Author : Anitha Abraham 1
Date of Publication :7th July 2015
Abstract: Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Nowadays malwares are becoming increasingly stealthy, most of malwares are using cryptographic algorithms to protect themselves from being analyzed. The use of cryptographic algorithms and truly transient cryptographic secrets inside the malware binary imposes a key obstacle to effective malware analysis and defense. CipherXRay is a novel binary analysis framework that can be used for effective malware analysis and defense. It can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. CipherXRay is based on the avalanche effect, which is a desirable property of cryptographic functions. The avalanche effect means that, a slight change in the input causes a significant change in the output, ie flipping a single bit in the input changes half of the output bits. Another feature of the avalanche effect is that it allows us to accurately pinpoint the location, size and boundary of both the input and output buffers. Using avalanche effect, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations.
Reference :
-
- Xin Li, Xinyuan Wang, Wentao Chang, “CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution” IEEE Transactions on Dependable and Secure computing, vol. 11, no. 2, March/April 2014
- A. Shamir and N. van Someren. Playing Hide and Seek with Stored Keys. In Proceedings of the Third International Conference on Financial Cryptography (FC 1999), pages 118 – 124, February 1999.
- T. Pettersson. Cryptographic Key Recovery from Linux Memory Dumps.In Presentation, Chaos Communication Camp, August 2007
- J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In Proceedings of the 17th USENIX Security Symposium, pages 45–60. USENIX, August 2008
- Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace. ReFormat: Automatic Reverse Engineering of Encrypted Messages. In Proceedings of the 14th European Symposium on Research in Computer Security (ESORICS 2009), pages 200–215, September 2009
- F. Gr¨obert, C. Willems, and T. Holz. Automated Identification of Cryptographic Primitives in Binary Programs. In Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011), September 2011.
- J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse engineering. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pages 621–634. ACM, October 2009