Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild

Conference: BlackHat USA 2020

The presentation discusses the process of reverse engineering vulnerabilities and shares case studies to demonstrate different techniques and approaches.

  • The presentation covers four categories of techniques for reverse engineering vulnerabilities
  • The speaker shares case studies of different approaches to reverse engineering vulnerabilities, including analyzing patches and descriptions of exploits
  • The importance of in-depth knowledge of the target and exploit depth is emphasized
  • The speaker encourages sharing of techniques and innovation in the reverse engineering process

The speaker shares a story of how getting one more detail allowed them to identify a vulnerability with a high level of confidence, highlighting the importance of challenging assumptions and having a precise understanding of the vulnerability.


Over the past 12 months, Project Zero has analyzed eleven 0-day vulnerabilities that were exploited in the wild. One of the very important parts of these analyses is to do a root cause analysis on the vulnerability that is being exploited. To identify the root cause vulnerability, we've employed a variety of techniques to varying degrees of success: binary patch diffing, putting the exploit sample into a test case minimizer, source code patch diffing, manually reverse engineering the exploit, and "bug hunting" based on known details of the exploit. Rather than discussing these exploited vulnerabilities in detail, this talk will instead cover the reverse engineering techniques used to determine the vulnerability in the first place. For these 11 different 0-days, we used five different techniques to determine their root cause. This talk will detail the factors that go into deciding when each technique is used, how we used the technique, and lessons learned from when it's been successful and when it hasn't.

Each technique will include case studies across a variety of platforms: from OS kernels, to JavaScript engines, to apps, and more. This allows us to see similarities and differences in the reverse engineering techniques across targets. For each case study, we'll show a walkthrough of how the reversing technique allowed us to determine the vulnerability (or not), and discuss what we might do differently next time. This talk will be a detailed tour of reverse engineering a variety of vulnerabilities that were exploited in the wild, all in less than an hour.