Reverse engineering patches making disclosure a moot choice?

Darned if you do. Darned if you don't

When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper.

Using his company's tool for analyzing the differences between the patched and unpatched versions of a program, Flake pinpointed the Portable Network Graphics (PNG) vulnerability that Microsoft fixed with its latest update, locating the specific changes in less than 20 minutes.

"The PNG patch (is) excellent for a demo," he said. "It's a small (piece of code), which means quick comparison, and the bug is easily understandable for a layman, too."

While Flake - who is also CEO of security software firm SABRE Security - had been searching for a good way to show off the company's binary difference analysis tool BinDiff, the demonstration is just the latest example of how fast patches can be reverse engineered to reveal vulnerable code.

In a paper published in early June, SABRE researchers discussed how they had pinpointed, in less than 30 minutes, the flaw fixed by a Microsoft update to the Secure Sockets Layer (SSL). A reliable exploit for the flaw was created in less than 10 hours. In another example in the paper, the tool was used to discover in less than three hours that Microsoft had corrected a communications vulnerability in the Internet Security and Acceleration (ISA) Server, but had missed the same vulnerability in other parts of the system.

While Flake stressed that binary difference analysis, or "binary diffing," has many other uses - such as finding the changes in virus variants and detecting intellectual property violations in software - an increasing number of security researchers use the technique to find the flaws patched by software updates.
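As an added illustration of the structural matching that makes "binary diffing" fast (example code written for this page, not SABRE's BinDiff or any Microsoft binary), the toy below pairs functions across an unpatched and a patched build by basic-block, edge and call-count fingerprints plus call-graph context, then reports which functions the patch touched and which are new. Every function name and control-flow graph in it is constructed; the pattern it surfaces (one function grew a branch calling a new routine) is the kind of change a defender checks to confirm what a fix actually altered.

```python
# Added example (not SABRE's BinDiff): structural function matching between an
# unpatched and a patched build. A 'binary' is {function: {block: (successors, callees)}}.

def signature(cfg):
    # Structural fingerprint: (#basic blocks, #edges, #calls); names are ignored.
    return (len(cfg), sum(len(s) for s, _ in cfg.values()),
            sum(len(c) for _, c in cfg.values()))

def callers_of(binary):
    # Reverse call graph: function -> set of functions that call it.
    return {f: {n for n, cfg in binary.items()
                if any(f in c for _, c in cfg.values())} for f in binary}

def match_functions(old, new):
    # Pass 1: pair functions whose signature is unique on both sides.
    def unique(binary):
        by_sig = {}
        for name, cfg in binary.items():
            by_sig.setdefault(signature(cfg), []).append(name)
        return {s: n[0] for s, n in by_sig.items() if len(n) == 1}
    old_u, new_u = unique(old), unique(new)
    matched = {old_u[s]: new_u[s] for s in old_u if s in new_u}
    # Pass 2: pair leftovers whose already-matched callers line up (call-graph context).
    old_callers, new_callers = callers_of(old), callers_of(new)
    new_left = set(new) - set(matched.values())
    for name in sorted(set(old) - set(matched)):
        ctx = {matched[c] for c in old_callers[name] if c in matched}
        cands = [n for n in new_left if ctx and new_callers[n] == ctx]
        if len(cands) == 1:
            matched[name] = cands[0]
            new_left.discard(cands[0])
    return matched

def diff(old, new):
    # Matched pairs whose structure changed mark where the patch touched code.
    m = match_functions(old, new)
    return {"matched": m,
            "changed": sorted(o for o, n in m.items() if signature(old[o]) != signature(new[n])),
            "added": sorted(set(new) - set(m.values())),
            "removed": sorted(set(old) - set(m))}

# Constructed data: OLD keeps symbols; NEW is the patched, stripped build.
OLD = {"f_read_header": {0: ([1], ["f_alloc"]), 1: ([], ["f_copy"])},
       "f_alloc": {0: ([1, 2], []), 1: ([], []), 2: ([], [])},
       "f_copy": {0: ([], [])}, "f_main": {0: ([1], ["f_read_header"]), 1: ([], [])}}
NEW = {"sub_401000": {0: ([1, 2], ["sub_401100"]), 1: ([], ["sub_401200"]), 2: ([], ["sub_401400"])},
       "sub_401100": {0: ([1, 2], []), 1: ([], []), 2: ([], [])},
       "sub_401200": {0: ([], [])}, "sub_401300": {0: ([1], ["sub_401000"]), 1: ([], [])},
       "sub_401400": {0: ([1], []), 1: ([], [])}}
print(diff(OLD, NEW))
```

On this input the report names f_read_header (matched to sub_401000 through its caller) as the only changed function and sub_401400 as new, which is exactly the starting point a reviewer uses to check whether a fix is complete or, as in the ISA Server case, whether similar code elsewhere was left untouched.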

"We have reached the point where the patch is as revealing as an advisory," said David Aitel, principal researcher and CEO of security firm Immunity.

Aitel stresses that the technique has been used for several years, but adds that the availability of more user-friendly tools, such as BinDiff and IDA Pro, has broadened the pool of people who have both the access and the knowledge to use it.

"You have to assume that we are all doing it," he said.

For software makers, the trend in reverse engineering makes releasing patches a problem: A malicious coder might reverse engineer the patch and build an exploit before a significant fraction of customers can apply the fix.

"It is really a darned if you do, darned if you don't," said Mary Ann Davidson, chief security officer for database maker Oracle.

To make it harder on reverse engineers, Oracle only supplies patches to customers, she said. However, she is under no illusion that serious attackers would be unable to get their hands on a patch to reverse engineer.

Still, binary analysis is not yet common enough for Oracle to change its patching process, Davidson said.

"I don't see this immediately being a threat, but you have to plan for the future and not just after you suffer an attack," she said.

Microsoft also acknowledged that, in at least some cases, the time it takes to reverse engineer patches is decreasing. However, the company stressed that increased adoption of patching technology has reduced the time that users' computers are vulnerable.

"The release of a software update helps provide a solution for customers, whereas the public release of vulnerability details without an associated update only puts customers at risk," the software maker said in a statement sent to SecurityFocus.

Moreover, even with good tools, the process of analyzing code for a vulnerability is not easy, said HD Moore, a security researcher for Digital Defense.

"Actually tracing through the code to figure out how to get to that vulnerable function can still take some time," Moore said. "In terms of how bad it is versus a technical advisory, I would much prefer a nice technical rant ... over having to kill six hours digging through (code)," he said.

Security companies have frequently pointed to circumstantial evidence that the time between the release of a patch and the publication of an exploit has decreased. The increase in binary difference analysis could explain that trend, even though there is no evidence connecting the two. After the first papers discussing the techniques were published over a year ago, there was no large spike in attacks, said SABRE Security's Flake.

In the end, whether better binary analysis means that more companies will inadvertently be disclosing flaws by publishing patches should not matter, Flake said.

"Many people seem to pour time into the disclosure debate that should be spent elsewhere," he said. "It's fruitless and boring and has been for a few years."

Copyright © 2005, SecurityFocus
