• Publication
  • PrePrints
  • Abstract - CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution
 This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution
PrePrint
ISSN: 1545-5971
Xin Li, George Mason University, Fairfax
Xinyuan Wang, George Mason University, Fairfax
Wentao Chang, George Mason University, Fairfax
To enable more effective malware analysis, forensics and reverse engineering, we have developed CipherXRay - a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases. We have empirically validated CipherXRay with OpenSSL, popular password safe KeePassX, the ciphers used by malware Stuxnet, Kraken and Agobot, and a number of third party softwares with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.
Index Terms:
Reverse Engineering,Security and Privacy Protection,Operating Systems,Software/Software Engineering,Data,Data Encryption,Avalanche Effect,Malware Analysis,Binary Analysis
Citation:
Xin Li, Xinyuan Wang, Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution," IEEE Transactions on Dependable and Secure Computing, 24 Sept. 2012. IEEE computer Society Digital Library. IEEE Computer Society, <http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.83>
Usage of this product signifies your acceptance of the Terms of Use.