Vulnerability Extrapolation or 'Give me more Bugs like that, please!'

Black Hat USA 2011

Presented by: Fabian Yamaguchi
Date: Thursday August 04, 2011
Time: 15:15 - 16:30
Location: Augustus V + VI
Track: Scoping the Issue

Security researchers and vendors alike know the situation: a vulnerability has been identified, but it is unclear whether further vulnerabilities 'just like that' lie hidden somewhere in the code. Since application programming interfaces often dictate or induce programming patterns, and simply because developers tend to copy & paste throughout the development process, it makes sense to ask whether functions sharing similar programming patterns can be identified automatically in source code, so that auditors can be pointed at vulnerabilities similar to a known one.

To answer this question, we decided to study how other fields deal with the discovery and exploitation of patterns in data. We found that simple statistical methods from the field of machine learning provide a promising set of tools for offensive security research and are particularly well suited to the outlined problem of vulnerability extrapolation. To demonstrate that these methods are useful in practice despite their academic feel, we present a detailed case study in which a zero-day vulnerability is discovered from a known vulnerability using our method. Since this is Black Hat, we will of course be presenting a working exploit as well.
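The idea the abstract sketches, as an added example that is not the presenter's code or tool: the page only states that simple statistical methods can find functions sharing programming patterns. The script below assumes one concrete instance of that idea (a bag of called API identifiers per function, TF-IDF weighting, cosine similarity to the known-vulnerable function) and runs it over a small constructed C corpus; every function name and snippet is made up for the demonstration, and the regex call extractor stands in for a real parser.

```python
"""Rank functions by how closely their API-usage pattern matches a known bug.

Added example, not the talk's tool. The pipeline (bag of called identifiers,
TF-IDF, cosine similarity) is an assumed illustration of the abstract's idea;
the C snippets are constructed for the demo and belong to no real project.
"""
import math
import re
from collections import Counter

# C keywords that look like calls to the regex but are not API usage.
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

# Constructed corpus. The known bug is parse_header: a strlen()-sized
# memcpy() into a fixed stack buffer. parse_trailer is a copy-pasted clone.
CORPUS = {
    "parse_header": """
int parse_header(const char *src) {
    char buf[64];
    size_t len = strlen(src);
    memcpy(buf, src, len);          /* unchecked copy: the known bug */
    return atoi(buf);
}""",
    "parse_trailer": """
int parse_trailer(const char *src) {
    char tmp[32];
    size_t len = strlen(src);
    memcpy(tmp, src, len);          /* same pattern, copy & pasted */
    return atoi(tmp);
}""",
    "copy_label": """
void copy_label(char *dst, const char *src) {
    size_t len = strlen(src);
    if (len > 63) len = 63;         /* bounded: same APIs, not the bug */
    memcpy(dst, src, len);
    dst[len] = 0;
}""",
    "read_config": """
int read_config(const char *path, char *out) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(out, 1, 255, f);
    fclose(f);
    return (int)n;
}""",
    "send_reply": """
int send_reply(int port, const char *msg) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (connect(s, NULL, 0) < 0) return -1;
    send(s, msg, 4, 0);
    return close(s);
}""",
    "alloc_node": """
void *alloc_node(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, 0, n);
    return p;
}""",
}


def extract_calls(name, source):
    """Bag of identifiers called inside one function (own name and keywords dropped)."""
    calls = Counter(m.group(1) for m in CALL_RE.finditer(source))
    for skip in C_KEYWORDS | {name}:
        calls.pop(skip, None)
    return calls


def tfidf_vectors(corpus):
    """Weight each function's call counts by how rare the API is across the corpus."""
    bags = {name: extract_calls(name, src) for name, src in corpus.items()}
    n_docs = len(bags)
    df = Counter(term for bag in bags.values() for term in bag)
    idf = {t: math.log(1.0 + n_docs / d) for t, d in df.items()}
    return {name: {t: c * idf[t] for t, c in bag.items()} for name, bag in bags.items()}


def cosine(a, b):
    """Cosine similarity of two sparse vectors held as dicts."""
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0


def rank_similar(corpus, known_bug):
    """All other functions, most similar to the known-vulnerable one first."""
    vecs = tfidf_vectors(corpus)
    query = vecs[known_bug]
    scores = [(name, cosine(query, v)) for name, v in vecs.items() if name != known_bug]
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_similar(CORPUS, "parse_header"):
        print(f"{score:.3f}  {name}")
```

The output is a ranking for an auditor, not a verdict: parse_trailer scores 1.0 because its API bag is identical, copy_label lands second because it also pairs strlen with memcpy even though its copy is bounded, and the file, socket and allocation functions score 0. Confirming whether the second candidate is actually exploitable is still manual work, which is the division of labour the abstract describes.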

Fabian Yamaguchi

Fabian Yamaguchi works as a researcher and security consultant for Recurity Labs in Berlin where he focuses on discovering and analysing vulnerabilities. He has presented his work at a number of security conferences including DEFCON and Chaos Communication Congress. Recently, he received his MSc in computer engineering from Technische Universität Berlin. During his studies, he focused on communication protocols and methods for data analysis from signal processing and machine learning.

