Aligot: cryptographic function identification in obfuscated binary programs

Abstract: Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 in obfuscated programs. In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
Document type:
Conference paper
ACM Conference on Computer and Communications Security, Oct 2012, Raleigh, United States. pp.169-182, 2012

Cited literature [32 references]

https://hal.inria.fr/hal-00762924
Contributor: Jean-Yves Marion
Submitted on: Sunday 9 December 2012 - 12:47:57
Last modified on: Thursday 11 January 2018 - 06:21:25
Long-term archiving on: Monday 11 March 2013 - 12:07:36

File

fp008-calvet.pdf
Publisher files allowed on an open archive

Identifiers

  • HAL Id : hal-00762924, version 1

Citation

Joan Calvet, José Fernandez, Jean-Yves Marion. Aligot: cryptographic function identification in obfuscated binary programs. ACM Conference on Computer and Communications Security, Oct 2012, Raleigh, United States. pp.169-182, 2012. 〈hal-00762924〉

Metrics

Record views

221

File downloads

1176