Ringzer0 BOOTSTRAP24 Austin

Binary Reversing and Whole Firmware Diffing
02-24, 13:30–15:00 (US/Central), Workshop Track 2 📍Room 1.126

Diffing is used in reverse engineering to analyze two variants or versions of the same software, whether it is a legitimate executable or malware. It is useful for transferring analysis results from one program to another, for anti-plagiarism, and for patch analysis and thus vulnerability research. While multiple diffing tools exist, little has been done to perform diffing at scale across numerous binaries.

This workshop introduces a variety of tools, both for analyzing binaries by working on the representation extracted from a disassembler and for automating diffing with BinDiff. All of these tools have been open-sourced recently, and documentation is available at https://diffing.quarkslab.com.


This workshop targets anyone from the tech-savvy who want to know more about reverse engineering up to experienced red teamers. Attendees will take away practical knowledge, get familiar with various tools, and get an overview of the use cases where they apply. The outline of the workshop is given below.

First, the workshop will recall the basics of reverse engineering, x86_64 assembly and the ELF format, and how to get familiar with IDA Pro or Ghidra for analyzing programs at the binary level. Once everyone is on the same footing, we will move on to scripting some analyses.

Then we will introduce the concept of binary exporters, which dump the whole Ghidra/IDA Pro disassembly into a file that can be manipulated without keeping the disassembler open. We will present python-binexport, a wrapper around BinExport (Google's exporter) that automates the export and the processing of exported files. We will then present Quokka, our own exporter, which improves on BinExport by being both more exhaustive and more compact.

From there, we will start manipulating executables exported with BinExport or Quokka to dig into the binary. Multiple exercises will be given to get familiar with the API and to search for various kinds of information in the binary, e.g.: which function uses a specific string? What parameters are passed to a specific function call? Various binaries will be used as examples, including some malware. We will also write scripts that can be batched over multiple executables.

Thereafter, we will move to the binary diffing use case and show how to analyze an update by comparing the two programs in order to understand what has been patched. First, an introduction to BinDiff will show how to do manual diffing. Then we will introduce python-bindiff to show how to automate the diffing process and manipulate the result seamlessly.

No existing utility or library allows manipulating a diff programmatically to perform security analyses. We will give a glimpse of how this can be done with our collection of tools, with exercises aimed at finding the key modifications between two binaries.
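To make the two central operations of the workshop concrete (querying an export for which function uses a string and what arguments a call receives, as in the exercises above, and matching functions across two versions to isolate what changed, as in the diffing part), here is an added Python example written for this page. It is not code from python-binexport, Quokka, python-bindiff or BinDiff: the in-memory "export" model, the operand tagging convention, the x86_64 SysV argument-register list, the sample functions and the three-pass matcher (symbol name, then mnemonic hash, then best similarity) are all the editor's constructed assumptions, chosen to mimic what those tools expose.

```python
"""Added toy example: an exported-program model and a three-pass function matcher.
Illustrative only; not code from python-binexport, Quokka or python-bindiff."""
from collections import namedtuple
from difflib import SequenceMatcher
import hashlib

ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")  # x86_64 SysV integer argument order
# Operand convention of this example: "str:<text>" is a string xref, "call:<name>" a call target
Insn = namedtuple("Insn", "mnemonic operands", defaults=[()])
Function = namedtuple("Function", "name address insns")  # insns flattened; blocks omitted

class Program(namedtuple("Program", "functions")):  # functions: address -> Function, as an exporter gives it
    def functions_using_string(self, text):
        """Which functions reference a given string? (query over the whole export)"""
        tag = f"str:{text}"
        return sorted(f.name for f in self.functions.values()
                      if any(tag in i.operands for i in f.insns))

    def call_arguments(self, callee):
        """Arguments of each call to `callee`: walk backwards from the call site, keep the
        last write to each SysV argument register, stop at the previous call (heuristic)."""
        found = []
        for f in self.functions.values():
            for idx, i in enumerate(f.insns):
                if i.mnemonic == "call" and i.operands == (f"call:{callee}",):
                    args = {}
                    for prev in reversed(f.insns[:idx]):
                        if prev.mnemonic == "call":
                            break
                        if prev.mnemonic in ("mov", "lea") and prev.operands[0] in ARG_REGS:
                            args.setdefault(prev.operands[0], prev.operands[1])
                    found.append((f.name, tuple(args[r] for r in ARG_REGS if r in args)))
        return found

def mnemonic_hash(f):
    return hashlib.sha256(" ".join(i.mnemonic for i in f.insns).encode()).hexdigest()

def similarity(a, b):
    """0..1 score on mnemonic sequences; operands ignored so relocated addresses do not count."""
    return SequenceMatcher(None, [i.mnemonic for i in a.insns], [i.mnemonic for i in b.insns]).ratio()

def diff_programs(primary, secondary, min_similarity=0.5):
    """Match by symbol name, then by identical mnemonic hash (stripped/renamed functions),
    then by best remaining similarity. 'changed' = non-identical matches: where a patch hides."""
    left, right, matches = dict(primary.functions), dict(secondary.functions), []

    def take(fp, fs):
        del left[fp.address], right[fs.address]
        matches.append((fp.name, fs.name, round(similarity(fp, fs), 3)))

    by_name = {f.name: f for f in right.values() if not f.name.startswith("sub_")}
    for fp in list(left.values()):
        if fp.name in by_name and by_name[fp.name].address in right:
            take(fp, by_name[fp.name])
    by_hash = {mnemonic_hash(f): f for f in right.values()}
    for fp in list(left.values()):
        fs = by_hash.get(mnemonic_hash(fp))
        if fs is not None and fs.address in right:
            take(fp, fs)
    for fp in list(left.values()):
        best = max(right.values(), key=lambda fs: similarity(fp, fs), default=None)
        if best is not None and similarity(fp, best) >= min_similarity:
            take(fp, best)
    return {"matched": matches, "changed": [m for m in matches if m[2] < 1.0],
            "removed": sorted(f.name for f in left.values()),
            "added": sorted(f.name for f in right.values())}

def sample_programs():
    """Constructed old/new versions of a tiny module (not a real binary): new parse_header
    gains a bounds check before memcpy, helper loses its symbol, legacy_auth goes, check_sig arrives."""
    def parse_header(patched):
        body = [Insn("push", ("rbp",)), Insn("mov", ("rbp", "rsp")),
                Insn("lea", ("rdi", "str:Content-Length")), Insn("call", ("call:strlen",)),
                Insn("mov", ("rdx", "rax"))]
        if patched:
            body += [Insn("cmp", ("rax", "0x40")), Insn("ja", ("0x1080",))]
        body += [Insn("mov", ("rsi", "rbx")), Insn("lea", ("rdi", "[rbp-0x40]")),
                 Insn("call", ("call:memcpy",)), Insn("pop", ("rbp",)), Insn("ret")]
        return Function("parse_header", 0x1000, body)

    log_msg = [Insn("lea", ("rdi", "str:%s")), Insn("call", ("call:printf",)), Insn("ret")]
    tiny = [Insn("xor", ("eax", "eax")), Insn("ret")]
    old = Program({0x1000: parse_header(False), 0x1100: Function("log_msg", 0x1100, log_msg),
                   0x1200: Function("helper", 0x1200, tiny),
                   0x1300: Function("legacy_auth", 0x1300, [Insn("mov", ("eax", "1")),
                            Insn("cmp", ("edi", "eax")), Insn("jne", ("0x1310",)), Insn("ret")])})
    new = Program({0x1000: parse_header(True), 0x1100: Function("log_msg", 0x1100, log_msg),
                   0x1200: Function("sub_1200", 0x1200, tiny),
                   0x1400: Function("check_sig", 0x1400, [Insn("push", ("rbp",)),
                            Insn("mov", ("rbp", "rsp")), Insn("lea", ("rdi", "str:SIGNATURE")),
                            Insn("call", ("call:verify",)), Insn("test", ("eax", "eax")),
                            Insn("jz", ("0x1430",)), Insn("pop", ("rbp",)), Insn("ret")])})
    return old, new

if __name__ == "__main__":
    old, new = sample_programs()
    print(old.functions_using_string("Content-Length"), old.call_arguments("memcpy"))
    print(diff_programs(old, new)["changed"])
```

The `changed` list is the part you would batch over many executables: functions that match but score below 1.0 are where a patch lives, and on the constructed sample that is the `cmp`/`ja` bounds check inserted in front of `memcpy`, while the stripped `helper`/`sub_1200` pair is still recognised as identical through the hash pass. Real BinDiff uses many more matching heuristics (call graph, basic-block structure, string references) and reports a similarity/confidence pair rather than a single ratio, but the workflow of exporting once, matching, then filtering the non-identical matches is the same.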

We will conclude with a practical exercise: diffing two versions of a firmware used at Pwn2Own 2022. The goal is to identify the key changes in order to understand what has been updated, by performing whole-firmware diffing. This practical will also leverage Pyrrha, another tool we developed for firmware cartography.

Robin David, PhD, is the automated analysis team leader at Quarkslab and a full-time software security researcher. He works on various technologies such as greybox fuzzing, symbolic execution, firmware analysis and deobfuscation, for which he actively develops open-source tools to help the community.
He has presented his work at industrial conferences such as Black Hat and BalCCon, as well as at academic venues such as S&P, BAR and ISSTA. He is also a trainer at RingZer0.