Symmetric-Key Cryptographic Routine Detection in Anti-Reverse Engineered Binaries Using Hardware Tracing
Abstract
1. Introduction
2. Problem Definition
3. Related Work
3.1. Cryptographic Algorithm Detection
3.2. Hardware Tracing
4. Proposed Scheme
4.1. Hardware Tracing Features and Capabilities
4.2. Symmetric Cryptographic Routine Detection Scheme
4.2.1. Making Instrumented Cryptographic Library
4.2.2. Hardware Tracing and Generated Pattern Integration
4.2.3. Making Database with Generated Patterns and Detecting the Cryptographic Algorithm
5. Implementation
5.1. Implementation Environment
5.2. Proposed Scheme Implementation
6. Experimental Results
6.1. Generated and Detected Cryptographic Algorithms
6.2. Experimental Results for Executable Files That Do Not Use Cryptography
6.3. Experimental Results for Executables That Use Anti-Reversing Technique
7. Conclusions
Author Contributions
Funding
Conflicts of Interest
Appendix A.
Algorithm | Key size (bit) | Block cipher mode of operation | Generated pattern (key generation pattern on the "Key generation" row; block crypto routine pattern on the mode rows) | Note
---|---|---|---|---
AES | 128 | Key generation | NNNTT |
AES | 128 | CBC | NTTTT(NTTTTTT){k,}NTNT |
AES | 128 | ECB | TTTTNT(TTTTTTTNT){k,} |
AES | 192 | Key generation | NNNNNNT |
AES | 192 | CBC | NTTTTT(NTTTTTTT){k,}NTNT |
AES | 192 | ECB | TTTTTNT(TTTTTTTTNT){k,} |
AES | 256 | Key generation | NNTNNNTTTTTTTN |
AES | 256 | CBC | NTTTTTT(NTTTTTTTT){k,}NTNT |
AES | 256 | ECB | TTTTTTNT(TTTTTTTTTNT){k,} |
AES-NI | 128 | Key generation | NNNNNNTTTTTTTTTT |
AES-NI | 128 | CBC | NTTTTTTTT(NTTTTTTTTT){k,}NNN |
AES-NI | 128 | ECB | NTTT(NTTTTT){k,}NTNT |
AES-NI | 192 | Key generation | NNNTNTTTTTTTT |
AES-NI | 192 | CBC | NTTTTTTTTTT(NTTTTTTTTTTT){k,}NNN |
AES-NI | 192 | ECB | NTTTT(NTTTTTT){k,}NTNT |
AES-NI | 256 | Key generation | NNTNTTTTTTTTTTTTT |
AES-NI | 256 | CBC | NTTTTTTTTTTTT(NTTTTTTTTTTTTT){k,}NNN |
AES-NI | 256 | ECB | NTTTTT(NTTTTTTT){k,}NTNT |
BF | 128 | Key generation | TTTTTTTTTTTTTTTTTNTTTTTTTTTTTTTTTTTN(T){1023}N |
BF | 128 | CBC | N(T){k,}TNT |
BF | 128 | CFB | N(NTNTTTTTTTTTTTTT){k,}NTNTTTTTTTTTTTTN |
BF | 128 | ECB | T(NTTNT){k,} |
BF | 128 | OFB | N(NTNTTTTTTTTTTTTT){k,}NTNTTTTTTTTTTTTNT |
CAST | 128 | Key generation | NNTTN |
CAST | 128 | CBC | NN(TTN){k,}TNT |
CAST | 128 | CFB | N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTN |
CAST | 128 | ECB | NT(NTTNNT){k,} |
CAST | 128 | OFB | N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTNT | Duplicate with DES-OFB, but can be distinguished with the key generation pattern
DES | 64 | Key generation | NNNNTNTNTNTNTNTNNNTNTNTNTNTNTNNT |
DES | 64 | CBC | NN(TTN){k,}TNT |
DES | 64 | CFB | N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTN |
DES | 64 | ECB | NT(NTTNT){k,} |
DES | 64 | OFB | N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTNT | Duplicate with CAST-OFB, but can be distinguished with the key generation pattern
DES3 | 128 (EDE) | Key generation | NNNNTNTNTNTNTNTNNNTNTNTNTNTNTNNT |
DES3 | 128 (EDE) | CBC | N(NNTTTNTTNTTTTTTTTTTTTT){k,}NNTTTNTTNTTTTTTTTTTTTN | In versions before 1.1.0, "NNTTNTNTNTNTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT" appears one time during an intermediate iteration pattern. Duplicate with EDE3-CBC; can be distinguished by the number of key generation patterns (EDE: 2 times, EDE3: 3 times)
DES3 | 128 (EDE) | CFB | NN(TTTN){k,}TTNT | In versions before 1.1.0, "TTN" appears one time during an intermediate iteration pattern. Duplicate with EDE3-CFB; can be distinguished by the number of key generation patterns (EDE: 2 times, EDE3: 3 times)
DES3 | 128 (EDE) | OFB | N(TNTTTNTTTTNTNTNTNTNTNT){k,}TNTTTNTTTTNTNTNTNTNTNNT | In versions before 1.1.0, "TNTTTNTTTNTNTNTNTNTNT" appears one time during an intermediate iteration pattern.
DES3 | 192 (EDE3) | Key generation | NNNNTNTNTNTNTNTNNNTNTNTNTNTNTNNT |
DES3 | 192 (EDE3) | CBC | N(NNTTTNTTNTTTTTTTTTTTTT){k,}NNTTTNTTNTTTTTTTTTTTTN | In versions before 1.1.0, "NNTTNTNTNTNTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT" appears one time during an intermediate iteration pattern. Duplicate with EDE-CBC; can be distinguished by the number of key generation patterns (EDE: 2 times, EDE3: 3 times)
DES3 | 192 (EDE3) | CFB | NN(TTTN){k,}TTNT | In versions before 1.1.0, "TTN" appears one time during an intermediate iteration pattern. Duplicate with EDE-CFB; can be distinguished by the number of key generation patterns (EDE: 2 times, EDE3: 3 times)
IDEA | 128 | CBC | N(NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNTT){k,}NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNTNT | Failed to generate key generation pattern
IDEA | 128 | CFB | N(NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNTNTTTTTTTTTTTTT){k,} |
IDEA | 128 | ECB | NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNT(NTTNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNT){k,} |
IDEA | 128 | OFB | (NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNTNTTTTTTTTTTTTT){k,}NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNTNTTTTTTTTTTTTNT |
RC2 | 40 | Key generation | NNNTTTTTNN(T){133}NN(T){122}N(T){63}N |
RC2 | 40 | CBC | NTTTTNTTTTTTNTTTTTNN(TTTTTTNTTTTTTNTTTTTNN){k,}TNT |
RC2 | 64 | Key generation | NNNTTTTTTTTNN(T){133}NN(T){119}N(T){63}N |
RC2 | 64 | CBC | NTTTTNTTTTTTNTTTTTNN(TTTTTTNTTTTTTNTTTTTNN){k,}TNT |
RC2 | 128 | Key generation | NNNNTTN(T){119}NNT(T){121}N(T){63}N |
RC2 | 128 | CBC | NTTTT(NTTTTTT){k,}NNTNT |
RC2 | 128 | CFB | NNTTTTNTTTTTTNTTTTTNNTN(TTTTTTTTTTTTTNTTTTNTTTTTTNTTTTTNNTN){k,}TTTTTTTTTTTTN |
RC2 | 128 | ECB | TTTTNTTTTTTNTTTTTNNT(NTTNTTTTNTTTTTTNTTTTTNNT){k,} |
RC2 | 128 | OFB | NNTTTTNTTTTTTNTTTTTNNTN(TTTTTTTTTTTTTNTTTTNTTTTTTNTTTTTNNTN){k,}TTTTTTTTTTTTNT |
RC4 | 40 | Key generation | (T){63}NNNNNTTNNNTNTNNTNNTNTNNN(TTNNNNTTNNNTNTNNTNNTNTNNN){11}TTNNNNTTNNNTNTNNTNNTNN |
RC4 | 40 | Stream | N(T){k,}NT |
RC4 | 128 | Key generation | (T){63}NNNNNTNNNNTNNNNTNNN(TTNNNNTNNNNTNNNNTNNN){15}TN |
RC4 | 128 | Stream | N(T){k,}NT |
ARIA | 128 | Key generation | NNTTT |
ARIA | 128 | CBC | NNTNTTTTN(TTNNTNTTTTN){k,} |
ARIA | 128 | CFB | NNTNTTTTN(TNNTNNTNTTTTN){k,} |
ARIA | 128 | ECB | NNTNTTTTN(TTTTNNTNTTTTN){k,} |
ARIA | 128 | OFB | NNTNTTTTN(TNNTNNTNTTTTN){k,} |
ARIA | 192 | Key generation | NNTNTNT |
ARIA | 192 | CBC | NNTNTTTTTN(TTNNTNTTTTTN){k,} |
ARIA | 192 | CFB | NNTNTTTTTN(TNNTNNTNTTTTTN){k,} |
ARIA | 192 | CTR | NNTNTTTTTN(TTNNTNTTTTTN){k,} |
ARIA | 192 | ECB | NNTNTTTTTN(TTTTNNTNTTTTTN){k,} |
ARIA | 192 | OFB | NNTNTTTTTN(TNNTNNTNTTTTTN){k,} |
ARIA | 256 | Key generation | NNNNNNNN |
ARIA | 256 | CBC | NNNNNTTTTTTN(TTNNNNNTTTTTTN){k,} |
ARIA | 256 | CFB | NNNNNTTTTTTN(TNNTNNNNNTTTTTTN){k,} |
ARIA | 256 | CTR | NNNNNTTTTTTN(TTNNNNNTTTTTTN){k,} |
ARIA | 256 | ECB | NNNNNTTTTTTN(TTTTNNNNNTTTTTTN){k,} |
ARIA | 256 | OFB | NNNNNTTTTTTN(TNNTNNNNNTTTTTTN){k,} |
SEED | 128 | CBC | N(T){k,}NT | Failed to generate key generation pattern
SEED | 128 | CFB | TNNT(NNTT){k,}NNNT |
SEED | 128 | ECB | T(TTNT){k,} |
SEED | 128 | OFB | NNT(NNTT){k,}NNNT |
SM4 | 128 | Key generation | TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTN | Failed to generate block cryptographic pattern
Byte | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | Packet
---|---|---|---|---|---|---|---|---|---
0 | 1 | B1 | B2 | B3 | B4 | B5 | B6 | 0 | Short TNT
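The following is an added example, not code from the paper or its authors, that ties the short TNT packet layout in the table above to the Appendix A patterns: it decodes short TNT packets (bit 0 clear, a stop bit of 1 above the payload, B1 as the oldest branch in the highest payload bit) into a T/N string, turns the CAST-128 and DES-64 OFB rows copied from Appendix A into regular expressions, and applies the table's note that the two identical OFB patterns are told apart by their key generation patterns. Three things are assumptions of this example rather than statements from the page: `{k,}` is treated as "k or more repetitions of the bracketed group, one per processed block", with a minimum count used as a detection threshold; the key generation pattern must occur in the trace before the block routine pattern; and the sample trace is constructed by expanding the table patterns, not captured from a processor.

```python
"""Added example (not the paper's code): decode Intel PT short TNT packets into a
T/N branch string and match it against Appendix A style patterns."""
import re
from typing import Dict, List, Tuple

# Subset of the Appendix A table (CAST-128 and DES-64 rows copied from the page).
# Both OFB rows share one block routine pattern; the table's note says they are
# distinguished by the key generation pattern.
PATTERN_DB: Dict[str, Dict[str, str]] = {
    "CAST": {
        "keygen": "NNTTN",
        "OFB": "N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTNT",
    },
    "DES": {
        "keygen": "NNNNTNTNTNTNTNTNNNTNTNTNTNTNTNNT",
        "OFB": "N(NNTNTTTTTTTTTTTTT){k,}NNTNTTTTTTTTTTTTNT",
    },
}


def encode_short_tnt(tnt: str) -> bytes:
    """Pack a T/N string into short TNT packets: bit 0 = 0, a stop bit of 1 above
    the payload, B1 (the oldest branch) in the highest payload bit, at most six
    branches per packet. Used here only to build a constructed sample trace."""
    out = bytearray()
    for i in range(0, len(tnt), 6):
        payload = 1  # stop bit
        for c in tnt[i:i + 6]:
            payload = (payload << 1) | (1 if c == "T" else 0)
        out.append(payload << 1)  # bit 0 is always 0 for a short TNT packet
    return bytes(out)


def decode_short_tnt(packets: bytes) -> str:
    """Inverse of encode_short_tnt. 0x00 (PAD) and 0x02 (extended-opcode prefix)
    also have bit 0 clear but are not TNT packets, so they are rejected."""
    bits: List[str] = []
    for b in packets:
        if b & 1 or b in (0x00, 0x02):
            raise ValueError(f"not a short TNT packet: {b:#04x}")
        payload = b >> 1
        nbits = payload.bit_length() - 1  # number of TNT bits below the stop bit
        for pos in range(nbits - 1, -1, -1):  # oldest branch first
            bits.append("T" if (payload >> pos) & 1 else "N")
    return "".join(bits)


def pattern_to_regex(pattern: str, min_blocks: int) -> "re.Pattern[str]":
    """Turn a table pattern into a regex. Assumption: "{k,}" means the bracketed
    group repeats once per processed block, so min_blocks acts as a threshold on
    the number of iterations that must be observed before reporting a hit."""
    return re.compile(pattern.replace("{k,}", "{%d,}" % min_blocks))


def detect(trace: str, min_blocks: int = 1, db=PATTERN_DB) -> List[Tuple[str, str]]:
    """Report (algorithm, mode) pairs whose block routine pattern occurs in the
    trace and whose key generation pattern occurs somewhere before it.
    Assumption: this ordering rule is how the "distinguished with key generation
    pattern" note from the table is applied here."""
    hits = []
    for algo, pats in db.items():
        keygen_rx = pattern_to_regex(pats["keygen"], min_blocks)
        for mode, pat in pats.items():
            if mode == "keygen":
                continue
            for m in pattern_to_regex(pat, min_blocks).finditer(trace):
                if keygen_rx.search(trace, 0, m.start()):
                    hits.append((algo, mode))
                    break
    return hits


def make_trace(algo: str, mode: str, blocks: int) -> str:
    """Constructed ground truth: key generation followed by `blocks` iterations of
    the block routine, expanded from the table pattern (not a captured trace)."""
    pats = PATTERN_DB[algo]
    head, rest = pats[mode].split("(", 1)
    rep, tail = rest.split("){k,}", 1)
    return pats["keygen"] + head + rep * blocks + tail


if __name__ == "__main__":
    packets = encode_short_tnt(make_trace("CAST", "OFB", 3))
    trace = decode_short_tnt(packets)
    print(len(packets), "packets ->", len(trace), "branches")
    print("threshold 3:", detect(trace, min_blocks=3))
    print("threshold 6:", detect(trace, min_blocks=6))
```

Raising `min_blocks` is what turns a short accidental match into a miss: a three-block CAST-OFB trace is reported at a threshold of 3 and not at 6, while the same OFB pattern preceded by the DES key generation pattern is reported as DES, not CAST.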
Cryptographic Algorithm | AES | AES-NI | BF | CAST | DES | DES3 | IDEA | RC2 | RC4 | ARIA | SEED | SM4 | Average
---|---|---|---|---|---|---|---|---|---|---|---|---|---
Key Generation | O | O | O | O | O | O | X | O | O | O | X | O |
Block Crypto Routine | O | O | O | O | O | O | O | O | O | O | O | X |
Average Elapsed Time (s) | 3.249 | 3.163 | 3.177 | 3.176 | 3.172 | 3.177 | 3.184 | 3.207 | 3.183 | 3.202 | 3.179 | 3.177 | 3.187
Cryptographic Algorithm | # of key sizes | # of block cipher modes of operation | # of target executables | # of successes
---|---|---|---|---
AES | 3 | 2 | 6 | 6
AES-NI | 3 | 2 | 6 | 6
BF | 1 | 4 | 4 | 4
CAST | 1 | 4 | 4 | 4
DES | 1 | 4 | 4 | 4
DES3 | 2 | 3 (128 bits), 2 (192 bits) | 5 | 5
RC2 | 3 | 1 (40 bits), 1 (64 bits), 4 (128 bits) | 6 | 6
RC4 | 2 | 1 | 1 | 1
ARIA | 3 | 4 (128 bits), 5 (192 bits), 5 (256 bits) | 14 | 14
Total | | | 50 | 50
Executable | L1 | L2, threshold 1 | L2, threshold 2 | L2, threshold 3 | L2, threshold 4 | L2, threshold 5 | L2, threshold 6
---|---|---|---|---|---|---|---
bc | multiple | CAST | CAST | X | X | X | X
cal | multiple | CAST | CAST | CAST | X | X | X
cat | multiple | CAST | CAST | X | X | X | X
expr | multiple | CAST | CAST | X | X | X | X
feh | multiple | CAST, AES, AES-NI | CAST | CAST | CAST | CAST | X
gcc | multiple | CAST, AES, AES-NI | CAST, AES | CAST | CAST | CAST | X
ls | multiple | CAST | CAST | CAST | X | X | X
touch | multiple | CAST | CAST | X | X | X | X
telnet | multiple | CAST | CAST | X | X | X | X
vim | multiple | CAST | CAST | X | X | X | X
FPR | 100% | 100% | 100% | 40% | 20% | 20% | 0%
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Park, J.; Park, Y. Symmetric-Key Cryptographic Routine Detection in Anti-Reverse Engineered Binaries Using Hardware Tracing. Electronics 2020, 9, 957. https://doi.org/10.3390/electronics9060957