D. Buhov, Patrick Kochberger, Richard Thron, S. Schrittwieser
2017 International Conference on Software Security and Assurance (ICSSA), published 2017-07-01
DOI: 10.1109/ICSSA.2017.22 (https://doi.org/10.1109/ICSSA.2017.22)
Discovering Cryptographic Algorithms in Binary Code Through Loop Enumeration
In benign programs, encryption is used to prevent sensitive data from being exposed. Malware, on the other hand, uses encryption to hide from analysis or perform malicious activities, e.g. ransomware. The challenge in detecting the presence of these cryptographic algorithms lies in the fact that it is generally not possible to identify the entire functionality of binary programs through static analysis. In this paper we present a novel approach for detecting specific cryptographic algorithms through control flow analysis based on symbolic execution. The control flow graph generated and symbolic execution done by the angr framework are used to search for loops. Nodes that are executed a certain number of times and in a specific order let us point out possible cryptographic activities. In the proof-of-concept implementation we were able to identify and differentiate DES, TripleDES and several variants of the AES algorithm. Our solution is able to detect the presence of these algorithms without access to the source code of the program. It also eliminates the need for a skilled operator to perform the analysis.
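A simplified illustration of the loop-enumeration idea in the abstract, added here and not the paper's implementation or angr code: it finds loop back edges in a small control flow graph, counts how often each loop latch executes in a trace, and compares the count with known cipher round counts. The CFGs, traces, function names and the direct count-to-cipher table are constructed assumptions; compiled ciphers often unroll loops or peel the final round, so counts in real binaries differ.

```python
from collections import Counter

# Round counts from the cipher specifications; mapping a loop's trip count
# straight to a cipher name is an assumption made for this illustration.
ROUNDS = {16: "DES", 48: "TripleDES", 10: "AES-128", 12: "AES-192", 14: "AES-256"}

def back_edges(cfg, entry):
    """Return CFG edges (latch, header) that close a loop, found by iterative DFS."""
    state = {entry: "open"}
    stack = [(entry, iter(cfg.get(entry, ())))]
    edges = []
    while stack:
        node, succs = stack[-1]
        for nxt in succs:
            if state.get(nxt) == "open":      # target is on the current DFS path
                edges.append((node, nxt))
            elif nxt not in state:
                state[nxt] = "open"
                stack.append((nxt, iter(cfg.get(nxt, ()))))
                break
        else:                                  # every successor has been explored
            state[node] = "done"
            stack.pop()
    return edges

def candidate_ciphers(cfg, entry, trace):
    """Count executions of each loop latch in the trace and match known round counts."""
    latches = {src for src, _ in back_edges(cfg, entry)}
    hits = Counter(block for block in trace if block in latches)
    return {hex(latch): ROUNDS[n] for latch, n in hits.items() if n in ROUNDS}

# Constructed sample 1: do-while style loop, block 0x1010 jumps back to itself.
CFG_A = {0x1000: [0x1010], 0x1010: [0x1010, 0x1020], 0x1020: []}
TRACE_A = [0x1000] + [0x1010] * 16 + [0x1020]

# Constructed sample 2: while style loop, header 0x2010 and body/latch 0x2018.
CFG_B = {0x2000: [0x2010], 0x2010: [0x2018, 0x2020], 0x2018: [0x2010], 0x2020: []}
TRACE_B = [0x2000] + [0x2010, 0x2018] * 10 + [0x2010, 0x2020]

if __name__ == "__main__":
    print(candidate_ciphers(CFG_A, 0x1000, TRACE_A))
    print(candidate_ciphers(CFG_B, 0x2000, TRACE_B))
```

Counting latch executions rather than header visits gives the same iteration count for both loop shapes, since a while-style header runs once more than its body.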