Towards Patch Detection using Binary Only Semantic Signatures

Abstract

Detecting whether a piece of software is patched against a known 1-day vulnerability is crucial to assess a system's exposure. Indeed, because of the patch propagation delay or discontinued support, recurrent security patches are insufficient to prevent these vulnerabilities. The Firmware Matching Problem (FMP) asks whether a patch has been applied to a complete system. In this paper, we detail a generic strategy to solve it and implement it in QSig, an automated binary patch detection solution based on semantic signatures. To face the challenges raised by this problem, QSig automatically generates a semantic signature by extracting the difference between the vulnerable and the fixed version of the binary. Built to streamline patch detection on filesystems, QSig uses a robust matching algorithm to scan target binaries. We demonstrate QSig's versatility and the pertinence of our approach by conducting several experiments in different contexts: a cross-architecture matching on smartphone images (Pixel 4) to emphasize our semantic signatures, a Debian live image to highlight its efficiency, and a comparison against a hybrid solution.
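To make the "diff the vulnerable and fixed versions, then match the target" idea concrete, here is an added illustration in Python. It is not QSig's code or algorithm: the feature encoding (functions modelled as lists of architecture-neutral features such as call targets, compared constants and branch kinds), the per-feature voting score and the threshold are all assumptions chosen for the example, and the sample binaries are constructed inline.

```python
from collections import Counter

# Constructed sample: the same function as seen in the vulnerable build, the fixed
# build, and in a few target builds from a filesystem. Features are deliberately
# normalised (e.g. "branch:unsigned_gt" instead of x86 "ja" or ARM "bhi") so that a
# cross-architecture build of the same source yields the same feature set.
VULNERABLE = ["call:strlen", "call:malloc", "call:memcpy", "ret"]
FIXED = ["call:strlen", "cmp:const:0x400", "branch:unsigned_gt",
         "call:malloc", "call:memcpy", "ret"]

FILESYSTEM = {  # constructed target binaries: path -> extracted features
    "/system/lib64/libparse.so":  # patched ARM build, with an extra call from inlining
        ["call:strlen", "cmp:const:0x400", "branch:unsigned_gt",
         "call:malloc", "call:memcpy", "call:free", "ret"],
    "/vendor/bin/oldtool":        # unpatched build
        ["call:strlen", "call:malloc", "call:memcpy", "ret"],
    "/opt/partial":               # constant present but no bounding branch
        ["call:strlen", "cmp:const:0x400", "call:malloc", "call:memcpy", "ret"],
}


def build_signature(vulnerable, fixed):
    """Signature = only the features whose multiplicity the fix changed.

    Each entry maps a feature to (count_in_vulnerable, count_in_fixed); features
    common to both versions are dropped so the signature describes the patch,
    not the whole function (hypothetical encoding, not QSig's).
    """
    v, f = Counter(vulnerable), Counter(fixed)
    return {feat: (v[feat], f[feat]) for feat in set(v) | set(f) if v[feat] != f[feat]}


def classify(signature, target, threshold=0.75):
    """Vote per signature feature: is the target's count closer to fixed or vulnerable?

    Returns (verdict, ratio). Tolerating a few non-matching features is what
    keeps the check robust to compiler noise (extra calls, reordering).
    """
    t = Counter(target)
    votes_patched = sum(
        1 for feat, (vc, fc) in signature.items() if abs(t[feat] - fc) < abs(t[feat] - vc)
    )
    ratio = votes_patched / len(signature)
    if ratio >= threshold:
        return "patched", ratio
    if ratio <= 1 - threshold:
        return "vulnerable", ratio
    return "unknown", ratio


def scan_filesystem(signature, filesystem):
    """Apply one signature to every binary of a filesystem image: path -> verdict."""
    return {path: classify(signature, feats)[0] for path, feats in filesystem.items()}


if __name__ == "__main__":
    sig = build_signature(VULNERABLE, FIXED)
    print("signature:", sig)
    for path, verdict in scan_filesystem(sig, FILESYSTEM).items():
        print(f"{path}: {verdict}")
```

The "unknown" verdict is deliberate: when a target shows only part of the patch, a detector should report low confidence rather than guess, since a false "patched" result hides exposure.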

Publication
HAL
Alexis Challande
Security Engineer

Security Engineer and Doctor in Cybersecurity