If You Find One, There are Probably More!: A Detection Method of “Reproduced” Vulnerability
Asuka Nakajima @ Positive Hack Days VI
Copyright©2016 NTT corp. All Rights Reserved.
NTT Confidential
# whoami
- Asuka Nakajima: Researcher at NTT Secure Platform Laboratories
  - Vulnerability Discovery / Reverse Engineering
- Organizer of SECCON CTF: Thank you for playing SECCON CTF
- Founder of “CTF for GIRLS”: The first security engineer community for women in Japan
What is a “reproduced” vulnerability?
A vulnerability which is copied to other source code or software for some reason: the vulnerable part of Software 1 is copied into Software 2.
Why does it happen?
- Copy & Paste (Source A → Ctrl + C, Ctrl + V → Source B)
- Source Code Sharing
- Fork Project
The risk of reproduced vulnerability
Patch distribution for a reproduced vulnerability (timeline): a new vulnerability is discovered, the patch for Software 1 is distributed, and only later the patch for Software 2 is distributed; in between, Software 2 stays vulnerable.
Patch release dates differ by up to 118 days [1].
An attacker can analyze the patch and develop exploit code for the unpatched one.
[1] A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitraș, “The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching,” in IEEE Symposium on Security and Privacy, San Jose, CA, 2015.
About the research
Source code based approach? (e.g. ReDeBug [2])
・Cannot be applied to proprietary software products
→ A detection method that targets binary executables is necessary
[2] Jiyong Jang, Abeer Agrawal, and David Brumley, “ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions”, in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.
Previous Works
TEDEM [3]
- Represents the assembly code (per basic block) as an S-expression (tree structure)
- Uses tree edit distance to identify the reproduced vulnerability
Cross-Architecture Bug Search in Binary Executables [4]
- Targets reproduced vulnerabilities which reside in a different architecture
- Basic block I/O based similarity calculation
They cannot detect a reproduced vulnerability when some types of source code modification (adding multiple lines, I/O change) occur.
[3] Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, Christian Rossow, “Leveraging semantic signatures for bug search in binary programs”, Annual Computer Security Applications Conference, New Orleans, USA, December 2014.
[4] Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, Thorsten Holz, “Cross-Architecture Bug Search in Binary Executables”, 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, May 2015.
Approach (Overview)
Calculate the similarity between the assembly code by using a similar string search algorithm.
Workflow
1. Disassemble & Normalization
2. Similarity Calculation
3. Discriminate “patched” or “unpatched”
4. Check Attack Vector (Future Work)
Illustration: the unpatched part assembly (push REG / mov REG REG / mov REG VAL / call MEM ・・・) and the target binary assembly (mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM ・・・) go into the similarity calculation, which reports e.g. Similarity 80% → Same vulnerability?
Approach: 1. Disassemble & Normalization
Disassemble
・Binary file (unpatched vuln)
・Target binary file
Normalization (operand)
Different assembly (operands) will be generated even if the source code is the same※, so operands are normalized:
Before: mov eax ecx → After: mov REG REG
- REG: register
- MEM: memory
- VAL: immediate value
※ Examples:
1. Original: shr rdx,1 / lea rdi,[rdx+0x4] / call 3f3d0
   Copy:     shr rdx,1 / lea rdi,[rdx+0x4] / call 41d630
2. Original: xor ebx, ebx / add rsp, 38h / mov eax, ebx / pop rbx / pop rbp / pop r12 / pop r13 / retn
   Copy:     xor r12d, r12d / add rsp, 38h / mov eax, r12d / pop rbx / pop rbp / pop r12 / pop r13 / retn
Approach: 2. Similarity Calculation
The unpatched part assembly (push REG / mov REG REG / mov REG VAL / call MEM ・・・) and the target binary assembly (mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM ・・・) go into the similarity calculation, which outputs Similarity N%.
・Needleman-Wunsch (semi-global alignment algorithm): a similar string search algorithm which is used in bioinformatics
→ Apply “Affine Gap Penalty”
Approach: Why Needleman-Wunsch?
In each case string 1 is the source and string 2 the destination.
- LCS (Global Alignment): searches the similar region between the two given strings as a whole
- Smith-Waterman (Local Alignment): searches all similar parts between the two given strings
- Needleman-Wunsch (Semi-Global Alignment): searches the region (in string 2) that best matches string 1
→ Needleman-Wunsch is the most suitable.
Approach: Score Calculation
Similarity = Score of Most Similar Part / Maximum Score (All Matched Case)
Needleman-Wunsch (normal gap):
- match +2 points
- mismatch -2 points
- gap -1 point
Needleman-Wunsch (affine gap), which distinguishes the gaps:
- match +2 points
- mismatch -2 points
- open gap※ -3 points
- extended gap -0.5 points
※ Open gap: the first gap of multiple gaps
(Illustration on the slide: “pop rax” aligned against “pop rax pop rax pop rax push rcx pop rax call rax”, with match, mismatch and gap positions marked: ■Match ■Mismatch ■Gap.)
Approach: Score Calculation (Matrix Calculation Formula)
A → unpatched part assembly, B → target binary assembly:
$$A = a_1^M = a_1, a_2, a_3, \ldots, a_M, \qquad B = b_1^N = b_1, b_2, b_3, \ldots, b_N$$
※ |A| = M, |B| = N
$$s(a_i, b_j) = \begin{cases} \mathit{match} & \text{if } a_i = b_j, \\ \mathit{mismatch} & \text{otherwise.} \end{cases}$$
Calculate the score matrices X, Y, Z (o: open gap penalty, e: extended gap penalty, as set on the previous slide):
$$X = (x_{ij}),\; Y = (y_{ij}),\; Z = (z_{ij}), \qquad 0 \le i \le M,\; 0 \le j \le N$$
$$x_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \neq 0, \\ i \times \mathit{mismatch} & \text{if } j = 0, \\ \max\left(x_{i-1,j-1} + s(a_i, b_j),\; y_{i,j},\; z_{i,j}\right) & \text{otherwise.} \end{cases}$$
$$y_{ij} = \begin{cases} -\infty & \text{if } i = 0, \\ 0 & \text{if } j = 0 \text{ and } i \neq 0, \\ \max\left(y_{i-1,j} + e,\; x_{i-1,j} + o + e\right) & \text{otherwise.} \end{cases}$$
$$z_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \neq 0, \\ -\infty & \text{if } j = 0, \\ \max\left(z_{i,j-1} + e,\; x_{i,j-1} + o + e\right) & \text{otherwise.} \end{cases}$$
$$j_{max} = \operatorname*{argmax}_{1 \le j \le N} x_{Mj}$$
Calculate the similarity based on the max score of matrix X, i.e. $x_{M j_{max}}$.
Approach: Similarity Calculation Example
Unpatched part assembly (A): push REG / mov REG REG / mov REG REG / call MEM / mov REG REG
Target binary assembly (B): mov REG REG / mov REG REG / push REG / push REG / mov REG REG / mov REG REG / call MEM
Matrices X, Y, Z are filled in; the max score is 4.5p.
Similarity = 4.5 / 10 = 45% (※ all matched case: 2p × 5 = 10)
Approach: Why Affine Gap Penalty?
Affine gap penalty can mitigate the significant score drop due to source code modification.
Source Code:
    int main(int argc, char* argv[]){
        if(argc != 2){
            printf("Usage:%s <your name>\n", argv[0]);
            return 1;
        }
        printf("Argument:%d,%s\n", argc, argv[1]);
        printf("Hello World! %s\n", argv[1]);
        return 0;
    }
Assembly:
    push ebp
    mov ebp,esp
    and esp,0xfffffff0
    sub esp,0x10
    cmp DWORD PTR [ebp+0x8],0x2
    je 0x8048448 <main+43>
    mov eax,DWORD PTR [ebp+0xc]
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048520
    call 0x80482f0 <printf@plt>
    mov eax,0x1
    jmp 0x8048484 <main+103>
    mov eax,DWORD PTR [ebp+0xc]
    add eax,0x4
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x8],eax
    mov eax,DWORD PTR [ebp+0x8]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048536
    call 0x80482f0 <printf@plt>
    mov eax,DWORD PTR [ebp+0xc]
    add eax,0x4
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048546
    call 0x80482f0 <printf@plt>
    mov eax,0x0
    leave
    ret
Adding 1 line of source code = adding 8 lines of assembly code.
■ Normal gap: 22 × 2 = 44, 8 × -1 = -8 → Total 36p
■ Affine gap: 22 × 2 = 44, 1 × -3 = -3, 7 × -0.5 = -3.5 → Total 37.5p
Approach: 3. Discriminate “patched” or “unpatched”
Extract when Sim① (unpatched part) > Sim② (patched part).
- Unpatched part assembly (push REG / mov REG REG / mov REG VAL / call MEM ・・・) vs. target binary assembly → Similarity Calculation ① → Sim①: 80%
- Patched part assembly (push REG / mov REG REG / mov REG VAL / call MEM ・・・) vs. target binary assembly → Similarity Calculation ② → Sim②: 55%
- Target binary assembly: mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM ・・・
→ Sim① > Sim②: extract the target as a vulnerability candidate
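An added worked example (not code from the slides or from NTT) that implements steps 1 to 3 as the slides describe them: operand normalization, the semi-global Needleman-Wunsch alignment with the X/Y/Z affine-gap recurrences, and the unpatched-vs-patched discrimination. The register list, the Intel-syntax operand parsing and the way the 20% threshold is combined with the Sim① > Sim② rule are this example's assumptions; the constructed input reproduces the slides' 4.5-point / 45% example.

```python
import re
# Score setting from the slides: match +2, mismatch -2, open gap -3, extended gap -0.5.
MATCH, MISMATCH, OPEN, EXTEND = 2.0, -2.0, -3.0, -0.5
NEG_INF = float("-inf")
# x86/x86-64 general-purpose register names (an assumption of this example).
REG_RE = re.compile(r"^(?:[re]?[abcd]x|[re]?[sd]i|[re]?[sb]p|r\d+[bwd]?|[abcd][lh]|[sd]il|[sb]pl)$")

def normalize(line):
    """Step 1: keep the mnemonic, replace each operand with REG, MEM or VAL. Assumes Intel
    syntax ('mov eax, ecx', 'lea rdi,[rdx+0x4]'); call/jump targets become MEM ('call MEM')."""
    mnemonic, _, rest = line.strip().partition(" ")
    out = [mnemonic]
    for op in filter(None, (o.strip() for o in rest.split(","))):
        if "[" in op or mnemonic == "call" or mnemonic.startswith("j"):
            out.append("MEM")
        elif REG_RE.match(op):
            out.append("REG")
        else:
            out.append("VAL")  # immediates such as 0x10, 38h or 1
    return " ".join(out)

def semiglobal_affine(a, b, match=MATCH, mismatch=MISMATCH, o=OPEN, e=EXTEND):
    """Step 2: Needleman-Wunsch semi-global alignment with affine gap penalty, written from the
    X/Y/Z recurrences on the slides. All of A (unpatched part) must be aligned; B (target) gets
    free leading/trailing gaps. Opening a gap costs o+e, each further position e. Non-empty input."""
    m, n = len(a), len(b)
    x = [[0.0] * (n + 1) for _ in range(m + 1)]      # best score ending in match/mismatch
    y = [[NEG_INF] * (n + 1) for _ in range(m + 1)]  # ... ending with a_i against a gap
    z = [[NEG_INF] * (n + 1) for _ in range(m + 1)]  # ... ending with b_j against a gap
    for i in range(1, m + 1):
        x[i][0], y[i][0] = i * mismatch, 0.0
    for j in range(1, n + 1):
        z[0][j] = 0.0                                 # x[0][j] stays 0: free leading gap in B
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            y[i][j] = max(y[i - 1][j] + e, x[i - 1][j] + o + e)
            z[i][j] = max(z[i][j - 1] + e, x[i][j - 1] + o + e)
            s = match if a[i - 1] == b[j - 1] else mismatch
            x[i][j] = max(x[i - 1][j - 1] + s, y[i][j], z[i][j])
    return max(x[m][1:])                              # best column of the last row (free trailing gap)

def similarity(unpatched, target):
    # Score of the most similar part divided by the all-matched score (match * |A|).
    return semiglobal_affine(unpatched, target) / (MATCH * len(unpatched))

def is_reproduced_candidate(target, unpatched, patched, threshold=0.20):
    """Step 3: extract when Sim(unpatched) > Sim(patched). Also requiring Sim(unpatched) to
    clear the 20% threshold of the evaluation slides is this example's assumption."""
    sim_u, sim_p = similarity(unpatched, target), similarity(patched, target)
    return sim_u >= threshold and sim_u > sim_p, sim_u, sim_p

# Constructed input: the 5-line unpatched part and 7-line target from the slides' example.
UNPATCHED = ["push REG", "mov REG REG", "mov REG REG", "call MEM", "mov REG REG"]
TARGET = [normalize(l) for l in ["mov eax, ecx", "mov ebx, edx", "push rbp", "push rbx",
                                 "mov rdx, rax", "mov rdi, rsi", "call 41d630"]]
```

With these inputs `semiglobal_affine(UNPATCHED, TARGET)` returns 4.5 and `similarity` 0.45, the values on the example slide; the alignment that reaches it is push→push, mov→mov, mov→mov, call→call with the trailing mov paid as one opened gap (-3.5).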
Experiment 1 [Overview]
[GOAL] Evaluate the validity of the approach
[Score setting] Match 2p, Mismatch -2p, Open gap -3p, Extended gap -0.5p
Dataset (432 binaries): Ubuntu 12.04, /bin and /usr/lib (x86-64/ELF)
1. Calculate the similarity between original and copied binary: Vuln1 (CVE-2008-4314) original vs. copy → ?%, Vuln2 (CVE-2008-5023) original vs. copy → ?%
2. Calculate the similarity between original and dataset binary: Vuln1 (CVE-2008-4314) original and Vuln2 (CVE-2008-5023) original vs. each dataset binary → ?%
Case 1: CVE-2008-4316 (Source Code)
Original [GLib]:
    g_base64_encode (const guchar *data, gsize len){
      gchar *out;
      gint state = 0, outlen;
      gint save = 0;
      g_return_val_if_fail (data != NULL, NULL);
      g_return_val_if_fail (len > 0, NULL);
      out = g_malloc (len * 4 / 3 + 4);
      outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
      outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
      out[outlen] = '\0';
      return (gchar *) out;
    }
Copy [Seahorse] (2 lines are deleted):
    seahorse_base64_encode (const guchar *data, gsize len){
      gchar *out;
      gint state = 0, outlen;
      gint save = 0;
      out = g_malloc (len * 4 / 3 + 4);
      outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save);
      outlen += seahorse_base64_encode_close (FALSE, out + outlen, &state, &save);
      out[outlen] = '\0';
      return (gchar *) out;
    }
Case 2: CVE-2008-5023 (Source Code)
Original [Firefox]:
    PRBool nsXBLBinding::AllowScripts(){
      PRBool result;
      mPrototypeBinding->GetAllowScripts(&result);
      …
      nsCOMPtr<nsIDocument> ourDocument;
      mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
      PRBool canExecute;
      nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute);
      return NS_SUCCEEDED(rv) && canExecute;
    }
Copy [Seamonkey] (4 lines are added & 1 line is modified):
    PRBool nsXBLBinding::AllowScripts(){
      PRBool result;
      mPrototypeBinding->GetAllowScripts(&result);
      …
      nsCOMPtr<nsIDocument> ourDocument;
      mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
      nsIPrincipal* principal = ourDocument->GetPrincipal();
      if (!principal) {
        return PR_FALSE;
      }
      PRBool canExecute;
      nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute);
      return NS_SUCCEEDED(rv) && canExecute;
    }
Experiment 1 [Result]
CVE-ID         Original  Copy       Similarity (unpatched)  Similarity (patched)  Max similarity (Dataset)
CVE-2008-4316  GLib      Seahorse   60.7%                   11.5%                 9.2%
CVE-2008-5023  Firefox   Seamonkey  68.8%                   38.0%                 9.7%
- The extracted part was the copied vulnerable part
- Similarity within the dataset was at most 9.7%
- The threshold should be around 20%
- Detected reproduced vulnerabilities in binary executables, even when there was source code modification
Experiment 2 [Overview]
[GOAL] Detect reproduced vulnerability from real world software products
[Score setting] match 2p, mismatch -2p, open gap -3p, extended gap -0.5p
[Threshold] 20%
21 vulnerabilities vs. 40945 binary files → ?%
- 14 vulnerabilities from Windows: CVE-2015-1635, CVE-2014-0301, CVE-2013-5058, CVE-2013-0030, CVE-2011-2005, CVE-2011-0658, CVE-2010-0816, CVE-2010-0028, CVE-2008-4250, CVE-2008-4028, CVE-2007-1794, CVE-2007-0024, CVE-2006-4691, CVE-2006-0021
- 7 vulnerabilities from OpenSSL: CVE-2015-1793, CVE-2015-1790, CVE-2015-1789, CVE-2015-0292, CVE-2015-0288, CVE-2015-0287, CVE-2015-0286
- Binary files from Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows Server, and VirusTotal (NSRL)
Details of the vulnerabilities
14 vulnerabilities from Windows
CVE-ID         Type of Vuln       Function name                  File name
CVE-2015-1635  Integer Overflow   UlpParseRange                  http.sys
CVE-2014-0301  Double Free        LoadJPEGImageNewBuffer         qedit.dll
CVE-2013-5058  Integer Overflow   RFONTOBJ::bTextExtent          win32k.sys
CVE-2013-0030  Buffer Overflow    SavePathSeg                    vgx.dll
CVE-2011-2005  Memory error       AfdJoinLeaf                    afd.sys
CVE-2011-0658  Integer Underflow  _PictLoadMetaFileRaw           oleaut32.dll
CVE-2010-0816  Integer Overflow   CPOP3Transport::ResponseSTAT   inetcomm.dll
CVE-2010-0028  Integer Overflow   CBMPStream::Write              mspaint.exe
CVE-2008-4250  Buffer Overflow    sub_5925A26B                   netapi32.dll
CVE-2008-4028  Buffer Underflow   SrvIssueQueryDirectoryRequest  srv.sys
CVE-2007-1794  Integer Underflow  CDownloadSink::OnDataAvailable vgx.dll
CVE-2007-0024  Integer Overflow   CVMLRecolorinfo::InternalLoad  vgx.dll
CVE-2006-4691  Buffer Overflow    NetpManageIPCConnect           netapi32.dll
CVE-2006-0021  DoS                IGMPRcvQuery                   tcpip.sys
Details of the vulnerabilities
7 vulnerabilities from OpenSSL
Collected the unpatched & patched part which resides in a single function.
CVE-ID         Type of Vuln         Function name     File name
CVE-2015-1793  Certificate forgery  X509_verify_cert  libeay32.dll
CVE-2015-1790  DoS (Null pointer)   PKCS7_dataDecode  libeay32.dll
CVE-2015-1789  DoS                  X509_cmp_time     libeay32.dll
CVE-2015-0292  Integer Underflow    EVP_DecodeUpdate  libeay32.dll
CVE-2015-0288  DoS (Null pointer)   X509_to_X509_REQ  libeay32.dll
CVE-2015-0287  DoS                  ASN1_item_ex_d2i  libeay32.dll
CVE-2015-0286  DoS                  ASN1_TYPE_cmp     libeay32.dll
Collected binary files
Details of the 40945 binary files
Source               # of files
VirusTotal (NSRL)    7580
Windows XP           3479
Windows Vista        6933
Windows 7            5981
Windows 8.1          5048
Windows Server 2003  3984
Windows Server 2008  7940
Experiment 2 [Result]
Candidates of reproduced vulnerability
CVE-ID         Original                      Copy                             Similarity  Result
CVE-2008-4250  netapi32.dll (5.1.2600.2952)  netlogon.dll (5.2.3790.1830)     37.7%       (see below)
CVE-2011-0658  oleaut32.dll (5.2.3790.4202)  olepro32.dll (6.1.7601.17514)    75.1%       Dead code
CVE-2015-1789  libeay32.dll (0.9.8.31)       JunosPulseVpnBg.dll (1.0.0.206)  43.9%       (see below)
CVE-2015-1793  libeay32.dll (1.0.1.15)       JunosPulseVpnBg.dll (1.0.0.206)  39.0%       No attack vector
CVE-2008-4520 (MS08-067)
Details
- It was a real case of a “reproduced” BoF vulnerability!
- [original] netapi32.dll [copy] netlogon.dll
→ Vulnerability which was used by the Conficker worm
(Disassembly figure on the slide: Original vs. Copy)
CVE-2008-4520 (MS08-067)
Distribution of patch (timeline)
- Patch for netapi32.dll: KB958644 (Oct/2008)
- Patch for netlogon.dll: KB961853 (Jan/2009)
Patch distribution dates differ by three months.
CVE-2011-0658 (MS11-038)
Details
- [original] oleaut32.dll [copy] olepro32.dll
- Integer Underflow Vulnerability
- Vulnerable part was dead code (function forwarding)
(Disassembly figure on the slide: Original vs. Copy)
CVE-2015-1789 (OpenSSL)
Details
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll
- Used by “Windows In-Box Junos Pulse Client (VPN Client)”※
- Originally used by Pulse Client
※ “Microsoft Windows 8.1 introduced Junos Pulse client as part of the Windows operating system. (Microsoft calls this an “in-box” application.)” [5]
[5] Windows In-Box Junos Pulse Client Quick Start Guide, https://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf
(Disassembly figure on the slide: Original vs. Copy)
CVE-2015-1789 (OpenSSL)
Pulse (Desktop) Client: Resolved in 5.0R13/5.1R5 (CVE-2015-1789)
Status: Vulnerable
Vulnerability fixed date (timeline)
- Vulnerability fixed (OpenSSL): June/2015
- When I found the vulnerability: July/2015
- Update released (Pulse Secure): Aug/2015
Fixed dates differ by two months.
CVE-2015-1793 (OpenSSL)
Details
- Alternative Chain Certificate Forgery
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll
(Disassembly figure on the slide: Original vs. Copy)
“This issue does not affect Pulse Secure products as it only exists in very recent version of OpenSSL code that we do not utilize”
Conclusion & Future Work
Conclusion
- The proposed method can detect reproduced vulnerabilities in binary files, even when there was source code modification
- Found real world reproduced vulnerabilities!
Future Work
- Consider a method which can find whether an attack vector exists or not
- Consider a method which can detect reproduced vulnerabilities which reside in multiple functions