It's easy enough to see the differences between two similar source files with diff, but a line-oriented text diff is useless on compiled binaries: recompiling after a small change shifts addresses and reorders code throughout the file. When security researchers want to compare malware samples or patched executables, they need a binary comparison tool such as BinDiff. By making BinDiff available free of charge, Google puts a valuable reverse engineering tool in the hands of more security researchers and engineers.
BinDiff compares the disassembled code of two binaries, matching functions by the structure of their control-flow and call graphs rather than byte for byte, which is what lets it pair up code that has been recompiled or relocated, much as diff pairs up lines in text files. It lets engineers see at a glance which functions have been modified and whether two files share code. Security researchers and engineers typically use BinDiff to analyze malware variants and group them into families based on common code.
"We have been committed to keeping our most valuable tools available to the security research community," Christian Blichmann, a Google software engineer, wrote on the Google Security Blog.
Researchers and engineers can now download BinDiff 4.2 for both Linux and Windows free of charge from the Zynamics website. BinDiff is a plug-in for IDA Pro, the multi-processor disassembler and debugger from Hex-Rays, so it requires a copy of IDA Pro 6.8 or later (a commercial product) to run.
Google scooped up BinDiff, along with the other reverse engineering tools BinNavi, VxClass, BinCrowd, and PDF Dissector, as part of its Zynamics acquisition back in 2011. Since then, Google has been using the BinDiff core engine to power a large-scale malware processing pipeline that protects both internal and external users. Of the Zynamics tools, BinNavi was released as open source in 2015, and BinDiff now joins it as a free download.
BinDiff can compare binaries for x86, MIPS, ARM/AArch64, PowerPC, and other architectures. Code theft and patent infringement remain a big problem, and BinDiff can help identify cases by finding the functions a suspect binary shares with a reference binary. More generally, it identifies identical and similar functions across multiple binaries and detects and highlights what changed between two variants of the same function.
Security researchers also use BinDiff to analyze software updates and security patches to see exactly what was changed and how a vulnerability was fixed. By the same token, attackers can diff a patched binary against the unpatched one to locate the flaw and build an exploit that works against systems that have not yet applied the patch. BinDiff, like any other software, can be used for both good and bad.
Engineers can port function names, comments, and local variable names from one disassembly to another, carrying the results of earlier analysis across to a new sample instead of starting from scratch each time. That matters most when working through a large set of related malware samples, where most of the code is shared with variants that have already been analyzed.
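To make the three ideas above concrete (structural rather than byte-level function matching, spotting what a patch changed, and porting names from an analyzed binary to a fresh one), here is a deliberately small Python model of the approach. It is an added example written for this page, not BinDiff's code, and it is far simpler than BinDiff's real algorithms (no call-graph matching, no MD-index). The two "disassemblies" are constructed by hand, the function names and addresses are invented, and the 0.5 similarity cut-off is an assumed tuning value.

```python
"""Toy function matcher in the spirit of BinDiff: pair functions across two
disassemblies by normalized instructions and control-flow structure rather than
raw bytes or addresses, report which matched functions changed, and port analyst
names across. Added example on constructed data; not BinDiff's own code."""
from collections import Counter

# Constructed disassembly of two builds of one program (assumed, not real binaries).
# A function is {"name": str, "blocks": {id: [mnemonic, ...]}, "edges": [(src, dst)]}.
PRIMARY = {  # build already analysed, names assigned by the analyst
    0x401000: {"name": "parse_header",
               "blocks": {0: ["push", "mov", "cmp", "jne"], 1: ["call", "jmp"], 2: ["xor", "ret"]},
               "edges": [(0, 1), (0, 2), (1, 2)]},
    0x401040: {"name": "copy_payload",  # unchecked memcpy wrapper
               "blocks": {0: ["push", "mov", "mov"], 1: ["call", "ret"]},
               "edges": [(0, 1)]},
    0x401080: {"name": "main",
               "blocks": {0: ["push", "call", "call", "test", "jz"], 1: ["mov", "call"], 2: ["pop", "ret"]},
               "edges": [(0, 1), (0, 2), (1, 2)]},
}
SECONDARY = {  # patched build, fresh disassembly with auto-generated names only
    0x402000: {"name": "sub_402000",  # parse_header, untouched but relocated
               "blocks": {0: ["push", "mov", "cmp", "jne"], 1: ["call", "jmp"], 2: ["xor", "ret"]},
               "edges": [(0, 1), (0, 2), (1, 2)]},
    0x402040: {"name": "sub_402040",  # copy_payload with a length check added
               "blocks": {0: ["cmp", "ja"], 1: ["push", "mov", "mov"], 2: ["call", "ret"], 3: ["xor", "ret"]},
               "edges": [(0, 1), (0, 3), (1, 2)]},
    0x402090: {"name": "sub_402090",  # main recompiled: "test" became "cmp"
               "blocks": {0: ["push", "call", "call", "cmp", "jz"], 1: ["mov", "call"], 2: ["pop", "ret"]},
               "edges": [(0, 1), (0, 2), (1, 2)]},
    0x402100: {"name": "sub_402100",  # brand-new error path, no counterpart
               "blocks": {0: ["push", "call", "pop", "ret"]}, "edges": []},
}

def block_set(fn):
    """Basic blocks as mnemonic tuples: independent of load address and operands."""
    return {tuple(insns) for insns in fn["blocks"].values()}

def instruction_hash(fn):
    """Exact-match key: the ordered mnemonic stream of the whole function."""
    return tuple(tuple(fn["blocks"][b]) for b in sorted(fn["blocks"]))

def structural_signature(fn):
    """Coarse CFG fingerprint (#blocks, #edges, #calls); survives small edits."""
    return (len(fn["blocks"]), len(fn["edges"]), sum(i.count("call") for i in fn["blocks"].values()))

def similarity(a, b):
    """Jaccard similarity of the two functions' basic-block sets."""
    sa, sb = block_set(a), block_set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def match_functions(primary, secondary, threshold=0.5):
    """Return {primary_addr: (secondary_addr, similarity)} in three passes: exact
    instruction hash, unique structural signature, then best similarity >= threshold."""
    matches, free_p, free_s = {}, set(primary), set(secondary)
    def pair_unique(keyfunc):  # pair only keys occurring exactly once per side
        keys_p = {a: keyfunc(primary[a]) for a in free_p}
        keys_s = {a: keyfunc(secondary[a]) for a in free_s}
        count_p, count_s = Counter(keys_p.values()), Counter(keys_s.values())
        for p, key in keys_p.items():
            if count_p[key] == 1 and count_s[key] == 1:
                s = next(a for a, k in keys_s.items() if k == key)
                matches[p] = (s, similarity(primary[p], secondary[s]))
                free_p.discard(p)
                free_s.discard(s)

    pair_unique(instruction_hash)      # pass 1: identical instruction stream
    pair_unique(structural_signature)  # pass 2: same shape, edited instructions
    for p in sorted(free_p):           # pass 3: fuzzy, best remaining candidate
        best = max(((similarity(primary[p], secondary[s]), s) for s in free_s),
                   default=(0.0, None))
        if best[1] is not None and best[0] >= threshold:  # assumed cut-off
            matches[p] = (best[1], best[0])
            free_s.discard(best[1])
    return matches

def changed_blocks(a, b):
    """Blocks present on only one side of a matched pair: (removed, added)."""
    sa, sb = block_set(a), block_set(b)
    return sorted(sa - sb), sorted(sb - sa)

def port_names(primary, secondary, matches):
    """Names for every secondary function, analyst names where a match exists."""
    names = {addr: fn["name"] for addr, fn in secondary.items()}
    for p, (s, _) in matches.items():
        names[s] = primary[p]["name"]
    return names

def report(primary, secondary):
    matches = match_functions(primary, secondary)
    names = port_names(primary, secondary, matches)
    out = []
    for p, (s, sim) in sorted(matches.items()):
        removed, added = changed_blocks(primary[p], secondary[s])
        out.append(f"{p:#x} {primary[p]['name']} -> {s:#x} {names[s]}: "
                   f"{'identical' if sim == 1.0 else f'changed, similarity {sim:.2f}'}")
        out += [f"    {sign} {' '.join(b)}" for sign, blocks in (("-", removed), ("+", added)) for b in blocks]
    for s in sorted(set(secondary) - {s for s, _ in matches.values()}):
        out.append(f"{s:#x} {names[s]}: only in secondary (new code)")
    return out

if __name__ == "__main__":
    print("\n".join(report(PRIMARY, SECONDARY)))
```

Run stand-alone, the report pairs parse_header with its relocated copy as identical, pairs main with its recompiled copy through the structural pass even though the instruction stream differs, and pairs copy_payload with the patched version through the fuzzy pass, listing the two added blocks (the "cmp ja" length check and its error exit) that make up the fix; the new error-path function is reported as code with no counterpart. The ported names mean the patched build can be read with the analyst's labels in place. Real BinDiff does the same job on IDA's disassembly with far stronger matching heuristics, but the shape of the output, matched pairs with a similarity score and per-function change lists, is the same.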
"BinDiff provides the underlying comparison results needed to cluster the world's malware into related families with billions of comparisons performed so far," Blichmann wrote.