Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 both in synthetic examples protected by a commercial-grade packer (AsProtect), and in several obfuscated malware samples (Sality, Waledac, Storm Worm and SilentBanker). In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
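The abstract describes matching recovered input/output parameters against reference implementations of known primitives rather than looking for static features of the code. The following is an added example of that matching step, not code from the paper or its tool: it carries its own reference implementations of TEA, RC4 and MD5, takes a list of "observed" parameter sets (constructed inline here, where a real tool would recover them from an execution trace), and reports which reference function reproduces each observed output. Because the recovered parameters carry no labels, every ordering of the inputs is tried, and parameters of the wrong size for a primitive are skipped rather than treated as a mismatch. The little-endian word layout used for TEA and the names `identify` and `REFERENCE_FUNCTIONS` are choices made for this example.

```python
"""Identify cryptographic functions from recovered input/output parameters.

Added example, not the paper's tool: re-run reference implementations on
the recovered parameters and keep the ones that reproduce the output.
"""
import hashlib
import struct
from itertools import permutations


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """TEA: 64-bit block, 128-bit key, 32 rounds.

    Words are taken little-endian (assumption: matches x86 memory layout).
    """
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    delta, total, mask = 0x9E3779B9, 0, 0xFFFFFFFF
    for _ in range(32):
        total = (total + delta) & mask
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & mask
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & mask
    return struct.pack("<2I", v0, v1)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR over `data`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# name -> (number of input parameters, callable(*inputs) -> output bytes)
REFERENCE_FUNCTIONS = {
    "MD5": (1, lambda data: hashlib.md5(data).digest()),
    "RC4": (2, rc4),
    "TEA": (2, tea_encrypt_block),
}


def identify(inputs, output):
    """Return the reference functions that map `inputs` onto `output`.

    Recovered parameters carry no role labels, so every ordering is tried;
    parameter sizes that a primitive cannot accept are skipped, not counted
    as a mismatch.
    """
    matches = []
    for name, (arity, func) in REFERENCE_FUNCTIONS.items():
        if arity != len(inputs):
            continue
        for ordered in permutations(inputs):
            try:
                if func(*ordered) == output:
                    matches.append(name)
                    break
            except (struct.error, ValueError, IndexError, ZeroDivisionError):
                continue  # wrong sizes for this primitive
    return matches


# Constructed observations standing in for parameters recovered from a trace.
_TEA_BLOCK, _TEA_KEY = bytes(range(8)), bytes(range(16))
OBSERVED = [
    # MD5 of "abc" (well-known test vector).
    ([b"abc"], bytes.fromhex("900150983cd24fb0d6963f7d28e17f72")),
    # RC4, key "Key", plaintext "Plaintext" (well-known test vector), inputs
    # deliberately listed in the "wrong" order.
    ([b"Plaintext", b"Key"], bytes.fromhex("BBF316E8D940AF0AD3")),
    # TEA output computed with the reference function above, since no real
    # trace is available in this example.
    ([_TEA_BLOCK, _TEA_KEY], tea_encrypt_block(_TEA_BLOCK, _TEA_KEY)),
    # Decoy: a plain repeating-key XOR, which no reference function matches.
    ([b"Plaintext", b"Key"],
     bytes(a ^ b for a, b in zip(b"Plaintext", b"KeyKeyKeyKey"))),
]


def identify_all(observations):
    """Run `identify` over every observation; [] means 'unknown primitive'."""
    return [identify(inputs, output) for inputs, output in observations]


if __name__ == "__main__":
    for (inputs, _), found in zip(OBSERVED, identify_all(OBSERVED)):
        print(len(inputs), "parameter(s) ->", found or "no match")
```

An empty result is as informative as a hit: the decoy XOR loop is exactly the kind of routine that a static signature scanner might mislabel, while the I/O comparison simply reports that no known primitive reproduces its output. Real traces add two complications the example avoids by construction: the recovered output buffer may be longer than the primitive's output (compare a prefix rather than the whole buffer), and multi-block modes need the block boundaries recovered before a single-block reference function can be applied.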