Comments on ADD / XOR / ROL: Improving Binary Comparison (and its implication for malware classification)
Blog author: halvar.flake. Five comments, shown in chronological order.

Unknown (2008-10-01, 07:01 -07:00):
I'm going to be the annoying one and ask when we can expect to see this behavior in BinDiff or some other publicly available product?

Unknown (2008-10-01, 10:19 -07:00):
Halvar, amazing stuff. I like your thesis too, although I've only read a few pages so far.

While you've demoed some libraries that likely match the one used in the target, what about the false positive ratio? It would be interesting to see your comparison of multiple versions of the OpenSSL library against PIX to see which one it is most similar to. Are they really backporting patches or is it stock 0.9.5a?

Also, perhaps compare gnutls to the PIX OpenSSL implementation and see how much various internal functions (say, derive master secret) match even though the libraries are different implementations.

Thierry Zoller (2008-10-04, 10:39 -07:00):
Hey Halvar, your posts do have titles now! :)

Ryan Russell (2008-10-06, 16:46 -07:00):
Asking out of ignorance, so apologies in advance.

You are already taking advantage of callpath info to bring up neighbor functions? I.e. A calls B. B by itself in both binaries is 0.5 confidence. But A is 0.95. If both A's call both B's in the same place, do you bump B up to 0.725?

halvar.flake (2008-10-31, 02:17 -07:00):
@forever: This should be in BinDiff v3.0, due out in Q1 2009.

@nate: False positives are usually identifiable -- they tend to have low "confidence" scores in the matching algorithm. Generally, with larger graphs the false positive rate decreases drastically.

As far as I can see, they are backporting patches to 0.9.5a, but I only had a cursory look.

Concerning gnutls: I would be _extremely_ surprised if gnutls vs openssl matches in any way -- but I will try, thanks for the hint! :)

@ryan: No, not yet -- the confidence of the neighboring matches does not influence the confidence of the current match yet. In debug builds of the code we construct a "reasoning tree" though -- e.g. "this node was matched because of this other node here". This would allow us to base the current confidence on the confidence of the things that "led" the algorithm to decide the way it did.

Unfortunately, keeping this "reasoning tree" in memory is not easily feasible for very large diffs, so we don't build it unless we're trying to diagnose an error...