
Can you expand on or point to a write up on reverse engineering patches?

Do you mean that reversers try to locate the, say, buffer overflow that was fixed and try to find another way to exploit it? Why would major companies want to do this?



The earliest talk I ever saw on automated binary reverse engineering was this one: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-f...

I actually didn't see the BH talk, but I saw a similar talk that Halvar gave at CanSecWest shortly after.

The gist of it is, imagine that you have a binary that you are looking to find vulnerabilities in to exploit. You can go through all the trouble of discovering a vulnerability, and then hope it doesn't get patched; or you can sit and wait for a patch for said binary. There's reams of data out there about how long it takes for systems to apply patches, but in general, you can find vulnerable versions of patched software long after the patch has been released.

Using binary differential analysis you are basically zeroing in on the parts that were changed (which you can imagine is a much smaller subset of the overall binary) and find the vulnerability much more quickly.

There are tools (there is/was a product called BinDiff that I don't know if Zynamics still sells after they got bought by Google), which help you do this in a more automated fashion.

That means that with much less work, you can write up a working exploit that will still work on some decent percentage of the install base for the application (until everyone patches it).

Additionally, you can imagine that a lot of times when vulnerabilities get fixed, they aren't necessarily fixed with the utmost rigor. There are a lot of cases where an individual vulnerability might be fixed, but if you look at what was done, you can find other parts of the binary that are vulnerable to the same underlying flaw. Knowing what gets changed in the patch can tell you a lot about underlying issues.
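The comment above describes binary differential analysis as narrowing attention from a whole binary to the functions a patch actually touched. The following is an added example, not code from the thread or from BinDiff: a minimal function-level diff that hashes each function body from a symbol table (name, offset, size) in two builds and reports what was added, removed or modified. The byte blobs and symbol names (`parse_header`, `copy_payload`, `check_length`, and so on) are constructed placeholders, not real software; the workflow is the one a defender uses to triage a vendor patch, decide how urgently to roll it out, and see which code paths a detection rule should watch.

```python
"""Function-level binary diff (constructed example, not a real patch).

Given two builds of the same program plus a symbol table for each, hash every
function body and report which functions were added, removed or modified.
This is the first narrowing step of patch diffing: from a whole image down to
the handful of functions the patch changed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Symbol:
    name: str    # function name from the symbol table
    offset: int  # start of the function body inside the image
    size: int    # length of the function body in bytes


def build_image(functions: Sequence[Tuple[str, bytes]]) -> Tuple[bytes, List[Symbol]]:
    """Lay constructed function bodies out back to back; return (image, symbols)."""
    image = bytearray()
    symbols = []
    for name, body in functions:
        symbols.append(Symbol(name, len(image), len(body)))
        image += body
    return bytes(image), symbols


def function_hashes(image: bytes, symbols: Sequence[Symbol]) -> Dict[str, str]:
    """Map each symbol name to the SHA-256 of its bytes in the image."""
    hashes = {}
    for sym in symbols:
        body = image[sym.offset: sym.offset + sym.size]
        if len(body) != sym.size:
            raise ValueError(f"{sym.name}: symbol range exceeds image")
        hashes[sym.name] = hashlib.sha256(body).hexdigest()
    return hashes


def diff_functions(old_image: bytes, old_syms: Sequence[Symbol],
                   new_image: bytes, new_syms: Sequence[Symbol]) -> Dict[str, List[str]]:
    """Classify every function as added, removed, modified or unchanged."""
    old = function_hashes(old_image, old_syms)
    new = function_hashes(new_image, new_syms)
    shared = old.keys() & new.keys()
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in shared if old[n] != new[n]),
        "unchanged": sorted(n for n in shared if old[n] == new[n]),
    }


# Constructed sample builds. The bytes are opaque placeholders standing in for
# compiled function bodies; they are not taken from any real binary.
OLD_IMAGE, OLD_SYMS = build_image([
    ("parse_header", b"\x55\x48\x89\xe5\x48\x83\xec\x20" + b"\x90" * 8),
    ("copy_payload", b"\x55\x48\x89\xe5\xf3\xa4\xc9\xc3"),
    ("send_reply",   b"\x55\x48\x89\xe5\x31\xc0\xc9\xc3"),
])
NEW_IMAGE, NEW_SYMS = build_image([
    ("parse_header", b"\x55\x48\x89\xe5\x48\x83\xec\x20" + b"\x90" * 8),
    # "patched" body: longer than before, so its hash changes
    ("copy_payload", b"\x55\x48\x89\xe5\x48\x39\xd6\x77\x02\xf3\xa4\xc9\xc3"),
    ("send_reply",   b"\x55\x48\x89\xe5\x31\xc0\xc9\xc3"),
    # a helper that did not exist in the old build
    ("check_length", b"\x48\x39\xf7\x0f\x96\xc0\xc3"),
])


def triage_report() -> Dict[str, List[str]]:
    """Run the diff on the constructed builds and print a short triage summary."""
    result = diff_functions(OLD_IMAGE, OLD_SYMS, NEW_IMAGE, NEW_SYMS)
    total = len(OLD_SYMS)
    touched = len(result["modified"]) + len(result["added"]) + len(result["removed"])
    print(f"{touched} of {total} functions touched by the patch")
    for kind in ("added", "removed", "modified"):
        for name in result[kind]:
            print(f"  {kind:>8}: {name}")
    return result


if __name__ == "__main__":
    triage_report()
```

Raw byte hashing is deliberately the crudest possible matcher: a real rebuild shifts offsets, reorders functions and changes register allocation, so nearly everything would show up as "modified". That is exactly why tools like BinDiff match functions on structural features (call graph, basic-block layout, constants) rather than bytes, and why the symbol table is the weak link when a vendor ships stripped binaries. The value of even this toy is the ratio it prints: a patch that touches two functions out of hundreds tells an operations team where to focus review and what a network or host detection should key on.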


So they can build tools that test for those vulnerabilities, or detect attempts to exploit them and block them on the network.


Think of Windows. You and I both know that not all machines running Windows are up-to-date with their security patches. Reverse engineering a patch for a 0-day exploit could give an attacker an idea of how to compromise unpatched machines. With all the unpatched Windows XP machines in the world, you could probably build your own botnet if you're smart enough :)



