Reverse engineering patches making disclosure a moot choice?
Darned if you do. Darned if you don't
When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper.
Using his company's tool for analyzing the differences in the patched and unpatched versions of a program, Flake pinpointed the portable networked graphics (PNG) vulnerability that Microsoft fixed with its latest update, locating the specific changes in less than 20 minutes.
"The PNG patch (is) excellent for a demo," he said. "It's a small (piece of code), which means quick comparison, and the bug is easily understandable for a laymen, too."
While Flake - who is also CEO of security software firm SABRE Security- had been searching for a good way to show off the company's binary difference analysis tool BinDiff, the demonstration is just the latest example illuminating how fast patches can be reverse engineered to reveal vulnerable code.
In a paper published in early June, SABRE researchers discussed how they had pinpointed, in less than 30 minutes, the flaw fixed by a Microsoft update to the Secure Sockets Layer (SSL). A reliable exploit for the flaw was created in less than 10 hours. In another example in the paper, the tool was used to discover in less than three hours that Microsoft had corrected a communications vulnerability in the Internet Security and Acceleration (ISA) Server, but had missed the same vulnerability in other parts of the system.
While Flake stressed that binary difference analysis, or "binary diffing," has many other uses - such as finding the changes in virus variants and detecting intellectual property violations in software - an increasing number of security researchers use the technique to find the flaws patched by software updates.
"We have reached the point where the patch is as revealing as an advisory," said David Aitel, principal researcher and CEO of security firm Immunity.
Aitel stresses that the technique has been used for several years, but adds that the availability of more user-friendly tools, such as BinDiff and IDA Pro, has broadened the pool of people that now have access and the knowledge to do the technique.
"You have to assume that we are all doing it," he said.
For software makers, the trend in reverse engineering makes releasing patches a problem: A malicious coder might reverse engineer the patch and build an exploit before a significant fraction of customers can apply the fix.
"It is really a darned if you do, darned if you don't," said Mary Ann Davidson, chief security officer for database maker Oracle.
To make it harder on reverse engineers, Oracle only supplies patches to customers, she said. However, she is under no illusions that serious attackers would not be able to get their hands on a patch to reverse engineer.
Still, binary analysis is still not common enough for Oracle to change its patching process, Davidson said.
"I don't see this immediately being a threat, but you have to plan for the future and not just after you suffer an attack," she said.
Microsoft also acknowledged that, in at least some cases, the time it takes to reverse engineer patches is decreasing. However, the company stressed that increased adoption of patching technology has reduced the time that users' computers are vulnerable.
"The release of a software update helps provide a solution for customers, whereas the public release of vulnerability details without an associated update only puts customers at risk," the software said in a statement sent to SecurityFocus.
Moreover, even with good tools, the process of analyzing code for a vulnerability is not easy, said HD Moore, a security researcher for Digital Defense.
"Actually tracing through the code to figure out how to get to that vulnerable function can still take some time," Moore said. "In term of how bad it is versus a technical advisory, I would much prefer a nice technical rant ... over having to kill six hours digging through (code)," he said.
Security companies have frequently pointed to circumstantial evidence that the time between the release of a patch and the publication of an exploit has decreased. The increase in binary difference analysis could explain that trend, even though there is no evidence connecting the two. After the first papers discussing the techniques were published over a year ago, there was no large spike in attacks, said SABRE Security's Flake.
In the end, whether better binary analysis means that more companies will inadvertently be disclosing flaws by publishing patches should not matter, Flake said.
"Many people seem to pour time into the disclosure debate that should be spent elsewhere," he said. "It's fruitless and boring and has been for a few years."