How 0patch accelerates vulnerability analysis with esReven

0patch's mission is to enable customers to protect their Microsoft Windows systems by delivering miniature code patches ("micropatches") blocking 0-day or N-day vulnerabilities in Windows OS or various Windows applications.

Their customers deploy these in-memory patches to protect their systems immediately, without waiting for a vendor patch, which may not even be available for a long period of time or which may require a computer update and restart that could disrupt production.

Moreover, 0patch protects older software that original vendors do not support anymore.

0patch chose to accelerate the analysis of vulnerability root cause, deepen their understanding of the black-box systems they face, and identify potential side effects of their patches.

How the 0patch analysis team works

To accomplish their mission, the 0patch team must quickly acquire a clear understanding of the vulnerability at hand, write a patch for it, and test all its execution paths. They start with an exploit or a proof-of-concept to trigger the vulnerability, and then work backwards to find the root cause. This is generally a hard problem, as various system monitors provide very limited information while debuggers execute code in the direction of the future, not the past. Even though time-travel debugging has lately become available, tracking the root cause often transcends process boundaries, which is an insurmountable obstacle for debuggers.

The team regularly employs esReven for finding execution path or data flow back from an observable symptom - such as process crash - to the vulnerable code that needs to be corrected with a micropatch. In this, esReven helps them especially in situations where the bug is complex and involves many moving pieces.

From that point on, they look at how they can develop a patch that will block any attack while not changing the normal behavior of the software or introducing any other issues. They must get a good understanding of the product they are patching, even though it is an undocumented black box. In this, esReven provides them with extensive insight, notably because it allows them to observe the entire system.

To protect their customers, they must do all this as quickly as possible, and out-run the potential threats. In this, esReven's advanced features such as the taint analysis allows them to take shortcuts & narrow down the perimeter of their analysis quickly.

When esReven comes into play

With simple software and a simple bug, the analysis team will use their regular tool set like IDA Pro and WinDbg. However, there are plenty of cases where the analysis becomes too complicated or requires too much time. That's exactly when they turn to.

The situations that trigger the usage of esReven's analysis integrated in esReverse often have one of the following characteristics:

• Multiple threads or multiple processes with Interprocess communication (IPC), - Low level Windows kernel issues,
• Type confusion issues, double free issues involving garbage collectors, logical vulnerabilities etc.

What 0patch loves about esReven

At the end of the day, 0patch loves that esReven enables them to do their work much more efficiently and to quickly provide patches to their customers. However, we asked them to be more specific and to rank their 3 favorite esReven features. They listed:

• Number One: esReven Full System Timeless Analysis

Why: Being able to move back in time, starting from a point of interest then following back a path saves a lot of time as it avoids lot of debugging sessions.The full system is also key as soon as there are inter-process communication (IPC), multiple-threads, or the path goes into or through the Windows kernel.

• Number Two: esReven Data Tainting

Why: it enables them to get to the root cause very quickly in most cases regardless of the complexity of the underlying issue or software. With esReven Taint, you just jump back in time following the path of the data you are interested in. Going over thousands of instructions that are irrelevant to the problem you focus on to get precisely to the point you are looking for is just magic.

• Number Three: literally every other feature

Why: depending on the nature of the bug or the execution flow it produces, they find various esReven's features useful and it is too difficult to choose. Sometimes it is the Memory History, other times the Call Tree or the integration with static analysers like IDA, etc.

The final word goes to 0patch co-founder, Mitja Kolsek:

"Our customers often tell us that our product, with instant in-memory patching of running applications, feels somewhat like magic. Similarly, even after years of regular use, esReven (previously Reven) feels somewhat like magic to us. Sure, we understand how it works, but its capabilities are on a whole different level compared to any other tools we know and it's continually saving us valuable hours and days where time is critical."

More on 0patch

0patch delivers miniature patches of code ("micropatches") to computers worldwide in order to fix software vulnerabilities in various, even closed source products. With , there are no reboots or downtime when patching and no fear that a huge official update will break production. Corporate users and administrators appreciate the lightness and simplicity of 0patch, as it is shortening the patch deployment time from months to just hours. Reviewing tiny micro patches is inexpensive, and the ability to instantly apply and remove them locally or remotely significantly simplifies production testing.