Over the past 12 months, Project Zero has analyzed eleven 0-day vulnerabilities that were exploited in the wild. A critical part of each of these analyses is a root cause analysis of the vulnerability being exploited. To identify the root cause vulnerability, we've employed a variety of techniques with varying degrees of success: binary patch diffing, putting the exploit sample into a test case minimizer, source code patch diffing, manually reverse engineering the exploit, and "bug hunting" based on known details of the exploit. Rather than discussing these exploited vulnerabilities in detail, this talk will instead cover the reverse engineering techniques used to determine the vulnerability in the first place. For these eleven 0-days, we used five different techniques to determine their root cause. This talk will detail the factors that determine when each technique is used, how we used each technique, and the lessons learned from when it has been successful and when it hasn't.
Each technique will include case studies across a variety of platforms: from OS kernels, to JavaScript engines, to apps, and more. This allows us to see the similarities and differences in reverse engineering techniques across targets. For each case study, we'll walk through how the reversing technique allowed us to determine the vulnerability (or not), and discuss what we might do differently next time. This talk will be a detailed tour of reverse engineering a variety of vulnerabilities that were exploited in the wild, all in less than an hour.