AutoPiff Integration
Using AutoPiff's automated patch diffing pipeline with KernelSight.
Overview
AutoPiff is an automated Windows kernel driver patch diffing pipeline that:
- Monitors WinBIndex and VirusTotal for new driver builds
- Downloads vulnerable and fixed driver pairs
- Decompiles with Ghidra and diffs function-level changes
- Applies semantic rules to classify patch patterns
- Performs reachability analysis to prioritize user-accessible changes
- Scores and ranks findings
Rule Mapping
AutoPiff's semantic rules map directly to KernelSight techniques. See index/autopiff_rule_map.yaml for the complete mapping.
Detection Categories
| AutoPiff Category | KernelSight Technique |
|---|---|
| bounds_check | Buffer Overflow |
| lifetime_fix | Use-After-Free |
| user_boundary_check | Arbitrary R/W Primitives |
| int_overflow | Integer Overflow |
| race_condition | Race Conditions |
| type_confusion | Type Confusion |
| authorization | Logic Bugs |
| info_disclosure | Uninitialized Memory |
| ioctl_hardening | IOCTL Handlers |
| mdl_handling | MDL Mapping |
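To make the diff, classify and map flow concrete for patch triage, the sketch below is an added example, not AutoPiff's or KernelSight's own code. The regex patterns, function names and decompiled snippets are assumptions constructed for illustration; only the category and technique names come from the table above.

```python
import difflib
import re

# Category -> KernelSight technique, copied from four rows of the table above.
TECHNIQUE = {
    "bounds_check": "Buffer Overflow",
    "lifetime_fix": "Use-After-Free",
    "user_boundary_check": "Arbitrary R/W Primitives",
    "int_overflow": "Integer Overflow",
}
# Hypothetical patterns (assumptions, not AutoPiff's rules): each matches a
# guard that shows up only in the fixed build's decompiled function body.
RULES = [
    ("user_boundary_check", re.compile(r"\bProbeFor(Read|Write)\s*\(")),
    ("int_overflow", re.compile(r"\bRtl\w+(Add|Mult|Sub)\s*\(")),
    ("lifetime_fix", re.compile(r"\bObReferenceObject\w*\s*\(")),
    ("bounds_check", re.compile(r"\bif\s*\(.*\b\w*(len|size|length)\w*\s*[<>]", re.I)),
]

def added_lines(vuln, fixed):
    """Lines that exist only in the fixed build of one function."""
    a, b = vuln.splitlines(), fixed.splitlines()
    ops = difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return [ln.strip() for tag, _, _, j1, j2 in ops
            if tag in ("insert", "replace") for ln in b[j1:j2]]

def classify(vuln, fixed):
    """Sorted (category, technique) pairs for guards the patch introduced."""
    hits = set()
    for line in added_lines(vuln, fixed):
        for category, pattern in RULES:
            if pattern.search(line):
                hits.add((category, TECHNIQUE[category]))
    return sorted(hits)

# Constructed decompiler-style bodies for one function; not from a real driver.
VULN = """NTSTATUS HandleIoctl(PVOID UserBuf, ULONG InLen) {
  UCHAR local[64];
  memcpy(local, UserBuf, InLen);
  return STATUS_SUCCESS;
}"""
FIXED = """NTSTATUS HandleIoctl(PVOID UserBuf, ULONG InLen) {
  UCHAR local[64];
  if (InLen > sizeof(local)) return STATUS_INVALID_PARAMETER;
  ProbeForRead(UserBuf, InLen, 1);
  memcpy(local, UserBuf, InLen);
  return STATUS_SUCCESS;
}"""

if __name__ == "__main__":
    for category, technique in classify(VULN, FIXED):
        print(f"{category} -> {technique}")
```

A single patched function can match more than one category, which is why the result is a set of pairs rather than one label.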
Case Studies
All 28 CVE case studies in KernelSight were bootstrapped from AutoPiff's validation corpus. Each includes:
- Vulnerable and fixed builds with KB numbers
- Expected detection rules and categories
- Function patterns where patches were applied