Talk

Patch Different on *OS

April 26, 14:30 (CLOUD)

Binary diffing is a powerful technique for reverse engineering, vulnerability research, and malware analysis. It allows security researchers to compare two versions of a binary and identify the changes related to security patches. By doing so, they can gain insights into the root causes of the latest CVEs and patched vulnerabilities.

However, patch diffing is not equal across operating systems. Windows provides convenient access to binaries, download links, and public symbols; *OS poses several challenges. Apple has historically made its binaries less accessible, and until later versions of iOS it shipped encrypted firmware images inside the IPSW (iPhone Software) archives. Moreover, *OS security updates ship separately for each product (watchOS, tvOS, iOS, and macOS), and most system libraries are merged into the dyld_shared_cache (DSC) rather than shipped as standalone files, which complicates the diffing process.

In this talk, we will show you how to overcome these challenges and perform effective patch diffing on *OS platforms in 2024. We will demonstrate how to use open-source reverse engineering tools (such as ipsw and Ghidra) to extract and analyze IPSW files, which carry the software updates for iOS and macOS. We will also show you how to find the updated binaries, extract embedded binaries from the DSC, and use freely available binary diffing tools to compare them. Finally, we will walk you through three real-world examples of patch diffing on *OS and show how to map the binary changes to recent CVEs. From there we will identify and reverse engineer the underlying vulnerability behind each CVE.
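Finding the updated binaries is the step that trips people up: every *OS build relinks the whole cache, so a new code signature and LC_UUID appear on essentially every dylib and whole-file hashes flag everything. The script below is an added example (not code from the talk or from the ipsw project) that narrows the candidate list by parsing the Mach-O load commands of two extracted dylib trees and comparing only the `__TEXT,__text` bytes, separating "code changed" from "rebuilt but identical code". It assumes thin little-endian 64-bit Mach-O files, which is what `ipsw dyld extract` writes for arm64 caches; fat and 32-bit files are reported as `not-macho`. The `build_macho` helper only exists to construct sample fixtures inline, and `load_tree` is the hook for real directories.

```python
"""Triage which dylibs changed between two extracted DSC trees by hashing __TEXT,__text.

Added example, not code from the talk or the ipsw project. Assumes thin
little-endian 64-bit Mach-O files (fat / 32-bit files are reported as not-macho).
"""
import hashlib
import struct
import uuid as uuidlib
from pathlib import Path

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
# struct mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
MH_HEADER_FMT = "<IIIIIIII"
# struct segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize,
#                            maxprot, initprot, nsects, flags  (72 bytes)
SEGMENT_64_FMT = "<II16sQQQQiiII"
# struct section_64: sectname, segname, addr, size, offset, align, reloff, nreloc,
#                    flags, reserved1, reserved2, reserved3  (80 bytes)
SECTION_64_FMT = "<16s16sQQIIIIIIII"


def parse_macho(data: bytes):
    """Return {'uuid': str|None, 'text_sha256': str|None}, or None if not a thin 64-bit Mach-O."""
    if len(data) < 32:
        return None
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from(MH_HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        return None
    info = {"uuid": None, "text_sha256": None}
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_UUID and cmdsize >= 24:
            info["uuid"] = str(uuidlib.UUID(bytes=data[off + 8:off + 24]))
        elif cmd == LC_SEGMENT_64:
            seg = struct.unpack_from(SEGMENT_64_FMT, data, off)
            if seg[2].rstrip(b"\0") == b"__TEXT":
                sect_off = off + 72
                for _ in range(seg[9]):  # nsects
                    sect = struct.unpack_from(SECTION_64_FMT, data, sect_off)
                    size, offset = sect[3], sect[4]
                    if sect[0].rstrip(b"\0") == b"__text":
                        if offset + size > len(data):
                            raise ValueError("__text runs past end of file")
                        info["text_sha256"] = hashlib.sha256(data[offset:offset + size]).hexdigest()
                    sect_off += 80
        off += cmdsize
    return info


def diff_trees(old: dict, new: dict) -> dict:
    """Classify each relative path: added, removed, code-changed, rebuilt-only, unchanged, not-macho."""
    result = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result[name] = "added"
        elif name not in new:
            result[name] = "removed"
        else:
            o, n = parse_macho(old[name]), parse_macho(new[name])
            if o is None or n is None:
                result[name] = "not-macho"
            elif o["text_sha256"] != n["text_sha256"]:
                result[name] = "code-changed"      # worth opening in Ghidra
            elif o["uuid"] != n["uuid"]:
                result[name] = "rebuilt-only"      # new UUID/signature, identical __text: skip
            else:
                result[name] = "unchanged"
    return result


def load_tree(root: str) -> dict:
    """Read every file under root into {relative_path: bytes} (e.g. two `ipsw dyld extract` output dirs)."""
    rootp = Path(root)
    return {str(p.relative_to(rootp)): p.read_bytes() for p in rootp.rglob("*") if p.is_file()}


def build_macho(code: bytes, file_uuid: bytes) -> bytes:
    """Constructed fixture: minimal arm64 MH_DYLIB with LC_UUID and one __TEXT,__text section."""
    sizeofcmds = 24 + 72 + 80
    text_off = 32 + sizeofcmds
    header = struct.pack(MH_HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 6, 2, sizeofcmds, 0, 0)
    lc_uuid = struct.pack("<II", LC_UUID, 24) + file_uuid
    seg = struct.pack(SEGMENT_64_FMT, LC_SEGMENT_64, 72 + 80, b"__TEXT", 0, text_off + len(code),
                      0, text_off + len(code), 5, 5, 1, 0)
    sect = struct.pack(SECTION_64_FMT, b"__text", b"__TEXT", text_off, len(code), text_off,
                       2, 0, 0, 0x80000400, 0, 0, 0)
    return header + lc_uuid + seg + sect + code


def demo() -> dict:
    """Run the triage over two constructed sample trees (no real IPSW needed)."""
    old = {"usr/lib/libA.dylib": build_macho(b"\x01\x02\x03", b"A" * 16),
           "usr/lib/libB.dylib": build_macho(b"\x10\x11", b"B" * 16),
           "usr/lib/libC.dylib": build_macho(b"\x20", b"C" * 16),
           "usr/lib/notes.txt": b"not a binary"}
    new = {"usr/lib/libA.dylib": build_macho(b"\x01\x02\x03", b"A" * 16),
           "usr/lib/libB.dylib": build_macho(b"\x10\x12", b"D" * 16),   # patched code
           "usr/lib/libC.dylib": build_macho(b"\x20", b"E" * 16),       # relinked, same code
           "usr/lib/notes.txt": b"not a binary",
           "usr/lib/libNew.dylib": build_macho(b"\x30", b"F" * 16)}
    return diff_trees(old, new)


if __name__ == "__main__":
    for path, status in demo().items():
        print("%-14s %s" % (status, path))
```

On real caches this is a first-pass filter, not a verdict: `__text` also shifts when the cache layout moves branch targets and stubs, so a "code-changed" result still has to be confirmed with a function-level diff in Ghidra, and a "rebuilt-only" result is safe to deprioritise.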

This talk will not only teach you the skills and tools for patch diffing on modern *OS platforms, but also encourage you to explore the untapped potential of this technique for discovering new vulnerabilities and understanding the Apple security ecosystem. You will learn what makes patch diffing on *OS different and challenging, and how to overcome those obstacles with open-source tools and methods.

Speaker

John McIntosh

John McIntosh ([@clearbluejar](https://twitter.com/clearbluejar)) is a security researcher at [@clearseclabs](https://www.clearseclabs.com/). He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security tools and blogs regularly about his research projects and experiments with Ghidra and patch diffing. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security researchers.
