Security researchers and vendors alike know the situation: A vulnerability has been identified but it is unclear whether further vulnerabilities 'just like that' exist hidden somewhere in the code. Since application programming interfaces often dictate or induce programming patterns and simply because developers tend to copy & paste throughout the development process, it makes sense to ask whether it is possible to automatically identify functions sharing similar programming patterns in source-code to assist auditors in finding vulnerabilities similar to a known vulnerability.
To answer this question, we decided to study how other fields deal with the discovery and exploitation of patterns in data. We found that simple statistical methods from the field of machine-learning provide a promising set of tools for offensive security research and are in particular well suited to address the outlined problem of vulnerability extrapolation. To demonstrate that these methods are useful in practice despite their academic feel, we present a detailed case-study where a zero-day vulnerability is discovered based on a known vulnerability using our method. Since it is BlackHat, we will of course be presenting a working exploit as well.