★ WORKSHOP ★
Binary Reversing and Whole Firmware Diffing
Saturday, 24 February
This workshop introduces the field of binary diffing and especially its automation through scripting. Diffing is used for a variety of use cases like patch-diffing, variant analysis, anti-plagiarism or vulnerability research. While multiple diffing tools exists few has been done to perform it at scale on numerous binaries.
Attendees will perform diffing on vulnerabilities (CVEs) but also on a full router firmware for security analyses. Participants will use existing differs like Bindiff but also some plugins and tools developed on purpose and available at: https://diffing.quarkslab.com.
This workshop is targeting tech savvy eager to know more about binary diffing up to experienced red teamer. The outline of the workshop is the following.
1. Introduction (5 min)
We will first introduce the workshop, the virtual machine and the various materials used. Once everyone is ready with a running VM, we will deep dive into RE scripting and diffing.
2. Scripting Reverse Engineering (15 min)
This part introduces the concept of binary exporters which aims at dumping the whole Ghidra/IDA Pro disassembly into a file that can then be manipulated without having to keep the disassembler open. We will present:
- python-binexport, a wrapper around Binexport (Google's exporter)
- Quokka developed internally circumventing binexport limitations
Exercise: Exporting some binaries and start manipulating them through the Python API to automate some scripting. We will showcase how to decipher automatically Mirai's malware ciphered strings.
3. Binary Diffing (30 min)
Binary diffing will be introduced covering first how to do manual diffing using Bindiff and how it can be used for patch diffing.
Then we will introduce python-bindiff enabling automating the diffing process and to manipulate the result seamlessly.
Exercise: * Diffing CVE-2021-0308, an LPE impacting gdisk on Android (both manually & automated manner) * Diffing to port symbols on stripped binaries
4. Automating Whole Firmware Diffing (40 min)
Assembling the various pieces together, we will show how to perform structured firmware diffing. Indeed, no existing utility enable manipulating a diff result programmatically on a whole file system to perform security analyzes. The process will be decomposed in:
- firmware extraction
- firmware cartography using Pyrrha
- diffing the cartography of the two firmware (for a broad overview)
- full firmware binary-diffing for in-depth analysis
Exercise: Real-world use case on the Netgear RAX30 WiFi router present at the Pwn2own 2022 contest. By applying the aformentioned methodology, the goal is identifying key changes in order to understand what has been updated between version 184.108.40.206 and version 220.127.116.11 through whole firmware diffing. Solving the exercise give attendees a glimpse of issues patched in the latest version released right before the contest.
We will conclude summarizing the various topics addressed and especially whole firmware diffing. Key takeaways will be highlighted along with an opening discussion on Qbindiff a differ we developed tailored for advanced use cases. Some time will be allocated for questions, feedback and to give further materials and links to dig into diffing.
- Downloading and installing the VM: https://files.quarkslab.com/3dac2dcd-bb92-4ac9-99cc-e517498i6978/quarkslab-binary-diffing.ova
- x64-based VM
- user: vagrant
- mdp: vagrant
- Basics in assembly x64, ARM
- Familiarity with Python language
Robin David, Phd is Automated Analysis Team Leader at Quarkslab and full-time senior security researcher. He is working on various technologies like greybox fuzzing, symbolic excution, firmware analysis and deobfuscation for which he is actively working on open-source tools to help to community. He has been presenting his work in a variety of industrial conferences and is also trainer at Ringzer0.