Heuristics applied to Binary Diffing

Heuristics applied to Binary Diffing

This talk will verse over a presently very common activity, related directly with computer security and the detection of stolen code, which is the comparison of software binaries and the generation of exploits based on security patches. We will describe in detail the heuristics that we apply in order to produce a tool (turbodiff) and how we solved the problems of function matching, change detection and implementation.

  • We'll demo examining changes over a Microsoft security patch.
  • We'll demo examining changes over an IPhone security patch.
  • We'll demo examining changes over a server-demo security patch, we'll deduce the underlying bug and describe how to exploit it.
  • Last, we'll make a demo that shows how this tool can be used to detect stolen (e.g., reused) code.

Turbodiff is the result of an independent research by the author that ended in the development of an IDA plugin with realistic performance which can compare binary files for the different architectures supported by IDA including PowerPC, MIPS, ARM, x86, etc.

Thursday, September 17, 2009