Conference papers

Aligot: cryptographic function identification in obfuscated binary programs

Abstract : Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 in obfuscated programs. In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
Cited literature [32 references]

https://hal.inria.fr/hal-00762924
Contributor : Jean-Yves Marion
Submitted on : Sunday, December 9, 2012 - 12:47:57 PM
Last modification on : Tuesday, December 18, 2018 - 4:48:02 PM
Document(s) archived on : Monday, March 11, 2013 - 12:07:36 PM

File

fp008-calvet.pdf
Publisher files allowed on an open archive

Identifiers

  • HAL Id : hal-00762924, version 1

Citation

Joan Calvet, José Fernandez, Jean-Yves Marion. Aligot: cryptographic function identification in obfuscated binary programs. ACM Conference on Computer and Communications Security, Oct 2012, Raleigh, United States. pp.169-182. ⟨hal-00762924⟩

Metrics

Record views

310

Files downloads

2054