It's no secret that hackers are adept at reverse engineering vendor patches to learn more about the vulnerability being repaired and, in turn, quickly write malware to exploit the bug.
This is especially true with Microsoft's monthly Windows security patches that are released the first Tuesday of every month. Hackers -- and researchers -- have at their disposal an array of commercial and open source tools and techniques, called binary differs, to help with patch analysis.
Binary diffing suites are especially effective in analyzing Windows patches, where fixes are confined to relatively concentrated areas of the binaries. By comparing past and current binaries, the diffing tools spot the differences, highlight what's new and point hackers in the right direction.
At the recent Black Hat USA 2009 conference, Jeongwook Oh, a researcher with eEye Digital Security, unveiled an anti-binary-diffing tool called Hondon (which translates to "chaos" in Korean). Hondon, Oh said, obfuscates binaries so that patched elements are essentially invisible to diffing tools, without impacting the stability and usability of the patches.
"It should not have any serious side effects other than preventing binary diffing. It will just make the patched code parts invisible and buried among obfuscated fake patched parts," Oh said.
The idea behind anti-binary diffing is to extend the time it takes an attacker to analyze a patch and create a working exploit. Oh called these 1-day exploits, in contrast to zero-day exploits, which appear before vulnerabilities are known. Oh says all Windows patch binaries have been diffed, either manually or automatically; he estimates some can be analyzed in as few as 30 minutes and a working exploit developed within a day. This certainly beats the timeframe many midmarket companies have for testing and rolling out patches in their IT environments.
"The binary diffing technique is very useful against Windows binaries because Microsoft monthly is changing only small bits of the binaries," Oh said. "You can find it easily."
Binary differs have been around for 10 years. The first, called BMAT, was similar to a signature-based tool: it matched symbolic names, then applied a hash value to the binaries and compared the matches. Usually vendors don't release these symbols, but Microsoft does as soon as patches are released, Oh said.
Noted hacker Halvar Flake built on that work and at Black Hat 2004 introduced ARE, or automated reverse engineering, a tool that automated the process. Soon tools were introduced that conducted structural and graphical comparisons of executable objects. Eventually, Flake introduced BinDiff, a commercial tool sold by Zynamics, formerly known as Sabre Security.
IDACompare followed in 2005. It is a plug-in for the IDA disassembler platform and is primarily used to analyze changes in malware variants, but it can be adapted to perform patch analysis as well. eEye released its eEye Binary Diffing Suites as open source in 2006, and Tenable Network Security let loose with PatchDiff2 in 2008 before eEye followed up with DarunGrim2, the next version of the Binary Diffing Suites.
These tools depend on a variety of algorithms and matching techniques, including symbolic name matching, fingerprint hashing, structure-based analysis and more, to find subtle and not-so-subtle differences in patched versions of Windows binaries.
Oh said Windows binaries, which are readily available for download from each patch's page, are easy targets because they are patched so frequently and only security fixes, not feature enhancements, are included. Microsoft also provides symbols for system DLLs, drivers and the kernel along with the patches, which helps an attacker analyze what has been modified. Also, Windows patches cannot obfuscate code because that practice would likely cause problems with other software, Oh said.
Hondon, or anti-binary diffing, attempts to defeat binary diffing by changing symbol names, reordering or replacing instructions to beat code checksums, and altering code flow graph signatures to fool matching processes, among several other techniques.
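To make the two sides of this concrete, here is a constructed Python model added for illustration; it is not Oh's code and does not reflect how Hondon or any of the named diffing tools is implemented. It fingerprints functions two ways (a naive code checksum and a structure-based signature with abstracted operands, in the spirit of the matching techniques above) and applies a lightweight rewrite pass that buries the one real fix among fake changes. The function names and instruction listings are made up.

```python
"""Toy model of patch binary diffing and a lightweight anti-diffing pass (constructed example)."""
import hashlib
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# A "binary" maps function name -> instruction listing. OLD is the pre-patch build;
# PATCHED adds a length check to parse_hdr only. Listings are made up, not from a real DLL.
OLD = {
    "parse_hdr": ["mov eax, [ebp+8]", "mov ecx, [eax+4]", "mov [ebp-4], ecx", "ret"],
    "copy_buf": ["mov eax, 0", "mov edi, [ebp+8]", "rep movsb", "ret"],
    "log_msg": ["push ebp", "mov ebp, esp", "call _printf", "add esp, 4", "ret"],
}
PATCHED = dict(OLD)
PATCHED["parse_hdr"] = OLD["parse_hdr"][:2] + ["cmp ecx, 0x100", "ja fail"] + OLD["parse_hdr"][2:]

def checksum_fp(insns):
    """Naive code-checksum fingerprint: any textual change in the function alters it."""
    return hashlib.sha256("\n".join(insns).encode()).hexdigest()

def classify(op):
    """Abstract an operand to its class (mem/reg/imm/sym) so register renames do not matter."""
    if op.startswith("["):
        return "mem"
    return "reg" if op in REGS else "imm" if op[0].isdigit() else "sym"

def normalized_fp(insns):
    """Structure-based fingerprint: undo equivalent idioms, drop padding, abstract operands."""
    out = []
    for ins in insns:
        if ins == "nop":
            continue
        ins = re.sub(r"^xor (\w+), \1$", r"mov \1, 0", ins)
        ins = re.sub(r"^sub esp, -(\w+)$", r"add esp, \1", ins)
        mnem, _, ops = ins.partition(" ")
        out.append(mnem + " " + ",".join(classify(o) for o in ops.split(", ") if o))
    return hashlib.sha256("\n".join(out).encode()).hexdigest()

def anti_diff(binary):
    """Rewrite every function with equivalent instructions plus padding, so a checksum diff
    reports fake changes everywhere and the real fix is buried among them (not Hondon's code)."""
    def rewrite(ins):
        ins = re.sub(r"^mov (\w+), 0$", r"xor \1, \1", ins)
        return re.sub(r"^add esp, (\w+)$", r"sub esp, -\1", ins)
    return {name: ["nop"] + [rewrite(i) for i in insns] for name, insns in binary.items()}

def diff(old, new, fp):
    """Names of functions whose fingerprint differs between the two builds."""
    return sorted(n for n in old if n not in new or fp(old[n]) != fp(new[n]))
```

Against the checksum fingerprint every function in the rewritten build looks changed, but the normalizing fingerprint still isolates parse_hdr, which is why instruction-level substitution alone is not enough and the flow-graph-level changes mentioned above matter.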
"Some major vendors are reluctant to use a severe form of anti-debugging, because it can break things," Oh said. "They need some lightweight, non-aggressive and effective way to defeat binary differs."