Diffing Binaries vs Anti-diffing Binaries

The Problem:

Security patches are usually meant to fix security vulnerabilities. And those are for fixing problems and protect computers and end users from risks. But how about releasing patch imposes new threats? We call the threat 1-day exploits. Just few minutes after the release of patches, binary diffing technique can be used to identify the vulnerabilities that the security patches are remedying. It's ironical situation but that's what is happening these days.

This binary diffing technique is especially useful for Microsoft's binaries. Not like other vendors they are releasing patch regularly and the patched vulnerabilities are relatively concentrated in small areas in the binary. Those facts make the patched area in the binary more visible and apparent to the patch analyzers.

We already developed "eEye Binary Diffing Suites" back in 2006 and it's widely used by security researchers to identify vulnerabilities. It's free and open-source and it's powerful enough to be used for 1-day vulnerabilities hunting purpose. So virtually, attackers have access to all the tools and targets they need to identify unknown vulnerabilities that is just patched. They can launch attack during the time frame users or corporates are applying patches. This process typically takes few minutes to few days.

From our observations during past few years, all the important security patches were binary diffed manually or automatically using tools. Sometimes the researchers claimed they finished analyzing patches in just 20-30 minutes. At most in a day, it's possible to identify the vulnerability itself and make working exploits. And binary diffing has now become too easy and cheap to the attackers. During patch applying time frame, the end users are more vulnerable and targeted using 1-day attack.

The Answer:

So now it became crucial to make theses 1-day exploits more difficult and time-consuming so that the vendors can earn more time for the consumers to apply patches. Even though using severe code obfuscation is not an option for Microsoft's products, they can still follow some strategies and techniques to defeat the binary diffing processes without forsaking stability and usability. We are going to show the methods and tactics to make binary differs life harder. And will show the in-house tool that obfuscates the binaries in a way that especially binary differs confused. We call this process anti-binary diffing.