Patch Diffing In The Dark (16–18 Sept 2024)

£2,500.00 ex VAT

Take the first step into the light. Sign up for this course. Learn the skill of patch diffing to go from knowing about a vulnerability to actually understanding it.

The three-day course will take place on 16 to 18 September 2024 at the Novotel London West.

The course will be cancelled if minimum numbers are not reached so book early to avoid disappointment.


Binary Diffing For Vulnerability Researchers and Reverse Engineers

Presented by: John McIntosh

Every day, a new CVE (Common Vulnerabilities and Exposures) entry is published or a new blog post comes out detailing the latest and greatest vulnerability. Often, we know about a vulnerability but feel like we don’t have the skills or time to understand its root cause. What if you could change that? What if you could learn a skill that would lead you step by step towards understanding modern vulnerabilities? If you feel like you are always “in the dark” about the latest CVE and want to take a step towards the light (understanding), this course is for you.

Binary patch diffing is an essential skill for reverse engineering, vulnerability research, and malware analysis. The process helps a researcher identify the security-relevant code changes of a patched binary and helps highlight the underlying security issues. The process is not magic, and with a little guidance, anyone can learn the basics and improve with practice.

This fast-paced training will teach you how to reverse engineer the latest CVEs. We will start with a simple CVE description, progress towards identifying a vulnerability, and eventually gain a complete understanding of the underlying vulnerability and identify its root cause. You will analyse (7+) real-world CVEs, dive into the patch diffing process, and learn a step-by-step approach to modern patch diffing using open-source tools. The short topical lessons and hands-on exercises will have you patch diffing recent CVEs and their corresponding binaries across both Android and Windows platforms. You will learn about best practices, how to avoid patch diffing pitfalls, and get useful scripts to enhance your analysis workflow.

The best part about the training is that there is no secret ingredient. Using free tools (the Ghidra SRE framework, BinDiff, and more) and leveraging readily available CVE information, you will learn how to discover and analyse complex vulnerabilities. Through lectures and hands-on exercises that cover real-world CVE challenges, the course provides practical reverse engineering exercises to help you learn and practise the concepts and techniques. You will discover that you can leverage CVEs as a guide for reverse engineering and vulnerability research.

Day 1

Learn the value of using readily available security information (CVEs, GitHub PoCs, and blog posts) to dive deep into reverse engineering the latest CVEs.

1. Introduction

  • Binary Diffing Use Cases
  • Seeking Binary Truth
  • Overview of the CVE vulnerabilities and their impact
  • Introduce the tools and data sets (Ghidra, WinDbg, Frida, CVEs)

2. Patch Analysis

  • Finding the CVE binaries
  • Patch Diffing Workflow
  • Reverse Engineering
  • Interpreting Diff Results
  • Patching Holes in Ghidra Version Tracking
  • Root Cause Exercises
  • BinDiff Alternative

3. Vulnerability Analysis

  • Discovering the vulnerable code path
  • Identifying the vulnerability
  • Ghidra scripting for Version Tracking analysis

Homework: Research/Download Grab Bag CVEs

Day 2

Learn how to go from a simple CVE description to finding the underlying root cause of the vulnerability. This day will provide the background on how to research CVEs, find the binaries of interest, and reverse engineer the vulnerabilities using both static and dynamic analysis.

1. Windows: Zero to Hero – CVE-2023-28302

  • Identify vulnerable application
  • Research methods to reach vulnerable code paths
  • Static and Dynamic Analysis
  • Root-cause the vulnerability
  • Develop exploit trigger PoC

2. Android: Zero to Average – WhatsApp CVE-2022-36934

  • Android APK Reverse Engineering
  • Identify vulnerable application
  • Extracting native files from WhatsApp APKs
  • Patch Diff Several WhatsApp CVEs
  • Basic Frida instrumentation for Dynamic Analysis

Day 3

This day will begin with learning how to use a brand-new Ghidra feature called Binary Similarity (BSim). BSim allows a researcher to build and explore a large set of binaries for comparison. The day will also consist of live patch diffing, where together as a class we walk through several recent CVE examples in real time to discover what we can learn. Last, we will conclude with a final project. The final project is designed to cement the concepts learned throughout the course and prepare a researcher for patch diffing outside of class. It will consist of several patch diffing challenges, allowing you to flex the skills developed during the course.

1. The Power of BSim

  • Experience Ghidra’s latest feature, the Binary Similarity (BSim) toolset
  • Learn how to build training data sets for binary exploration
  • Leverage BSim to broaden your patch diffing across binary data sets

2. Grab Bag CVEs

  • This exercise will provide an instructor-led walkthrough of as many live patch diffs as possible of preselected CVEs and/or student-suggested CVEs (suggested homework from Day 1).
  • This experience sometimes reaches beyond the Windows or Android operating systems. The experience will be unique for each class.

3. Final Project

  • Practical application of skills learned in the course

Requirements:

  • Laptop with Ghidra installed and the ability to run the workshop VM
  • Internet access to download workshop resources

John McIntosh (@clearbluejar) is a security researcher and lead instructor @clearseclabs, a company that offers hands-on training and consulting services on various aspects of information security. He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security tools and also blogs regularly about his research projects and experiments with Ghidra and patch diffing. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security researchers.

The price is £3,000 (inc VAT/£2,500 ex VAT).

Conference and training tickets are non-refundable as per our Terms of Service.

This ticket is NOT transferable (i.e. you cannot use it one day and pass it to someone else on another day; you can, however, change the name on it if circumstances change and you can’t attend).

If you purchase a training course you get discounted rates for future training courses for one year and for the following 44CON conference.