Structural Comparison of Executable Objects

  • Halvar Flake | Ruhr-Universitaet Bochum

Comparing two executable objects has many different and interesting applications, ranging from “offensive” security (such as attacking systems) through “defensive” security (analyzing malware) to legal questions such as detecting code theft without access to the source code of either party.
The actual process of comparing executables is complicated by differing optimization settings, or even differing compilers, between the two executables. It is often beneficial to treat an executable not as computer code but as a directed graph, and to apply graph-theoretical algorithms to that graph without taking the actual instructions into account.
The talk will explain the concepts behind SABRE BinDiff, a tool that uses a graph-theoretical approach to compare two executable objects. Different applications for such a comparison technique will be discussed, ranging from the analysis of security patches through the porting of debug information from one executable to the other to identifying highly similar code in two different executables.
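To make the graph-only idea and the patch-analysis application concrete, here is an added example in Python. It is not SABRE BinDiff's own code and does not reproduce BinDiff's actual heuristics; it only illustrates the approach. Two hand-constructed "binaries" (BINARY_A, BINARY_B, and the sub_4010xx names are all invented) are represented purely as control-flow graphs plus call edges, with no instructions stored at all. Functions are first paired by a simple shape signature (block count, edge count, callee count) wherever that signature is unique on both sides, then the pairing is propagated along the call graph from already-matched functions. The one function whose graph changed between the two builds, as a security patch would change it, is reported as changed.

```python
from collections import defaultdict

# Constructed sample input (hypothetical, hand-written): each "binary" maps a
# function name to (CFG edges between basic-block ids, set of callees).
# Block 0 is the entry block. No instruction text is stored at all, so the
# matching below can only use graph shape.
BINARY_A = {
    "parse_header": ([(0, 1), (0, 2), (1, 3), (2, 3)], {"read_u32", "log"}),
    "read_u32": ([(0, 1), (0, 2)], set()),
    "log": ([(0, 1)], set()),
    "main": ([(0, 1), (1, 2), (1, 3), (2, 4), (3, 4)], {"parse_header", "log"}),
    "helper_a": ([(0, 1)], set()),  # same shape as "log"; resolved by elimination
}

# The same program rebuilt with stripped symbols and one patch: parse_header
# gained an extra branch (think of an added length check), so its graph has
# more blocks and edges than before.
BINARY_B = {
    "sub_401000": ([(0, 1), (0, 2), (1, 3), (2, 3), (3, 4), (3, 5), (4, 6), (5, 6)],
                   {"sub_401200", "sub_401300"}),
    "sub_401200": ([(0, 1), (0, 2)], set()),
    "sub_401300": ([(0, 1)], set()),
    "sub_401400": ([(0, 1), (1, 2), (1, 3), (2, 4), (3, 4)], {"sub_401000", "sub_401300"}),
    "sub_401500": ([(0, 1)], set()),
}


def signature(func):
    """Graph-shape signature: (basic blocks, CFG edges, distinct callees)."""
    edges, callees = func
    blocks = {0} | {b for edge in edges for b in edge}
    return (len(blocks), len(edges), len(callees))


def unique_signature_pairs(funcs_a, funcs_b):
    """Pair functions whose signature occurs exactly once on each side."""
    by_sig_a, by_sig_b = defaultdict(list), defaultdict(list)
    for name, func in funcs_a.items():
        by_sig_a[signature(func)].append(name)
    for name, func in funcs_b.items():
        by_sig_b[signature(func)].append(name)
    pairs = []
    for sig, names_a in by_sig_a.items():
        names_b = by_sig_b.get(sig, [])
        if len(names_a) == 1 and len(names_b) == 1:
            pairs.append((names_a[0], names_b[0]))
    return pairs


def structural_diff(bin_a, bin_b):
    """Match functions of bin_a to bin_b by graph shape, then by call-graph
    neighbourhood. Returns (matches a->b, names in a whose shape changed)."""
    matches, changed = {}, set()

    def record(f, g):
        matches[f] = g
        if signature(bin_a[f]) != signature(bin_b[g]):
            changed.add(f)

    def unmatched(bin_x, names, taken):
        return {n: bin_x[n] for n in names if n not in taken}

    while True:
        progress = False
        # Pass 1: signatures that are globally unique among unmatched functions.
        for f, g in unique_signature_pairs(unmatched(bin_a, bin_a, matches),
                                           unmatched(bin_b, bin_b, set(matches.values()))):
            record(f, g)
            progress = True
        # Pass 2: propagate from every matched pair to its unmatched callees.
        for f, g in list(matches.items()):
            sub_a = unmatched(bin_a, bin_a[f][1], matches)
            sub_b = unmatched(bin_b, bin_b[g][1], set(matches.values()))
            for x, y in unique_signature_pairs(sub_a, sub_b):
                record(x, y)
                progress = True
            sub_a = unmatched(bin_a, bin_a[f][1], matches)
            sub_b = unmatched(bin_b, bin_b[g][1], set(matches.values()))
            if len(sub_a) == 1 and len(sub_b) == 1:
                # One candidate left on each side: pair them even though the
                # signatures differ. That pair is exactly a changed function.
                record(next(iter(sub_a)), next(iter(sub_b)))
                progress = True
        if not progress:
            return matches, changed


if __name__ == "__main__":
    found, diffs = structural_diff(BINARY_A, BINARY_B)
    for f, g in sorted(found.items()):
        print(f"{f:>13} -> {g}{'  (structure changed)' if f in diffs else ''}")
```

The example only matches along callee edges and pairs leftover singletons by elimination; a real tool would also use callers, run more selective signatures before falling back to elimination, and compare the two graphs of a changed pair block by block to localise the patch. The point the abstract makes survives even in this toy: nothing about the instructions was consulted, so a recompile that rewrites every instruction but leaves the graphs alone still produces the same matches.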

Speaker Details

Halvar Flake is Black Hat’s resident reverse engineer. Originating in the field of copy protection, he moved more and more towards network security after realizing the potential of reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diffs with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.
