
Aligot: cryptographic function identification in obfuscated binary programs

Abstract : Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 in obfuscated programs. In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
Document type : Conference papers

Cited literature [32 references]

https://hal.inria.fr/hal-00762924
Contributor : Jean-Yves Marion
Submitted on : Sunday, December 9, 2012 - 12:47:57 PM
Last modification on : Tuesday, May 5, 2020 - 5:02:07 PM
Long-term archiving on : Monday, March 11, 2013 - 12:07:36 PM

File

fp008-calvet.pdf
Publisher files allowed on an open archive

Identifiers

  • HAL Id : hal-00762924, version 1

Citation

Joan Calvet, José Fernandez, Jean-Yves Marion. Aligot: cryptographic function identification in obfuscated binary programs. ACM Conference on Computer and Communications Security, Oct 2012, Raleigh, United States. pp.169-182. ⟨hal-00762924⟩
