The presentation “Binary Difference Analysis”, given by Halvar Flake, covered three key elements of binary analysis: comparing executable objects, porting information between executable objects, and navigating executable objects.
The tool known as “BinDiff” interfaces with IDA (Interactive Disassembler) and provides the capability to compare two executable objects and produce a set of code logic differences (not physical differences). This technique is useful for (and was designed for) finding undisclosed bugs in patched software when both the vulnerable and the non-vulnerable executable are available. We use this technique often during Microsoft Tuesday to write rules that directly detect the existence of the patch in a non-invasive manner.
Based on the analysis of the two executable objects, “BinDiff” is also capable of porting code comments, variable names, and function names between them, based on code segments that are logically similar (not physically similar). This technique is useful when you have fully documented and reverse engineered an application that is later patched, or a new version is released, modifying the originally documented executable. To complete the documentation of the new executable, you can use the previously described feature to find any differences in code logic and document them accordingly.
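As an added illustration (not BinDiff's own code or algorithm), here is a toy structural matcher in the spirit described above: functions are matched by a structural signature rather than by bytes or addresses, so names can be ported from a documented build onto a patched build, and matched functions whose logic still differs are flagged. It assumes the disassembler has already produced per-function basic blocks (mnemonics only, in traversal order) and edges; the sample control-flow graphs are constructed by hand.

```python
from dataclasses import dataclass

@dataclass
class Function:
    name: str
    blocks: list[list[str]]      # basic blocks in traversal order, mnemonics only
    edges: set[tuple[int, int]]  # control-flow edges between block indices

def signature(fn):
    """Structural signature (basic blocks, edges, calls): addresses, operands and
    register choices are ignored, so a relocated rebuild keeps its signature."""
    calls = sum(m == "call" for b in fn.blocks for m in b)
    return (len(fn.blocks), len(fn.edges), calls)

def fingerprint(fn):
    """Finer logic fingerprint: per-block mnemonic sequences plus the edge set."""
    return (tuple(tuple(b) for b in fn.blocks), tuple(sorted(fn.edges)))

def group_by_signature(fns):
    groups = {}
    for fn in fns:
        groups.setdefault(signature(fn), []).append(fn)
    return groups

def diff(old, new):
    """Match functions whose signature is unique on both sides, port the old name
    onto the new build, and flag matches whose logic still differs.
    Returns (ported {new: old}, changed old names, unmatched new, unmatched old)."""
    old_g, new_g = group_by_signature(old), group_by_signature(new)
    ported, changed = {}, []
    for sig, nfs in new_g.items():
        ofs = old_g.get(sig, [])
        if len(ofs) == 1 and len(nfs) == 1:  # ambiguous signatures are not guessed
            ported[nfs[0].name] = ofs[0].name
            if fingerprint(ofs[0]) != fingerprint(nfs[0]):
                changed.append(ofs[0].name)
    new_only = [fn.name for fn in new if fn.name not in ported]
    old_only = [fn.name for fn in old if fn.name not in ported.values()]
    return ported, changed, new_only, old_only

# Constructed sample: documented old build vs. patched build (IDA default names).
OLD = [
    Function("parse_header", [["push", "call", "call", "test", "jz"], ["mov", "ret"], ["xor", "ret"]], {(0, 1), (0, 2)}),
    Function("check_len", [["cmp", "jbe"], ["mov", "ret"], ["xor", "ret"]], {(0, 1), (0, 2)}),
    Function("copy_payload", [["push", "mov", "call", "pop", "ret"]], set()),
]
NEW = [
    Function("sub_401000", [["push", "call", "call", "test", "jz"], ["mov", "ret"], ["xor", "ret"]], {(0, 1), (0, 2)}),  # relocated only
    Function("sub_401040", [["cmp", "jb"], ["mov", "ret"], ["xor", "ret"]], {(0, 1), (0, 2)}),  # jbe -> jb: logic changed
    Function("sub_401080", [["push", "mov", "cmp", "ja"], ["call", "pop", "ret"], ["xor", "pop", "ret"]], {(0, 1), (0, 2)}),  # new structure
]
```

Running `diff(OLD, NEW)` ports `parse_header` and `check_len` onto the new names, reports `check_len` as a logic change, and leaves `sub_401080` and `copy_payload` unmatched, which is exactly the short list a patch analyst would inspect first.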
Navigating executable objects with “BinNavi” was very impressive. The application attaches itself to an active process of the executable object you wish to navigate and lets you take snapshots of the functions called between two points in time. This greatly simplifies the process of determining how to reach certain segments of code (such as the vulnerable segment identified when diffing a vulnerable and a non-vulnerable executable). It should also simplify the process of reverse engineering proprietary protocols, since it makes it easy to determine how an executable interprets the data it receives. The graphing in “BinNavi” was amazing from both a usability perspective, narrowing down the displayed information to only the important aspects of the graph based on function call analysis, and an eye candy perspective, with graph rotations, fitting the data onto a single screen (the “ball of yarn”), and graphs similar to those of “BinDiff”.