Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 1:30 p.m. (40 minutes)

Over the past 12 months, Project Zero has analyzed eleven 0-day vulnerabilities that were exploited in the wild. One of the most important parts of these analyses is a root cause analysis of the vulnerability being exploited. To identify the root cause vulnerability, we've employed a variety of techniques with varying degrees of success: binary patch diffing, putting the exploit sample into a test case minimizer, source code patch diffing, manually reverse engineering the exploit, and "bug hunting" based on known details of the exploit. Rather than discussing these exploited vulnerabilities in detail, this talk will instead cover the reverse engineering techniques used to determine the vulnerability in the first place. For these 11 different 0-days, we used five different techniques to determine their root cause. This talk will detail the factors that go into deciding when each technique is used, how we used the technique, and lessons learned from when it's been successful and when it hasn't.

Each technique will include case studies across a variety of platforms: from OS kernels, to JavaScript engines, to apps, and more. This allows us to see similarities and differences in the reverse engineering techniques across targets. For each case study, we'll show a walkthrough of how the reversing technique allowed us to determine the vulnerability (or not), and discuss what we might do differently next time. This talk will be a detailed tour of reverse engineering a variety of vulnerabilities that were exploited in the wild, all in less than an hour.

Presenters:

  • Maddie Stone - Security Researcher, Google
    Maddie Stone (@maddiestone) is a Security Researcher on Google Project Zero, where she focuses on 0-days used in the wild. Previously, she was a reverse engineer and team lead on the Android Security team, focusing predominantly on pre-installed and off-Google Play malware. Maddie also spent many years deep in the circuitry and firmware of embedded devices, including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavors of Renesas, and more. Maddie has previously spoken at conferences including Black Hat USA, REcon, OffensiveCon, KasperskySAS, and others. She holds a Bachelor of Science with a double major in Computer Science and Russian, and a Master of Science in Computer Science from Johns Hopkins University.