ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

Black Hat USA 2010

Presented by: Jeongwook Oh
Date: Wednesday July 28, 2010
Time: 10:00 - 11:00
Location: Augustus 1+2
Track: Reverse Engineering

Many binary diffing systems are already available, both commercial and free, but the current implementations concentrate only on finding the differences between two binaries. What security researchers really want from patch analysis is the security patches themselves. Locating them is sometimes very hard because they are buried among ordinary feature updates, and the time needed to find them grows drastically as more feature updates are bundled into a release. This is especially true of Adobe and Sun product patches, which tend to mix security fixes with feature updates.

In that case we need another way to speed up the analysis: locating the security patches automatically. This can be done by analyzing the patched parts and checking whether they show the specific patterns that typical security patches have. An integer overflow fix will usually add a comparison against a boundary value; a buffer overflow fix will replace a vulnerable "strcpy" or "memcpy" with a safer function; even use-after-free bugs have their own patch patterns. We will present all the common patterns we have seen and a way to locate them using pattern matching.
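As an added illustration of the pattern-matching idea (this is example code, not DarunGrim's own), the following classifier diffs two constructed instruction lists of one function and flags the three patch shapes named above: an unsafe call swapped for a safer one, a new constant bound check, and a pointer cleared after free. The mnemonics, the safer-function table and the sample disassembly are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Unsafe-to-safer call replacements typical of buffer-overflow fixes (assumed list).
SAFER_CALLS = {
    "strcpy": {"strncpy", "strcpy_s"},
    "memcpy": {"memcpy_s"},
    "sprintf": {"snprintf", "_snprintf"},
}
BOUND_CMP = re.compile(r"^cmp\s+\w+,\s*(0x[0-9a-fA-F]+|\d+)$")
UNSIGNED_JCC = {"ja", "jae", "jb", "jbe"}
NULL_STORE = re.compile(r"^mov\s+(dword\s+)?\[[^\]]+\],\s*0$")

def call_target(insn):
    m = re.match(r"^call\s+(\w+)$", insn)
    return m.group(1) if m else None

def added_indices(old, new):
    """Indices into `new` of instructions absent from the unpatched version."""
    out = []
    for tag, _, _, j1, j2 in SequenceMatcher(a=old, b=new).get_opcodes():
        if tag in ("insert", "replace"):
            out.extend(range(j1, j2))
    return out

def classify_patch(old, new):
    """Return the security-patch patterns the old -> new diff matches."""
    found = set()
    old_calls = {call_target(i) for i in old}
    new_calls = {call_target(i) for i in new}
    # Pattern 1: a vulnerable string/memory function swapped for a safer one.
    for unsafe, safer in SAFER_CALLS.items():
        if unsafe in old_calls and unsafe not in new_calls and new_calls & safer:
            found.add("buffer-overflow: %s replaced" % unsafe)
    for idx in added_indices(old, new):
        insn = new[idx]
        nxt = new[idx + 1].split()[0] if idx + 1 < len(new) else ""
        # Pattern 2: new compare against a constant plus an unsigned jump (added bound check).
        if BOUND_CMP.match(insn) and nxt in UNSIGNED_JCC:
            found.add("integer-overflow: boundary check added")
        # Pattern 3: pointer zeroed right after free(), the usual use-after-free fix.
        if NULL_STORE.match(insn) and idx > 0 and call_target(new[idx - 1]) == "free":
            found.add("use-after-free: pointer cleared after free")
    return sorted(found)

def sample_functions():
    """Constructed before/after disassembly of one patched function."""
    old = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "push eax",
           "call strcpy", "call free", "mov eax, [ebp+12]", "pop ebp", "ret"]
    new = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "cmp eax, 0x100",
           "ja fail", "push eax", "call strcpy_s", "call free",
           "mov dword [ebp+8], 0", "mov eax, [ebp+12]", "pop ebp", "ret"]
    return old, new
```

A function whose diff matches none of the patterns (a plain feature change) returns an empty list, which is what lets the security fixes stand out from the rest of a bundled release.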

More can be done beyond this simple approach. Static taint analysis can be introduced into the binary diffing world: every suspicious variable (expressed as a register value or a memory location) found in the patch by binary diffing can be traced back to see whether it is controllable, or taintable, from user-controlled input such as network packets or a user-supplied file.

This ability to locate security patches automatically will benefit IPS rule writers, who can spend their time on what really matters instead of on finding the parts that actually need analysis. To achieve this, I upgraded the current implementation of the "DarunGrim" (http://www.darungrim.org) binary diffing system to support pattern matching and static taint analysis; it will become DarunGrim v3. DarunGrim is the most fully featured open-source binary diffing implementation. I will show how quickly we can locate the vendor patches that would otherwise take a few hours with other tools. All the updated source code will be released at the presentation.

Jeongwook Oh

Jeongwook Oh started his career as a firewall developer back in the mid 90s. After that he spent a few years doing security audits and penetration testing. Finally, he moved to California, joined the eEye crew and did some IPS work, which involved userland and kernel-land hacking. Now he works for WebSense Inc, where he does research related to malware and exploit detection.
