Structural comparison of executable objects
ISSN der Zeitschrift
Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004
Regular Research Papers
Gesellschaft für Informatik e.V.
A method to heuristically construct an isomorphism between the sets of functions in two similar but differing versions of the same executable file is presented. Such an isomorphism has multiple practical applications, specifically the ability to detect programmatic changes between the two executable versions. Moreover, information (function names) which is available for one of the two versions can also be made available for the other . A framework implementing the described methods is presented, along with empirical data about its performance when used to analyze patches to recent security vulnerabilities. As a more practical example, a security update which fixes a critical vulnerability in an H.323 parsing component is analyzed, the relevant vulnerability extracted and the implications of the vulnerability and the fix discussed.