DOI: 10.1145/2382196.2382217
Research article

Aligot: cryptographic function identification in obfuscated binary programs

Published: 16 October 2012

Abstract

Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 both in synthetic examples protected by a commercial-grade packer (AsProtect), and in several obfuscated malware samples (Sality, Waledac, Storm Worm and SilentBanker). In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
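The abstract's identification idea, as an added illustration rather than the paper's own code: reference implementations of TEA and RC4 (MD5 via hashlib) are run over parameter values recovered from a loop, every assignment of recovered inputs to argument roles is tried, and a candidate is identified when it reproduces an observed output. The trace values are constructed here (the public RC4 test vector); Aligot's actual parameter-recovery step is not reproduced.

```python
import hashlib, itertools
M32 = 0xFFFFFFFF

def tea_encrypt(key, block):
    """Reference TEA (Wheeler & Needham): 32 rounds over little-endian words."""
    if len(key) != 16 or len(block) != 8:
        raise ValueError("TEA needs a 16-byte key and an 8-byte block")
    k = [int.from_bytes(key[i:i + 4], "little") for i in range(0, 16, 4)]
    v0, v1 = (int.from_bytes(block[i:i + 4], "little") for i in (0, 4))
    s = 0
    for _ in range(32):
        s = (s + 0x9E3779B9) & M32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M32
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")

def rc4(key, data):
    """Reference RC4: key scheduling, then keystream XORed over data."""
    if not key:
        raise ValueError("RC4 needs a non-empty key")
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Candidate reference functions: (name, number of input parameters, implementation).
CANDIDATES = [("TEA", 2, tea_encrypt), ("RC4", 2, rc4),
              ("MD5", 1, lambda m: hashlib.md5(m).digest())]

def identify(inputs, outputs):
    """Try each candidate on the recovered inputs in every argument order."""
    for name, arity, fn in CANDIDATES:
        for args in itertools.permutations(inputs, arity):
            try:
                if fn(*args) in outputs:
                    return name, args
            except ValueError:
                continue  # parameter shapes do not fit this candidate
    return None

# Constructed trace from the public RC4 test vector; parameter roles are unknown.
TRACE_IN = [b"Plaintext", b"Key"]
TRACE_OUT = [bytes.fromhex("bbf316e8d940af0ad3")]
```

Running `identify(TRACE_IN, TRACE_OUT)` names RC4 and reports which recovered value acted as key and which as data.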

Cited By

  • (2024) Evaluation Methodologies in Software Protection Research. ACM Computing Surveys. DOI 10.1145/3702314. Online publication date: 2 Nov 2024
  • (2024) K-Hunt++: Improved Dynamic Cryptographic Key Extraction. Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks, pages 22-29. DOI 10.1145/3689934.3690818. Online publication date: 19 Nov 2024
  • (2023) A Game-Based Framework to Compare Program Classifiers and Evaders. Proceedings of the 21st ACM/IEEE International Symposium on Code Generation and Optimization, pages 108-121. DOI 10.1145/3579990.3580012. Online publication date: 17 Feb 2023

        Published In

        CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
        October 2012
        1088 pages
        ISBN:9781450316514
        DOI:10.1145/2382196

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. binary program analysis
        2. cryptography
        3. malware

        Qualifiers

        • Research-article

        Conference

        CCS'12
        Sponsor:
        CCS'12: the ACM Conference on Computer and Communications Security
        October 16 - 18, 2012
        Raleigh, North Carolina, USA

        Acceptance Rates

        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
