Fixing mermaidjs error in Patch Diffing Applined.md
minor edits and link fixes
clearbluejar committed Mar 10, 2022
1 parent 7fcc2cc commit 47e4e0a
Showing 7 changed files with 33 additions and 40 deletions.
22 changes: 13 additions & 9 deletions CVE analysis.md
Expand Up @@ -6,7 +6,11 @@ CVE analysis is **one road of many** that leads to the identification and compre

## Strategy

The analysis of a CVE will grant experience with the specific software that contains the reported vulnerability. As the component is analyzed, it will highlight the current problem and help put you in the context to identify other areas the same problem might exist ([variant analysis](https://blog.semmle.com/intro_to_variant_analysis_part_1/)). The analysis of several CVEs within the same software can help to generalize common security issues or vulnerability classes found within a particular system.
The analysis of a CVE will grant experience with the specific software that contains the reported vulnerability. As the component is analyzed, it will highlight the current problem and help put you in the context to identify other areas the same problem might exist ([variant analysis](https://blog.semmle.com/intro_to_variant_analysis_part_1/)).

> Variant analysis is the process of using a known vulnerability as a seed to find similar problems in your code. Security engineers typically perform variant analysis to identify possible vulnerabilities and to ensure that these threats are properly fixed across multiple code bases. [Source](https://help.semmle.com/QL/ql-support/ql-training/#:~:text=Variant%20analysis%20is%20the%20process,fixed%20across%20multiple%20code%20bases.)
The analysis of several CVEs within the same software can help to generalize common security issues or vulnerability classes found within a particular system.

### Vulnerability Classes

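Review bot: the first new paragraph still ends with "identify other areas the same problem might exist"; insert "where" so it reads "identify other areas where the same problem might exist". The [Source] link on the variant-analysis quote uses a `#:~:text=` text-fragment anchor, which only some browsers honour; the plain page URL `https://help.semmle.com/QL/ql-support/ql-training/` is the more durable citation.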
Expand All @@ -18,7 +22,7 @@ As you study CVEs, your knowledge of vulnerability classes will increase with re

### The Ideal Process

The basic idea presented in this course is to look at CVEs, build up your knowledge of vulnerability classes, and discover vulnerabilities.
The basic idea is to look at CVEs, build up your knowledge of vulnerability classes, and discover vulnerabilities.

More formally, the high level idea is to:
1. Research relevant CVEs
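Review bot: dropping "presented in this course" matches the README rename in this commit; while touching this spot, hyphenate "high level" in the context line "More formally, the high level idea is to:" as "high-level", since it modifies "idea".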
Expand Down Expand Up @@ -204,7 +208,7 @@ Some of the metadata is straightforward (date, web links, ID) and some are more

#### CWEs

The most difficult metadata bullet. The goal is to identify the vulnerability classes that relate to the particular CVE. Labeling a CVE with a CWE helps you to think about the specific vulnerability class and it's relationship in the context of your CVE. For CVE-2020-1048, two vulnerability classes were made explicit in the [blog](https://windows-internals.com/printdemon-cve-2020-1048/).
The most difficult metadata bullet. The goal is to identify the vulnerability classes that relate to the particular CVE. Labeling a CVE with a CWE helps you to think about the specific vulnerability class and it's relationship in the context of your CVE. For CVE-2020-1048, two vulnerability classes were made explicit in the corresponding [blog](https://windows-internals.com/printdemon-cve-2020-1048/) post.

> ### Client Side Port Check Vulnerability
> Yes, it was that simple. The UI dialog has a client-side check… the server, does not. And PowerShell’s WMI Print Provider Module… does not. [](https://windows-internals.com/printdemon-cve-2020-1048/)
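Review bot: "it's relationship" should be "its relationship" (possessive); since the line is already being rewritten, fix it here. The blockquote below cites its source with an empty link text, `[](https://windows-internals.com/printdemon-cve-2020-1048/)`, which renders as nothing in GitHub markdown; give it visible text such as "source".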
Expand All @@ -221,15 +225,15 @@ To standardize, match specific [CWEs](https://cwe.mitre.org/) to the identified
- [Improper Privilege Management \- (269)](https://cwe.mitre.org/data/definitions/269.html)
- [Privilege Context Switching Error \- (270)](https://cwe.mitre.org/data/definitions/270.html)

Supply not only the direct matches (CWE-602 and CWE-270), but parent CWEs (parent CWEs generally being a more abstract version of the child). Explicitly mapping out the CWEs in this way can help a researcher identify relationships to other CVEs at a different level of abstraction. This is a convention that helps a novice researcher classify vulnerability classes and better understand their relationships. There are a few different [views](https://cwe.mitre.org/data/index.html) for CWEs, with the research view being suggested for vulnerability researchers.
Consider not only the direct matches (CWE-602 and CWE-270), but parent CWEs (parent CWEs generally being a more abstract version of the child). Explicitly mapping out the CWEs in this way can help a researcher identify relationships to other CVEs at a different level of abstraction. This is a convention that helps a novice researcher classify vulnerability classes and better understand their relationships. There are a few different [views](https://cwe.mitre.org/data/index.html) for CWEs, with the research view being suggested for vulnerability researchers.

#### Main Content - CVE-2020-1048

Now that the metadata is out of the way, time to tackle the main content of the template. Don't go overboard here, but try to think and answer each question with the information that is available.

##### Summary

In your own words, summarize the primary details of the vulnerability. It's OK to quote, but make sure you able to communicate the vulnerability in your own writing. It helps to build your understanding.
In your own words, summarize the primary details of the vulnerability. It's OK to quote, but make sure you able to communicate the vulnerability in your own writing. Paraphrasing helps to build your understanding.

```markdown
>*PrintDemon is an elevation of privilege (EoP) vulnerability that exists in the Windows Print Spooler service as it improperly allows arbitrary file writing on the file system [](https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/)*
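Review bot: "make sure you able to communicate" is missing "are"; since the sentence is being edited, make it "make sure you are able to communicate". The PrintDemon quote in the markdown block has the same empty-text link pattern, `[](https://voidsec.com/...)`, which will not render as a visible link.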
Expand All @@ -241,7 +245,7 @@ A local user can craft an print job (via a SHD file) which contains arbitrary da

##### Components Affected

Depending on your platform, which software or operating system [components](https://en.wikipedia.org/wiki/Operating_system#Components) are affected by the CVE? Does it involve memory management? Kernel or user? File I/O? Authorization? Networking?
Which software or operating system [components](https://en.wikipedia.org/wiki/Operating_system#Components) are affected by the CVE? Does it involve memory management? Kernel or user? File I/O? Authorization? Networking?

```markdown
## Components affected
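Review bot: the simplified question reads better. The unchanged context line above, "A local user can craft an print job", has "an print" for "a print" and is worth a drive-by fix in this hunk.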
Expand Down Expand Up @@ -279,7 +283,7 @@ This section is more open ended. It's single purpose is to help label relationsh

##### Requirements

This section is a fun one. It is the step for in which you can challenge yourself and is sure to increase your skill at spotting vulnerabitilties. It is essentially the section that maps out the requirements for the CVE. Take some time to think about the prerequisites needed to make this CVE a reality? What didn't the developer or software consider? What played a major role? What stars needed to align??
This section is a fun one. It is the step for in which you can challenge yourself and is sure to increase your skill at spotting vulnerabilities. It is essentially the section that maps out the requirements for the CVE. Take some time to think about the prerequisites needed to make this CVE a reality? What didn't the developer or software consider? What played a major role? What stars needed to align??

```markdown
## Requirements
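Review bot: the spelling fix is correct, but the same line keeps two other slips: "It is the step for in which you can challenge yourself" should be "the step in which", and the imperative "Take some time to think about the prerequisites needed to make this CVE a reality?" should end with a period, with "What stars needed to align??" reduced to a single question mark.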
Expand All @@ -299,7 +303,7 @@ This section is a fun one. It is the step for in which you can challenge yourse

### Getting to the Root Cause

As you approach the Root Cause section in the latter half if the [Template for CVE analysis](Templates/Template%20for%20CVE%20analysis.md), there are several things to keep in mind. The idea is to determine the underlying security issue that caused the vulnerability. Sometimes this is clear from the various blog post and CVE write ups and other times clarity will only come from digging deeper with [patch diffing](Patch%20Diffing.md). It's best to get a good understanding of the [root cause](Root%20Cause%20Analysis.md) to understand if the vulnerability was sufficiently patched or alternatively that there are potentially other ways to reach the vulnerability.
As you approach the Root Cause section in the latter half if the [Template for CVE analysis](Templates/Template%20for%20CVE%20analysis.md), there are several things to keep in mind. The idea is to determine the underlying security issue that caused the vulnerability. Sometimes this is clear from the various blog post and CVE write ups and other times clarity will only come from digging deeper with [patch diffing](Patch%20Diffing.md). It's best to strive for a basic understanding of the [root cause](Root%20Cause%20Analysis.md) to determine if the vulnerability was sufficiently patched or alternatively if there are potentially other ways to reach the vulnerability that were not considered.

#### Fundamental Issue / Root Cause Section

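Review bot: "in the latter half if the Template" should be "of the", and "the various blog post and CVE write ups" should be "blog posts and CVE write-ups". The new closing sentence is an improvement, though "or alternatively if there are potentially other ways" stacks hedges; "or whether there are other ways to reach the vulnerability that were not considered" is tighter.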
Expand Down Expand Up @@ -340,7 +344,7 @@ There are alternate templates. In July of 2020 Googe's Project zero shared a te


## Seeking Patterns
We will now pivot. From information gathering and familiarization to the process of finding patterns within your analysis. Reviewing several CVEs for a particular piece of software should help connect some dots by defining the requirements (aka primitives) needed to enact the vulnerabilities. The more you can observe, the more likely a pattern will emerge. As you being to become familiar with a particular software component, it will be easier to notice the security relevant areas of the software.
We will now pivot. From information gathering and familiarization to the process of finding patterns within your analysis. Reviewing several CVEs for a particular piece of software should help connect some dots by defining the requirements (aka primitives) needed to enact the vulnerabilities. The more you can observe, the more likely a pattern will emerge. As you being to become familiar with a particular software component, it will be easier to notice the security relevant areas of the software.

Simply reviewing the [CVE search result](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Windows+print+spooler) table's text can give you some hint without looking any further. You can see that this is a Windows **service**, likely running at an **elevated** **privelege**, accessible by **RPC** and able to **write** **arbitrary** **files**.

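Review bot: the removed and added lines of this hunk render identically, so this appears to be a whitespace-only change; if the line is being touched anyway, fix "As you being to become familiar" to "As you begin to become familiar". In the surrounding context, "privelege" should be "privilege" and "Googe's Project zero" should be "Google's Project Zero".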
7 changes: 1 addition & 6 deletions Conclusion.md
Expand Up @@ -101,9 +101,4 @@ J --> K[Discover New and/or Related Vulnerabilities]
```

This course has covered quite a bit of ground, but yet to cover the discovery of new vulnerabilities. This step is left as an exercise for the reader. If you are looking for examples of discovery via patch diffing take a look at the blog [[Patch Diffing In the Dark]]. There you will see this process applied and how increased understanding of patch diffed CVEs brought about the discovery of new vulnerabilities.

## After the Diff?
- Variant analysis
- Are there other paths that reach this code?
- Refraction thinking - Does this vulnerability exist in any other related subsystem?
This course has covered quite a bit of ground, but yet to cover the discovery of new vulnerabilities. This step is left as an exercise for the reader. If you are looking for examples of discovery via patch diffing take a look at the blog [[Patch Diffing In the Dark]]. There you will see this process applied and how increased understanding of patch diffed CVEs brought about the discovery of new vulnerabilities.
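Review bot: removing the "After the Diff?" list drops the only pointers in Conclusion.md to variant analysis, "Are there other paths that reach this code?" and the refraction-thinking prompt; variant analysis is introduced in CVE analysis.md in this same commit, but the other two prompts are lost, so consider folding them into the closing paragraph. Separately, `[[Patch Diffing In the Dark]]` is wiki-link syntax that GitHub's markdown does not render as a link, and "but yet to cover" should read "but has yet to cover".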
2 changes: 1 addition & 1 deletion Ghidra Version Tracking.md
Expand Up @@ -2,7 +2,7 @@

![pexels-jakub-novacek-924824](Resources/images/pexels-jakub-novacek-924824.jpg)[](https://www.pexels.com/photo/time-lapse-photo-of-stars-on-night-924824/)

Patch Diffing with Ghidra can be performed by its **[Version Tracking Tool](https://ghidra.re/courses/GhidraClass/Intermediate/VersionTracking_withNotes.html#VersionTracking.html)**. Not to be confused with it's [Program Difference Tool](https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/ProgramDiff/src/main/help/help/topics/Diff/Diff.htm) (which identifies changes in two applications for *porting changes* (aka binary patching) rather than *identifying* them for comparison.)
Patch Diffing with Ghidra can be performed by its **[Version Tracking Tool](https://ghidra.re/courses/GhidraClass/Intermediate/VersionTracking_withNotes.html#VersionTracking.html)**. Not to be confused with its [Program Difference Tool](https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/ProgramDiff/src/main/help/help/topics/Diff/Diff.htm) (which identifies changes in two applications for *porting changes* (aka binary patching) rather than *identifying* them for comparison.)

> Version Tracking refers to the process used by reverse engineers to identify matching code or data between different software binaries. One common use case is to version track two different versions of the same binary. [Version Tracking Ghidra - ghidra2018](https://raw.githubusercontent.com/NationalSecurityAgency/ghidra/master/Ghidra/Features/VersionTracking/src/main/help/help/topics/VersionTrackingPlugin/Version_Tracking_Intro.html)
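Review bot: "its" is the right fix. The sentence "Not to be confused with its [Program Difference Tool](...) (...)" is a fragment; attach it to the preceding sentence with a comma or begin it "It is not to be confused with". The nested parenthetical, which says the tool "identifies changes ... rather than *identifying* them", also obscures the contrast being drawn; restate the distinction in a single clause. The image credit link in context, `[](https://www.pexels.com/photo/...)`, has empty link text and renders as nothing.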
4 changes: 2 additions & 2 deletions Patch Diffing Applied.md
Expand Up @@ -32,8 +32,8 @@ Assuming we already have the [prep](Ghidra%20Version%20Tracking.md#Setup%20and%2
graph TD;
subgraph Prep
A[Create Session] ---> B[Load Binary Version A];
A ---> C[Load Binary Version B];
A[Create Session] --> B[Load Binary Version A];
A --> C[Load Binary Version B];
B --> D[Pass Preconditions];
C --> D;
D --> E[Auto Analyze A/B];
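Review bot: changing `--->` to `-->` makes the two edges consistent with the rest of the subgraph (`B --> D`, `C --> D`, `D --> E`), which already uses the standard arrow; keep one arrow form throughout the diagram. The `subgraph Prep` opened in context requires a matching `end` below this hunk, which the hunk does not show; worth confirming it is present.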
26 changes: 10 additions & 16 deletions README.md
Expand Up @@ -4,14 +4,13 @@
![pexels-faik-akmd-1025469](Resources/images/pexels-faik-akmd-1025469.jpg)
<sub>Photo by [Faik Akmd](https://www.pexels.com/@creationsbyfaik?utm_content=attributionCopyText&utm_medium=referral&utm_source=pexels) from [Pexels](https://www.pexels.com/photo/photo-of-night-sky-1025469)</sub>


Created: 2020-12-15
Updated: 2022-01-24

## Overview
**CVE analysis** provides an opportunity to gain more insight into the vulnerability classes responsible for the security issues within everyday software. Applying **Patch Differential Analysis (Patch Diffing)** to the relevant security updates will provide clarity into security related sections of vulnerable software. Finally, **Root Cause Analysis** will determine whether a specific security patch was effective, and may hint that there are more vulnerabilities ready to be discovered.
**CVE analysis** provides an opportunity to gain more insight into vulnerabilities and the vulnerability classes responsible for the security issues within everyday software. Applying **Patch Differential Analysis (Patch Diffing)** to the relevant security updates will provide clarity into security related sections of vulnerable software. Finally, **Root Cause Analysis** will determine whether a specific security patch was effective, and may hint that there are more vulnerabilities ready to be discovered.

This course introduces the skill of Common Vulnerabilities and Exposures (CVE) analysis and binary patch diffing. The hope is to provide techniques to help familiarize a researcher with a specific software domain, vulnerability classification ideation, and the ability to focus on a chosen topic to eventually map out vulnerability hot spots. To treat **CVEs as North Stars in vulnerability discovery and comprehension**.
CVE North Stars introduces the skill of Common Vulnerabilities and Exposures (CVE) analysis and binary patch diffing. The hope is to provide techniques to help familiarize a researcher with a specific software domain, vulnerability classification ideation, and the ability to focus on a chosen topic to eventually map out vulnerability hot spots. To treat **CVEs as North Stars in vulnerability discovery and comprehension**.

Along the way, this course analyzes [several](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1048) [recent](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1337) [Windows](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17001) [Print](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1030) [Spooler](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1678) CVEs that clearly demonstrate the need for understanding the root cause of vulnerabilities when attempting to patch them.

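Review bot: "This course" becomes "CVE North Stars" here, but the following context line still reads "Along the way, this course analyzes ...", so the rename is only half applied; use one wording in both places. Also "Updated: 2022-01-24" is left untouched by a commit dated Mar 10, 2022; bump it if that field is meant to track edits.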
Expand All @@ -22,8 +21,7 @@ Along the way, this course analyzes [several](https://cve.mitre.org/cgi-bin/cven
- Introduction to [Root Cause Analysis](Root%20Cause%20Analysis.md)


## Course
- [Course Plan](Course%20Plan.md)
## Table of Contents
- [Research](Research.md)
- Identify platform
- Identify CVE(s)
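Review bot: replacing "## Course" with "## Table of Contents" also drops the link to Course Plan.md; if that file still exists it is no longer reachable from the README, so either delete it or link it elsewhere. The two blank lines before the heading can be reduced to one.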
Expand All @@ -44,23 +42,19 @@ Along the way, this course analyzes [several](https://cve.mitre.org/cgi-bin/cven
- Feasibility
- Tools
- [Ghidra Version Tracking](Ghidra%20Version%20Tracking.md)
- The Process
- Patch Diffing With Ghidra
- Version Tracker Workflow
- [Patch Diffing Applied](Patch%20Diffing%20Applied.md)
- CVE
- CVE-2020-1048
- CVE-2020-1337
- CVE-2020-17001
- [Root Cause Analysis](Root%20Cause%20Analysis.md)
- Treating the Symptom Rather Than the Cause
- Formal Process
- Practical Example
- [Conclusion](Conclusion.md)

TODO:
- [ ] Make clear: which ones are conceptual/ practical?
- [ ] determine correct level/scope for course: what is the audience?
- [ ] remove the personal pronouns found throughout?
- [ ] add back-matter (links to main page, next page, etc)
- [ ] grammar checks

- CVE Analysis in the Light
- Patch Diff in the Dark
- Discover

---
tags: #project
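Review bot: the three new bullets ("CVE Analysis in the Light", "Patch Diff in the Dark", "Discover") follow a blank line after the Conclusion entry, so they render as a separate, unlinked list with no heading; either nest them under Conclusion or give them a heading and links. "Patch Diff in the Dark" also differs from the "[[Patch Diffing In the Dark]]" title used in Conclusion.md in this same commit; pick one name.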
0 comments on commit 47e4e0a