Discovering Cryptographic Algorithms in Binary Code Through Loop Enumeration

D. Buhov, Patrick Kochberger, Richard Thron, S. Schrittwieser
Published in: 2017 International Conference on Software Security and Assurance (ICSSA), 2017-07-01
DOI: 10.1109/ICSSA.2017.22 (https://doi.org/10.1109/ICSSA.2017.22)
Citations: 2

Abstract

In benign programs, encryption is used to prevent sensitive data from being exposed. Malware, on the other hand, uses encryption to hide from analysis or perform malicious activities, e.g. ransomware. The challenge in detecting the presence of these cryptographic algorithms lies in the fact that it is generally not possible to identify the entire functionality of binary programs through static analysis. In this paper we present a novel approach for detecting specific cryptographic algorithms through control flow analysis based on symbolic execution. The control flow graph generated and the symbolic execution performed by the angr framework are used to search for loops. Nodes that are executed a certain number of times and in a specific order let us point out possible cryptographic activities. In the proof-of-concept implementation we were able to identify and differentiate DES, TripleDES and several variants of the AES algorithm. Our solution is able to detect the presence of these algorithms without access to the source code of the program. It also eliminates the need for a skilled operator to perform the analysis.