Issue No.02 - March-April (2014 vol.11)
pp: 101-114
Xin Li, George Mason University, Fairfax
Xinyuan Wang, George Mason University, Fairfax
Wentao Chang, George Mason University, Fairfax
ABSTRACT
Malware is becoming increasingly stealthy, and more and more malware uses cryptographic algorithms (e.g., packing, encrypting C&C communication) to protect itself from being analyzed. The use of cryptographic algorithms and truly transient cryptographic secrets inside the malware binary poses a key obstacle to effective malware analysis and defense. To enable more effective malware analysis, forensics, and reverse engineering, we have developed CipherXRay, a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of a cryptographic operation and recover truly transient cryptographic secrets that exist in memory for only one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases. We have empirically validated CipherXRay with OpenSSL, the popular password safe KeePassX, the ciphers used by the malware Stuxnet, Kraken and Agobot, and a number of third-party software packages with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.
INDEX TERMS
Transient analysis, Malware, Encryption, Monitoring, Algorithm design and analysis, reverse engineering, Binary analysis, avalanche effect, key recovery attack on cryptosystem, transient cryptographic secret recovery, secrecy of monitored execution
CITATION
Xin Li, Xinyuan Wang, Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution", IEEE Transactions on Dependable and Secure Computing, vol.11, no. 2, pp. 101-114, March-April 2014, doi:10.1109/TDSC.2012.83