BinDiff is a constant presence in a security researcher’s toolbox, ideal for patch analysis, malware analysis and reverse engineering. The Google-owned plug-in lets researchers compare two binary files side by side at the disassembly level, looking for the differences between the samples.
Until last week, BinDiff came with a price, but on Friday Google announced that it was making the plug-in available for free. Researchers still have to purchase the Hex-Rays IDA Pro disassembler, version 6.8 or later, to use the plug-in, however.
Nonetheless, researchers are quick to applaud the fact that Google has removed a barrier to entry for advanced analysis.
“BinDiff is an invaluable tool for security researchers, allowing one to rapidly see what’s different between programs,” said Mark Dufresne, director of malware research and threat intelligence at Endgame. “With polymorphism becoming increasingly common and the rate of change in malicious software accelerating, BinDiff’s abilities to help researchers cluster new samples to known malware families and isolate new behaviors in malware are both critical.
“Further, BinDiff allows for analysis of the correctness of patches by showing exactly what’s been changed to fix a security hole,” Dufresne said.
Google acquired BinDiff via its purchase of zynamics in 2011. It’s been invaluable to security research teams in the comparison of binary files on a number of architectures, including x86, MIPS, ARM/AArch64 and PowerPC. Google said that the core BinDiff engine also powers its internal malware processing pipeline.
“BinDiff provides the underlying comparison results needed to cluster the world’s malware into related families with billions of comparisons performed so far,” Google software engineer Christian Blichmann wrote on Friday.
Zscaler head of security research Deepen Desai said that now that BinDiff is free, it will help both application security work and malware coverage.
“The graphical view provided by BinDiff makes it easier to spot the similarities as well as differences in the disassembled code. This tool can be used for identifying new vulnerabilities as well as verifying vulnerability fixes by comparing the vendor patches with the original file,” Desai said. “Another popular use of this tool, as Google highlights, is to help automated malware analysis frameworks, aiding in quick signature coverage in addition to analysis.”
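As an added illustration of the patch-verification use that Desai describes (this is example code written for this page, not code from the article, from Google or from BinDiff itself), the Python script below compares a constructed "before" and "after" disassembly listing of one function. It shows why a plain text diff of the two listings is nearly useless, since every address after an inserted instruction shifts and every call or jump target moves, and how normalizing concrete addresses away isolates the added bounds check. The listings, the addresses in them and the "six or more hex digits means an address" heuristic are all assumptions made for the demo; BinDiff itself matches functions and basic blocks on control-flow-graph structure rather than on text.

```python
"""Toy patch diff over two constructed disassembly listings (illustration only)."""
import difflib
import re

# Constructed sample: the same function before and after a fix that adds a
# length check before the call. Addresses are hand-assigned for the demo.
ORIGINAL = """\
0x401000: push rbp
0x401001: mov rbp, rsp
0x401004: mov rdi, [rbp+0x10]
0x401008: mov rsi, [rbp+0x18]
0x40100c: mov edx, [rbp+0x20]
0x40100f: call 0x401200
0x401014: pop rbp
0x401015: ret
"""

PATCHED = """\
0x401000: push rbp
0x401001: mov rbp, rsp
0x401004: mov rdi, [rbp+0x10]
0x401008: mov rsi, [rbp+0x18]
0x40100c: mov edx, [rbp+0x20]
0x40100f: cmp edx, 0x100
0x401015: ja 0x40101e
0x401017: call 0x401240
0x40101c: pop rbp
0x40101d: ret
0x40101e: mov eax, 0x16
0x401023: pop rbp
0x401024: ret
"""

LINE_RE = re.compile(r"^0x([0-9a-f]+):\s*(.*)$")
# Assumed heuristic: 6+ hex digits is a code/data address and gets masked;
# short immediates and stack displacements carry meaning and are kept.
ADDRLIKE_RE = re.compile(r"0x[0-9a-f]{6,}")


def parse_listing(text):
    """Turn 'addr: instruction' lines into (address, instruction) pairs."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        out.append((int(m.group(1), 16), m.group(2)))
    return out


def normalize(instr):
    """Mask concrete code addresses so relocation shifts do not read as changes."""
    return ADDRLIKE_RE.sub("ADDR", instr)


def changed_indices(a, b):
    """Indices of lines in b that difflib could not pair with an equal line in a."""
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    idx = []
    for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            idx.extend(range(j1, j2))
    return idx


def diff_functions(original_text, patched_text):
    """Compare raw listings and normalized listings; return what each flags as new."""
    orig = parse_listing(original_text)
    patched = parse_listing(patched_text)
    raw_a = [f"{a:#x}: {i}" for a, i in orig]
    raw_b = [f"{a:#x}: {i}" for a, i in patched]
    norm_a = [normalize(i) for _, i in orig]
    norm_b = [normalize(i) for _, i in patched]
    raw = [raw_b[j] for j in changed_indices(raw_a, raw_b)]
    # Report the patched-binary address alongside each normalized new instruction.
    normalized = [(patched[j][0], norm_b[j]) for j in changed_indices(norm_a, norm_b)]
    return {"raw_changed": raw, "normalized_changed": normalized}


if __name__ == "__main__":
    result = diff_functions(ORIGINAL, PATCHED)
    print(f"raw text diff flags {len(result['raw_changed'])} lines (address shifts dominate)")
    print(f"normalized diff flags {len(result['normalized_changed'])} lines:")
    for addr, instr in result["normalized_changed"]:
        print(f"  {addr:#x}: {instr}")
```

On the constructed input the raw diff flags every line from the insertion point onward, while the normalized diff narrows the change to the new `cmp`/`ja` pair at 0x40100f and the error-return block it jumps to. The duplicated `pop rbp`/`ret` epilogue of that error block is still reported as new because difflib works on a linear sequence; a graph-based matcher such as BinDiff would pair basic blocks rather than lines, which is exactly why it is used for this job instead of a text diff.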