
Binary and Patch Diffing for Bug Hunting and Weaponization - SANS@Mic

  • Thursday, December 03, 2020 at 9:00 AM SGT / 10:00 AM JST / 12:00 PM AEST / 6:30 AM IST (Wednesday, December 02, 2020 at 8:00 PM EST; 2020-12-03 01:00:00 UTC)
  • Stephen Sims




We hear about 0-day attacks all of the time, but in fact 0-days are not often used to compromise companies. Why? They are expensive! Some 0-days can sell for hundreds of thousands of dollars. There is another technique that comes close to the power of a 0-day without the high cost. Security researchers and adversaries alike use a technique called binary diffing or patch diffing. The process involves taking a file that has received a security fix, such as an executable, library, or driver, and diffing it against the unpatched version. This allows the person performing the analysis to identify the altered code, and therefore the security fix. A skilled person can use this knowledge to potentially weaponize the vulnerable version of the software. Organizations are often slow to patch, and the faster someone can perform this work, the more valuable it is! Join me as we walk through the tools and techniques used to perform patch diffing, as well as the opportunities for weaponization.
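To make the diffing step of the abstract concrete, here is an added example (written for this page, not material from the webcast or its speaker) that shows why patch diffing needs alignment rather than a byte-at-a-position comparison. The two byte strings are constructed stand-ins for a function body before and after a fix that inserts a few bytes; they are not real machine code, and the symbol table that maps offsets to function names is likewise constructed. Diffing tools work the same way at the function and basic-block level; the example stays at the byte level so it runs with the standard library only.

```python
"""Added example: aligned byte-level patch diff with attribution to functions.

Shows that a naive same-offset comparison mis-reports everything after an
inserted check, while an aligned diff isolates the single inserted region.
"""
import difflib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data (not real machine code): a 4-byte prologue,
# a 5-byte "copy" routine, and, in the patched build, a 5-byte check
# inserted in front of the copy. Labelled hypothetical on purpose.
UNPATCHED = b"\x10\x20\x30\x40" + b"\x50\x60\x70\x80\x90"
PATCHED = b"\x10\x20\x30\x40" + b"\xaa\xbb\xcc\xdd\xee" + b"\x50\x60\x70\x80\x90"

# Constructed symbol table for the unpatched image: name -> (start, end) offsets.
FUNCS_UNPATCHED: Dict[str, Tuple[int, int]] = {"init": (0, 4), "copy_data": (4, 9)}


@dataclass
class Change:
    kind: str        # "replace", "insert" or "delete" (difflib opcode tags)
    old_off: int     # offset of the affected region in the unpatched image
    old_len: int     # bytes removed/replaced in the unpatched image (0 for insert)
    new_off: int     # offset of the affected region in the patched image
    new_len: int     # bytes added/replacing in the patched image (0 for delete)


def naive_diff(old: bytes, new: bytes) -> int:
    """Count same-offset byte mismatches plus the length delta.

    Any insertion shifts every later byte, so this overstates the change.
    """
    common = min(len(old), len(new))
    mismatches = sum(1 for i in range(common) if old[i] != new[i])
    return mismatches + abs(len(old) - len(new))


def aligned_diff(old: bytes, new: bytes) -> List[Change]:
    """Align the two images and return only the non-equal regions."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [
        Change(tag, i1, i2 - i1, j1, j2 - j1)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def touched_functions(changes: List[Change],
                      funcs: Dict[str, Tuple[int, int]]) -> List[str]:
    """Map changed regions back to the unpatched functions they fall in.

    A pure insertion (old_len == 0) is attributed to the function whose
    range contains the insertion point.
    """
    hits = set()
    for c in changes:
        for name, (start, end) in funcs.items():
            if c.old_len == 0:
                if start <= c.old_off < end:
                    hits.add(name)
            elif c.old_off < end and c.old_off + c.old_len > start:
                hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    print("naive mismatch count:", naive_diff(UNPATCHED, PATCHED))
    for change in aligned_diff(UNPATCHED, PATCHED):
        print("aligned change:", change)
    print("functions touched by the fix:",
          touched_functions(aligned_diff(UNPATCHED, PATCHED), FUNCS_UNPATCHED))
```

The naive comparison reports ten differing positions for what is really a single five-byte insertion; the aligned diff reports one `insert` at offset 4 and attributes it to `copy_data`. For a defender, that attribution is the useful output: it tells you which routine the vendor considered worth fixing, and therefore which functionality to prioritise for patch rollout and monitoring while the fix is pending.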

Speaker Bio

Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant. He has spent many years performing security architecture, exploit development, reverse engineering, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking and co-author of SEC599: Defeating Advanced Adversaries Purple Team Tactics & Kill Chain Defenses. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.
