This is beautiful. #aor24 day 15 #bindiffing #radare2
#bindiffing
The code is also published (in github) already and #Diaphora now can use an already trained model to try to improve binary diffing results (matching). I haven't made yet a new release just yet as these changes are considered a bit experimental for now.
The datasets and tools for training and testing are here: https://github.com/joxeankoret/diaphora-ml
And Diaphora, is here: https://github.com/joxeankoret/diaphora
#Diaphora #BinaryDiffing #Bindiffing #ReverseEngineering #MachineLearning
SPONSORING
📢 We are vey happy to announce the GOLD sponsorship by Quarkslab ( https://www.quarkslab.com ) 😍 We thank them a lot for their support since the Day 1 of the conference in 2018 🙏
🚀 Among many others #opensource projects, Quarkslab recently published a ⚡ #binDiffing portal https://diffing.quarkslab.com/ . You will be able to find there several of their #bindiffing open source softwares like #Qbindiff or #Quokka but also many ressources on the topic.
📝 "Through QLab‘s consulting expertise and R&D, and our software QFlow and QShield, we share and scale our knowledge by making it accessible to everyone. We believe that security is everyone’s concern as there is no freedom if there is no security."
It's very sad, but it's always a damn waste of time reading academic research about binary diffing or, as it's called at the academia, about binary code similarity analysis. It's either all fairytales that cannot be proved or, plainly, false and/or wrong.
An example? One paper that I have re-read today says that #BinDiff and #Diaphora are mono-architecture and totally discard these tools for the paper. LOL.
Fun Reverse Engineering problem du jour. A compilation unit is a set of functions. Cool. However, a function might belong to one or many compilation units.
For example, in #Diaphora, I used to think that once I have a compilation unit name for a function, that function belongs to just that one CU. However, if a function from, for example, a header file is in-lined inside a function, what compilation unit does that function belong to?
Not one, but two new #bindiffing tools landed this week. Sweet!
// HT @clearbluejar @4Dgifts
https://github.com/clearbluejar/ghidriff
https://blog.quarkslab.com/qbindiff-a-modular-diffing-toolkit.html
Any cool bug on this Patch Tuesday? Anything cool to diff with #Diaphora and enhance the ability to try to find patched vulnerabilities?
Did you know that #Diaphora detects patch diffing sessions and tries to help finding where vulnerabilities were fixed? Here are some examples for CVE-2020-1350 and CVE-2023-28231.
#patchdiffing #binarydiffing #bindiffing #vulnerabilityresearch #vulndev
Today I realised that the oldest technology developed by me integrated into #Diaphora dates from 2009.
In case you are curious, it's #DeepToad, a Python library for doing fuzzy hashing. This simplistic library calculates a set of 3 different hashes using a configurable block size (in opposite to, say, ssdeep, that doesn't work for this).
https://github.com/joxeankoret/deeptoad
#FuzzyHashing
#DeepToad
#Diaphora
#BinDiffing
#ProgramDiffing
#BCSA
Also, #SymbolicExecution of even small #binaries is very slow and would only, probably, help for comparing binaries for the same (or compatible) architecture. And in order to compare binaries for the same architectures you have a myriad of different, not terribly slow, ways for doing #BinDiffing.
Dear everyone in the academia (and maybe elsewhere) doing #bindiffing research: #SymbolicExecution does not work for comparing different architectures, unless you are using as input for your symbolic execution tool *decompiled code*.
If you are using assembly or using an IR (Intermediate Representation) based on assembler (like Ghidra' p-code, IDA's microcode, LLVM's IR, etc), it will inevitably produce different outputs.
Your best IR for #diffing is pseudo-code, the #decompiler's output.
One more question regarding #BinDiffing: Which binary diffing tools have you used?
One question regarding #bindiffing: Have you ever used a tool called #DeepBinDiff? I am not talking about "BinDiff" but rather about "DeepBinDiff".
@Mizu If you want more #datasets for #binary #diffing, take a look to this paper:
https://arxiv.org/abs/2011.10749
#BinaryDiffing #BinDiffing #BinaryCodeSimilarityAnlysis #BCSA
Dear everyone in the academia using "Machine Learning" for Binary Code Similarity Analysis (ie, bindiffing): AI is bad for anything that requires exact results. It will generate a huge amount of false positives mixed with a varying degree of similar results and is pretty hard to understand its output.
#bindiffing #BinaryDiffing #ProgramDiffing #MachineLearning #BCSA #ArtificialIntelligence
#Bindiffing with #Diaphora CVE-2023-28231. As explained in the linked blog from @thezdi, the vulnerability has been fixed by checking that the number of relay forward messages in "ProcessRelayForwardMessage()" is not bigger or equal than 32 (0x20), as shown in the following pseudo-code diffing:
So, let's say that we have 2 functions in binary A matching 2 functions in binary B *but* both A functions and B functions have the exact same score for the 4 matches (and the same callers and callees). This looks like a complex match to resolve, right?
So, what do you think is (apparently) the best and simplest method in #BinaryDiffing to determine which match is the appropriate one?
@themoep
Thank you very much for the explanation! That makes sense.
In case you are curious, the idea is to try to build a better matches scoring function for #BinDiffing with #Diaphora. Ie: given 2 functions in 2 binaries determine how close they are and generate a ratio.
So, with what you say, my guess is that I have to train more than anything with bad results, as most of the times such a function to score matches is going to see false matches.
What are diffing acceptable times, in your opinion, for medium to big binaries (ie, diffing 2 kernels, something like 70k functions on each database)?
#bindiffing #binarydiffing #diaphora
Client Info
Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst