|
| This Article | ||
| ||
| Share | ||
| Bibliographic References | ||
| Add to: | ||
 Digg  Furl  Spurl  Blink  Simpy  Google  Del.icio.us  Y!MyWeb | ||
| Search | ||
| ||
CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution
PrePrint
ISSN: 1545-5971
| ASCII Text | x | ||
| Xin Li, Xinyuan Wang, Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution," IEEE Transactions on Dependable and Secure Computing, vol. 99, no. 1, pp. 1, , 5555. | |||
| BibTex | x | ||
| @article{ 10.1109/TDSC.2012.83, author = {Xin Li and Xinyuan Wang and Wentao Chang}, title = {CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution}, journal ={IEEE Transactions on Dependable and Secure Computing}, volume = {99}, number = {1}, issn = {1545-5971}, year = {5555}, pages = {1}, doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.83}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, } | |||
| RefWorks Procite/RefMan/Endnote | x | ||
| TY - JOUR JO - IEEE Transactions on Dependable and Secure Computing TI - CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution IS - 1 SN - 1545-5971 SP EP EPD - 1 A1 - Xin Li, A1 - Xinyuan Wang, A1 - Wentao Chang, PY - 5555 KW - Reverse Engineering KW - Security and Privacy Protection KW - Operating Systems KW - Software/Software Engineering KW - Data KW - Data Encryption KW - Avalanche Effect KW - Malware Analysis KW - Binary Analysis VL - 99 JA - IEEE Transactions on Dependable and Secure Computing ER - | |||
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.83
To enable more effective malware analysis, forensics and reverse engineering, we have developed CipherXRay - a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases. We have empirically validated CipherXRay with OpenSSL, popular password safe KeePassX, the ciphers used by malware Stuxnet, Kraken and Agobot, and a number of third party softwares with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.
Index Terms:
Reverse Engineering,Security and Privacy Protection,Operating Systems,Software/Software Engineering,Data,Data Encryption,Avalanche Effect,Malware Analysis,Binary Analysis
Citation:
Xin Li, Xinyuan Wang, Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution," IEEE Transactions on Dependable and Secure Computing, 24 Sept. 2012. IEEE computer Society Digital Library. IEEE Computer Society, <http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.83>
Usage of this product signifies your acceptance of the Terms of Use.