Binary and Patch Diffing for Bug Hunting and Weaponization - SANS@Mic

  • Webcast Aired Wednesday, 02 Dec 2020 8:00PM EST (03 Dec 2020 01:00 UTC)
  • Speaker: Stephen Sims

We hear about 0-day attacks all of the time, but in fact, 0-days are not often used to compromise companies. Why? They are expensive! Some 0-days can yield hundreds of thousands of dollars. There is another interesting technique used that comes close to the power of 0-days, but without the high cost. Security researchers and adversaries alike often use a technique called binary diffing or patch diffing. The process involves taking a file that has received a security fix, such as an executable, library, or driver, and diffing it against the unpatched version. This allows the person performing the analysis to identify the altered code, revealing the security fix. A skilled person can use this knowledge to potentially weaponize the vulnerable version of software. Organizations are often slow to patch and the faster someone can perform this work, the more valuable it is! Join me as we walk through the tools and techniques used to perform patch diffing as well as opportunities for weaponization. '