John McIntosh - ghidriff

Presented on Friday 15th September 2023 at 44CON 2023 This talk presents ghidriff, a new open-source Python package that offers a command line binary diffing capability leveraging the power of Ghidra with a fresh take on the standard patch diffing workflow. As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis as they identify added, deleted, and modified functions between two binaries. Matching functions across binaries is a challenging and asymmetric problem because of complex function relationships and the many changes that can occur after a simple change is introduced into the source of a binary. ghidriff overcomes this challenge by offering the latest function matching heuristics while also providing the user the ability to write custom function correlation classes. Like other binary diffing solutions, the tool stands on the shoulders of giants (SRE tooling) to interpret a binary and provide a consistent and reliable approach to binary diffing. Unlike other tools, ghidriff offers a command line experience, simplifying the entire patch diffing workflow to only a single step, significantly reducing analysis time. Additionally, the results of the diff are rendered as beautiful markdown files that can be shared and hosted almost anywhere. ghidriff is the tool security researchers need to quickly understand the latest patched vulnerabilities and easily share their next vulnerability writeup with the security community. John McIntosh: A security researcher in Canada who is passionate about learning and sharing knowledge on various aspects of information security. He has a keen interest in binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security and InfoSec tools and also blogs regularly about his research projects and experiments with Ghidra and Jupyter Notebooks. He has presented his previous work at events such as InfoSec Jupyterthon 2022 and REcon 2023. You can follow him on Twitter [@clearbluejar] or visit his website[https://clearbluejar.github.io/]