Jeongwook Oh: Fight Against 1-Day Exploits
Augustus Ballroom 1-2
About: This is about binary diffing vs anti-binary-diffing technique. Security patch is usually meant to fix security vulnerabilities. And it's for fixing problems and protect users and computers from risks. But how about releasing patch imposes new threats? We call the threat 1-day exploits. Just few minutes after the release of patches, binary diffing technique can be used to identify the vulnerabilities that the security patches are remedying. Since being introduced by Halvar back in few years ago, binary diffing is now so common and easily affordable technique. Aside from expensive commercial tools like "bindiff," there are already 2-3 free or opensource tools that can be used to identify exact patched points in the patch files.
This binary diffing technique is especially useful for Microsoft binaries. Not like other vendors they are releasing patch regularly and the patched vulnerabilities are relatively concentrated in small areas in the code. That makes the patched part more visible and apparent to the patch analyzers. We already developed "eEye Binary Diffing Suites" back in 2006 and it's widely used by security researchers to identify vulnerabilities. Even though it's free and opensource, it's powerful enough to be used for that vulnerabilities hunting purpose. So virtually, attackers have access to all the tools and theories they need to identify unknown vulnerabilities that is just patched. They can launch attack during the time frame users or corporates are applying patches (typically takes few hours to few days).
From our observations during past few years, all the important security patches were binary diffed manually or automatically using tools. Sometimes the researchers claimed they finished analyzing patches in just 20-30 minutes. At most in a day, it's possible to identify the vulnerability itself and make working exploits. So now it became crucial to make theses practices more difficult and time-consuming so that earn more time for the consumers to apply patches. Even though using severe code obfuscation is not an option for Microsoft's products, they can still follow some strategies and techniques to defeat the binary diffing processes without forsaking stability and usability. We are going to show the methods and tactics to make binary differs life harder. And will show the in-house tool that obfuscates the binaries in a way that especially binary differs confused.