CVE North Stars

Leveraging CVEs as North Stars in vulnerability discovery and comprehension.

About

• CVE North Stars Tutorial: https://cve-north-stars.github.io
• Blog Post: https://clearbluejar.github.io/posts/cve-north-stars/

CVE North Stars introduces a method to kickstart vulnerability research by taking advantage of the CVE information freely available (ie public blog posts, Github POCs, CVE Mitre database, etc). A CVE provides a compass of sorts that orients and guides a researcher towards a deeper understanding of the patched vulnerability and its vulnerability class. The idea is to treat CVEs as North Stars in vulnerability discovery and comprehension.

This short tutorial walks through practical CVE analysis, binary patch diffing, and root cause analysis. While these techniques for vulnerability research aren't new, this tutorial offers concise collection of practical examples and ideas for leveraging CVEs to get started in your vulnerability research.

Key Objectives

• Learn a practical method to focus on a set of CVEs to discover and generalize a vulnerability class or CWE - Common Weakness Enumeration via CVE analysis.
• Gain familiarity with the Microsoft Windows update process
• Improve Reverse Engineering and use of open source tools (Ghidra, symchk, patch-diff-correlator, etc.)
• Experience Patch Diffing With Ghidra
• Introduction to Root Cause Analysis

Versions

Originally hosted in github (v1.0.0), with recent upgrade to a Just-the-docs Jekyll template v2.0.0

• v1.0.0 - Github version
• v2.0.0 - Just the Docs version

Table of Contents

• CVE-Research
  • Identify platform
  • Identify CVE(s)
  • Seeking Patterns
• CVE-analysis
  • The Ideal Process
  • Template-for-CVE-analysis
  • Example CVE Analysis
  • Seeking Patterns
• Security-Patches
  • Platform Security Updates
  • Finding the relevant patch
  • Finding the binaries to compare
• Environment-Setup-and-Tooling
  • Binary Diffing Tools
• Patch-Diffing
  • Benefits
  • Feasibility
  • Tools
• Ghidra-Patch-Diffing
  • Patch Diffing With Ghidra
  • Version Tracker Workflow
• Patch-Diffing-Applied
  • CVE-2020-1048
  • CVE-2020-1337
  • CVE-2020-17001
• Root-Cause-Analysis
  • Treating the Symptom Rather Than the Cause
  • Formal Process
  • Practical Example
• Conclusion
  • CVE Analysis in the Light
  • Patch Diff in the Dark
  • Discovery

---

_{Photo by Faik Akmd from Pexels}