Smart Binary Diffing

Binary diffing is generally performed to understand the changes between an unpatched and a patched binary, so that the fix can be analyzed and then used to generate NIS signatures. We have discussed the patch analysis of many vulnerabilities in some of our previous blog postings. While analyzing the fix for a vulnerability, it often turns out that many functions have changed. If only a small number of functions changed, the analysis can be done quickly. However, if the number of changed functions is in the hundreds, then to reduce the response time many tools and algorithms have been developed that rank the changed functions for vulnerability analysis.

Smart binary diffing differs from this usual approach: the functions are not ranked. Instead, based on the instructions that have been added or deleted, the probable cause of the vulnerability is given in the output along with the address of those instructions. For example, if a call to the function ULongLongToULong (a safe-integer conversion helper from the Windows intsafe.h header that returns an error instead of silently truncating a 64-bit value to 32 bits) has been added, the chances are high that the patch fixes an integer overflow vulnerability. Smart analysis thus provides a quick snapshot of what has changed in the file along with the probable cause of the vulnerability.

Let's take a case study to further explain how the concept of "Smart Diffing" is useful while performing the patch analysis of a vulnerability. MS11-002 (CVE-2011-0027) is a remote code execution vulnerability that exists in the way that Microsoft Data Access Components validates memory allocation. This vulnerability could allow code execution if a user visited a specially crafted Web page. When smart diffing is performed on the unpatched and patched binaries, an analysis file is generated.
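As an added illustration (this is not the tool or code from this post), the following Python script performs a toy version of smart diffing: it diffs two IDA-style disassembly listings on instruction text only, so that addresses which shift after a patch do not count as changes, and it tags each added or removed instruction with a probable vulnerability class from a small heuristic table. The listings, their addresses, the stack layout and the heuristic table are all constructed for this example; the sample mirrors the MS11-002 pattern discussed below, where a call to ULongLongToULong is inserted in front of the size passed to HeapAlloc.

```python
"""Toy 'smart diff' of two disassembly listings (constructed example, not the
post's tool).  Instructions added or removed by a patch are reported with
their address and a probable vulnerability class from a heuristic table."""
import difflib
import re
from typing import List, NamedTuple, Optional

# IDA-style text line: "<hex address> <mnemonic> [operands] [; comment]"
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{6,16})\s+(\S+)\s*([^;]*)")

# Heuristic patterns, constructed for this example (a real table is far larger).
# intsafe.h conversion/arithmetic helpers such as ULongLongToULong or SizeTMult.
INTSAFE_RE = re.compile(
    r"\b(U?(Long|Int|Short|Char|SizeT|DWord|Byte)(Long|Ptr)?To\w+"
    r"|(U?Long|U?Int|U?LongLong|SizeT|DWord)(Add|Sub|Mult))\b")
UNBOUNDED_RE = re.compile(r"\b(l?str(cpy|cat)[AW]?|wcs(cpy|cat)|v?sprintf|wsprintf[AW]?|gets)\b")
BOUNDED_RE = re.compile(r"\b(StringC[bc]h\w+|\w+_s|strn(cpy|cat)|_?snprintf)\b")


class Insn(NamedTuple):
    addr: str
    mnem: str
    ops: str

    def text(self) -> str:
        return f"{self.mnem} {self.ops}".strip()


class Finding(NamedTuple):
    change: str           # "+" added by the patch, "-" removed by it
    addr: str             # address in the patched ("+") or original ("-") binary
    insn: str
    cause: Optional[str]  # probable vulnerability class, None if no heuristic fired


HEURISTICS = [
    # (probable cause, change kinds it applies to, predicate over the instruction)
    ("integer overflow: intsafe conversion/arithmetic check added", "+",
     lambda i: i.mnem == "call" and INTSAFE_RE.search(i.ops) is not None),
    ("buffer overflow: unbounded string/format routine removed", "-",
     lambda i: i.mnem == "call" and UNBOUNDED_RE.search(i.ops) is not None),
    ("buffer overflow: bounded string routine added", "+",
     lambda i: i.mnem == "call" and BOUNDED_RE.search(i.ops) is not None),
    ("check added: new comparison (low confidence, inspect what is compared)", "+",
     lambda i: i.mnem in ("cmp", "test")),
]


def parse_listing(listing: str) -> List[Insn]:
    """Parse a textual disassembly, dropping comments and lines without an address."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, mnem, ops = m.groups()
            insns.append(Insn(addr.upper(), mnem.lower(), " ".join(ops.split())))
    return insns


def classify(change: str, insn: Insn) -> Optional[str]:
    """First heuristic that fires for this added ("+") or removed ("-") instruction."""
    for cause, applies_to, pred in HEURISTICS:
        if change in applies_to and pred(insn):
            return cause
    return None


def smart_diff(before: str, after: str) -> List[Finding]:
    """Diff two listings on instruction text (addresses are ignored for matching,
    since they shift after a patch) and tag every added/removed instruction."""
    a, b = parse_listing(before), parse_listing(after)
    sm = difflib.SequenceMatcher(a=[i.text() for i in a], b=[i.text() for i in b], autojunk=False)
    findings: List[Finding] = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        findings += [Finding("-", i.addr, i.text(), classify("-", i)) for i in a[i1:i2]]
        findings += [Finding("+", i.addr, i.text(), classify("+", i)) for i in b[j1:j2]]
    return findings


def probable_causes(findings: List[Finding]) -> List[str]:
    """Distinct probable causes in first-seen order: the analysis-file summary."""
    causes: List[str] = []
    for f in findings:
        if f.cause and f.cause not in causes:
            causes.append(f.cause)
    return causes


def render_analysis(findings: List[Finding]) -> str:
    """One line per changed instruction, in the spirit of the post's analysis file."""
    return "\n".join(f"{f.change} {f.addr}  {f.insn:<32}" + (f"; probable cause: {f.cause}" if f.cause else "")
                     for f in findings)


# Constructed listings modelled on the MS11-002 fix discussed in the post: the patched
# function routes the allocation size through ULongLongToULong before HeapAlloc.
BEFORE = """\
10001000 push    ebp
10001001 mov     ebp, esp
10001003 mov     eax, [ebp+arg_0]
10001006 push    eax                   ; dwBytes, attacker-influenced
10001007 push    0                     ; dwFlags
10001009 push    dword ptr [hHeap]     ; hHeap
1000100F call    ds:HeapAlloc
10001015 pop     ebp
10001016 retn
"""
AFTER = """\
10001000 push    ebp
10001001 mov     ebp, esp
10001003 push    ecx                   ; room for var_4
10001004 lea     eax, [ebp+var_4]
10001007 push    eax                   ; ULONG *pulResult
10001008 push    dword ptr [ebp+arg_4] ; high dword of ullOperand
1000100B push    dword ptr [ebp+arg_0] ; low dword of ullOperand
1000100E call    ULongLongToULong
10001013 test    eax, eax              ; HRESULT is negative on overflow
10001015 js      short fail
10001017 push    dword ptr [ebp+var_4] ; dwBytes, now range-checked
1000101A push    0                     ; dwFlags
1000101C push    dword ptr [hHeap]     ; hHeap
10001022 call    ds:HeapAlloc
10001028 pop     ecx
10001029 pop     ebp
1000102A retn
"""

if __name__ == "__main__":
    result = smart_diff(BEFORE, AFTER)
    print(render_analysis(result))
    print("probable cause(s):", "; ".join(probable_causes(result)))
```

Running the script prints one line per changed instruction and flags the added call to ULongLongToULong at its patched-binary address as a probable integer overflow fix, while the unchanged HeapAlloc call is not reported at all. Note that the heuristics are deliberately coarse: the added "test eax, eax" is only the HRESULT check, so the low-confidence "check added" tag still needs a human to look at what is compared, which is exactly the kind of head start the analysis file is meant to give.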

Figure 1.0 showing the output of an Analysis File

The analysis file, as shown in figure 1.0, provides the probable cause of the vulnerability, giving the analyst a head start before digging into the code for further analysis. In the case mentioned above, further analysis (figure 2.0) shows that a call to ULongLongToULong has been added to check [ebp+arg_0] and so prevent the integer overflow. [ebp+arg_0] is the size argument passed to HeapAlloc; HeapAlloc itself is not the bug, the unchecked size fed to it was, and the conversion check now fails the call instead of letting a truncated value reach the allocator.

Figure 2.0 Showing the section of the code which was patched to remove the vulnerability

In this blog posting I have discussed Smart Diffing. Based on the instructions that have been added to or deleted from the code, smart diffing generates an analysis file, which in turn improves the response time by giving the probable cause of the vulnerability.

Acknowledgement

I would like to express my gratitude and thanks to Johnathan for providing his feedback.