| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jan 2010 15:51:02 +0100
From: Dan Kaminsky <dan@...para.com>
To: T Biehn <tbiehn@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com, Joxean Koret <joxeankoret@...oo.es>
Subject: Re: [Tool] DeepToad 1.1.0
I looked into a fair amount of this sort of normalization back when I was
playing with dotplots. The idea was to upgrade from simple Levenshtein
string comparison (with no knowledge of variable length x86 instructions,
pointers that shift from compile to compile, etc) to something with at least
some domain specific knowledge. What I found, somewhat surprisingly, was
that dumb string comparison was more than enough. In fact, when I compared
pre-patch and post-patch builds, it was easy to directly see when content
was added, removed, shifted in location, etc. Joxean's going to have much
the same result -- as basic as his similarity metric is, he'll get the broad
strokes just fine.
Ultimately the best approach is to build a graph of how functions interact
and measure graph isomorphism, but of course Halvar figured that out years
ago :)
On Tue, Jan 5, 2010 at 3:41 PM, T Biehn <tbiehn@...il.com> wrote:
> Hmm,
> Wouldn't it be more useful to the sec community to have a algorithm
> that abstracts at the -interpreted- content level? That is when
> analyzing binaries I wouldn't think that this would classify two with
> near identical functionality together, even though it is removing a
> significant chunk of information during the hash pass.
>
> I would largely assume that your algorithm, as is, works best on
> uncompressed bitmaps. Is there something I'm missing?
>
> -Travis
>
> On Sun, Jan 3, 2010 at 6:37 AM, Joxean Koret <joxeankoret@...oo.es> wrote:
> > Hi all,
> >
> > I'm happy to announce the very first public release of the open source
> > project DeepToad, a tool for computing fuzzy hashes from files.
> >
> > DeepToad can generate signatures, clusterize files and/or directories
> > and compare them. It's inspired in the very good tool ssdeep [1] and, in
> > fact, both projects are very similar.
> >
> > The complete project is written in pure python and is distributed under
> > the LGPL license [2].
> >
> > Links:
> > Project's Web Page http://code.google.com/p/deeptoad/
> > Download Web Page http://code.google.com/p/deeptoad/downloads/list
> > Wiki http://code.google.com/p/deeptoad/w/list
> >
> > References:
> > [1] http://ssdeep.sourceforge.net/
> > [2] http://www.gnu.org/licenses/lgpl.html
> >
> > Regards && Happy new year!
> > Joxean Koret
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists