Bindiff Analysis presented at BlueHat 2006

by Thomas (Halvar Flake) Dullien (zynamics)

Tags: Security

Summary: SABRE Security
Comparing two executable objects has many different and interesting applications, ranging from "offensive" security (such as attacking systems) and "defensive" security (analyzing malware) to legal questions, such as detecting code theft without access to the source code of either party. The actual process of comparing executables is complicated by different optimization settings used for the two executables, or even by different compilers.
It is oftentimes beneficial to treat the executable not as computer code but as a directed graph, and to apply graph-theoretical algorithms to that graph without taking the actual instructions into account. This talk explained the concepts behind SABRE BinDiff, a tool that uses a graph-theoretical approach to compare two executable objects. Different applications of such a comparison technique were discussed, ranging from the analysis of security patches, through the porting of debug information from one executable to another, to identifying highly similar code in two different executables.
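To make the graph-based idea concrete, the following Python script is an added illustration written for this page; it is not zynamics/SABRE BinDiff code and does not reproduce that tool's actual algorithm. It models each function as a control-flow graph (a list of block-to-block edges) plus its call list, fingerprints functions by graph shape alone, matches fingerprints that are unique in both binaries, and then uses call-graph position to pair the functions the shape test could not decide. The two "binaries", their function names (`main`, `sub_200`, and so on) and their edge lists are constructed sample data: binary B is meant to be the stripped, patched build of binary A, in which one parser gained an extra basic block.

```python
"""Toy structural binary diff: match functions across two executables by CFG
shape and call-graph position, ignoring instruction text entirely.
Added illustration for this page, not SABRE BinDiff code; all data is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Function:
    """One disassembled function: CFG as (src_block, dst_block) edges, plus callee names."""
    name: str
    cfg_edges: list
    calls: list


def cfg_signature(fn):
    """Shape-only fingerprint: block count, edge count, call count and the sorted
    multiset of (in-degree, out-degree) per basic block. Two builds of the same
    source usually share this even when register allocation or opcodes differ."""
    blocks, indeg, outdeg = set(), Counter(), Counter()
    for src, dst in fn.cfg_edges:
        blocks.update((src, dst))
        outdeg[src] += 1
        indeg[dst] += 1
    if not blocks:                      # single-block function: no edges at all
        blocks = {0}
    degree_profile = tuple(sorted((indeg[b], outdeg[b]) for b in blocks))
    return (len(blocks), len(fn.cfg_edges), len(fn.calls), degree_profile)


def match_by_signature(a_funcs, b_funcs):
    """Pass 1: pair functions whose signature occurs exactly once in each binary.
    Ambiguous shapes (several look-alike tiny helpers) are deliberately left open."""
    by_sig_a, by_sig_b = defaultdict(list), defaultdict(list)
    for f in a_funcs:
        by_sig_a[cfg_signature(f)].append(f.name)
    for f in b_funcs:
        by_sig_b[cfg_signature(f)].append(f.name)
    return {names[0]: by_sig_b[sig][0]
            for sig, names in by_sig_a.items()
            if len(names) == 1 and len(by_sig_b.get(sig, [])) == 1}


def propagate_by_callgraph(a_funcs, b_funcs, matches):
    """Pass 2: if an already matched pair each has exactly one still-unmatched
    callee, pair those callees as well, even when their CFGs differ (that
    difference is what a patch diff wants to surface). Iterate to a fixpoint."""
    a_by_name = {f.name: f for f in a_funcs}
    b_by_name = {f.name: f for f in b_funcs}
    changed = True
    while changed:
        changed = False
        matched_b = set(matches.values())
        for name_a, name_b in list(matches.items()):
            open_a = [c for c in a_by_name[name_a].calls if c not in matches]
            open_b = [c for c in b_by_name[name_b].calls if c not in matched_b]
            if len(open_a) == 1 and len(open_b) == 1:
                matches[open_a[0]] = open_b[0]
                matched_b.add(open_b[0])
                changed = True
    return matches


def diff_binaries(a_funcs, b_funcs):
    """Return (matches, changed, unmatched_a, unmatched_b): name pairs, matched
    functions whose shape differs between builds (patch candidates), and leftovers."""
    a_by_name = {f.name: f for f in a_funcs}
    b_by_name = {f.name: f for f in b_funcs}
    matches = propagate_by_callgraph(a_funcs, b_funcs, match_by_signature(a_funcs, b_funcs))
    changed = sorted(na for na, nb in matches.items()
                     if cfg_signature(a_by_name[na]) != cfg_signature(b_by_name[nb]))
    unmatched_a = sorted(n for n in a_by_name if n not in matches)
    unmatched_b = sorted(n for n in b_by_name if n not in matches.values())
    return matches, changed, unmatched_a, unmatched_b


def sample_binaries():
    """Constructed sample: A carries symbols; B is the patched build with symbols
    stripped, where the parser gained one extra basic block (a bounds check)."""
    a = [
        Function("main",         [(0, 1), (1, 2)],                 ["parse_header", "log"]),
        Function("parse_header", [(0, 1), (0, 2), (1, 3), (2, 3)], ["copy_field"]),
        Function("copy_field",   [(0, 1)],                         []),
        Function("log",          [(0, 1), (1, 2), (2, 1)],         []),
        Function("helper_x",     [(0, 1)],                         []),
    ]
    b = [
        Function("sub_100", [(0, 1), (1, 2)],                                 ["sub_200", "sub_400"]),
        Function("sub_200", [(0, 1), (0, 2), (1, 3), (2, 3), (1, 4), (4, 3)], ["sub_300"]),
        Function("sub_300", [(0, 1)],                                         []),
        Function("sub_400", [(0, 1), (1, 2), (2, 1)],                         []),
        Function("sub_500", [(0, 1)],                                         []),
    ]
    return a, b


if __name__ == "__main__":
    matches, changed, ua, ub = diff_binaries(*sample_binaries())
    for na, nb in sorted(matches.items()):
        print(f"{na:>13} -> {nb}  {'CHANGED' if na in changed else 'same shape'}")
    print("unmatched in A:", ua, " unmatched in B:", ub)
```

Running it pairs `main` and `log` on shape alone, then follows the call graph to pair `parse_header` with `sub_200` and `copy_field` with `sub_300`, and reports `parse_header` as the only changed function, which is the patch-analysis use case from the abstract. The two one-block helpers `helper_x` and `sub_500` stay unmatched because nothing structural distinguishes them, which is exactly the ambiguity that makes this a graph problem rather than a byte-comparison problem.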