This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution
March-April 2014 (vol. 11 no. 2)
pp. 101-114
Xin Li, George Mason University, Fairfax
Xinyuan Wang, George Mason University, Fairfax
Wentao Chang, George Mason University, Fairfax
Malwares are becoming increasingly stealthy, more and more malwares are using cryptographic algorithms (e.g., packing, encrypting C&C communication) to protect themselves from being analyzed. The use of cryptographic algorithms and truly transient cryptographic secrets inside the malware binary imposes a key obstacle to effective malware analysis and defense. To enable more effective malware analysis, forensics, and reverse engineering, we have developed CipherXRay a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases. We have empirically validated CipherXRay with OpenSSL, popular password safe KeePassX, the ciphers used by malware Stuxnet, Kraken and Agobot, and a number of third party softwares with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.
Index Terms:
Transient analysis,Malware,Encryption,Monitoring,Algorithm design and analysis,reverse engineering,Binary analysis,avalanche effect,key recovery attack on cryptosystem,transient cryptographic secret recovery,secrecy of monitored execution
Citation:
Xin Li, Xinyuan Wang, Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution," IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 2, pp. 101-114, March-April 2014, doi:10.1109/TDSC.2012.83
Usage of this product signifies your acceptance of the Terms of Use.