Discovering Cryptographic Algorithms in Binary Code Through Loop Enumeration

D. Buhov, Patrick Kochberger, Richard Thron, S. Schrittwieser
Published in: 2017 International Conference on Software Security and Assurance (ICSSA), July 2017. DOI: 10.1109/ICSSA.2017.22
Citations: 2

Abstract

In benign programs, encryption is used to prevent sensitive data from being exposed. Malware, on the other hand, uses encryption to hide from analysis or to perform malicious activities, e.g. ransomware. The challenge in detecting the presence of these cryptographic algorithms lies in the fact that it is generally not possible to identify the entire functionality of a binary program through static analysis. In this paper we present a novel approach for detecting specific cryptographic algorithms through control flow analysis based on symbolic execution. The control flow graph generated by the angr framework, together with its symbolic execution, is used to search for loops. Nodes that are executed a certain number of times and in a specific order let us point out possible cryptographic activities. In the proof-of-concept implementation we were able to identify and differentiate DES, TripleDES and several variants of the AES algorithm. Our solution is able to detect the presence of these algorithms without access to the source code of the program. It also eliminates the need for a skilled operator to perform the analysis.
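As an added illustration (not code from the paper or its authors), the loop-enumeration idea from the abstract on a constructed control flow graph: natural loops are found through DFS back edges, each loop's iteration count is read from a constructed block-level execution trace, and the count is matched against a round-count table (DES 16, TripleDES 48, AES-128/192/256 10/12/14). The CFG, the trace and the table are my assumptions; real angr CFG or symbolic-execution output is not used.

```python
from collections import defaultdict

# Constructed CFG (block id -> successors), not taken from the paper: blocks 2,3,4
# form the round loop (header 2, latch 4) and block 5 is the exit path.
CFG = {0: [1], 1: [2], 2: [3, 5], 3: [4], 4: [2], 5: []}
# Constructed execution trace of block ids: 16 round iterations, then the exit.
TRACE = [0, 1] + [2, 3, 4] * 16 + [2, 5]
# Assumed heuristic table (loop iterations -> candidate cipher) built from the round
# counts of the algorithms the abstract names; the paper's own rules are not on this page.
ROUND_SIGNATURES = {16: "DES", 48: "TripleDES", 10: "AES-128", 12: "AES-192", 14: "AES-256"}

def find_loops(cfg, entry=0):
    """Enumerate natural loops as (header, latch, body) by finding DFS back edges."""
    preds = defaultdict(list)
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    state, loops = {}, []
    def dfs(n):
        state[n] = "active"
        for s in cfg[n]:
            if state.get(s) == "active":   # n -> s closes a cycle: s is a loop header
                loops.append((s, n, loop_body(preds, s, n)))
            elif s not in state:
                dfs(s)
        state[n] = "done"
    dfs(entry)
    return loops

def loop_body(preds, header, latch):
    """Body = header plus every block that reaches the latch without passing the header."""
    body, work = {header, latch}, [latch]
    while work:
        for p in preds[work.pop()]:
            if p not in body:
                body.add(p)
                work.append(p)
    return body

def iteration_count(trace, header, latch):
    """Number of latch -> header back-edge traversals observed in the trace."""
    return sum(1 for a, b in zip(trace, trace[1:]) if (a, b) == (latch, header))

def classify_loops(cfg, trace):
    """Map each loop header to (iterations, candidate algorithm or 'unknown')."""
    result = {}
    for header, latch, _body in find_loops(cfg):
        n = iteration_count(trace, header, latch)
        result[header] = (n, ROUND_SIGNATURES.get(n, "unknown"))
    return result
```

With a real binary, the CFG and trace would come from the framework's graph and symbolic-execution paths; a loop whose count matches no entry is reported as unknown rather than guessed.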