Detection of cryptographic algorithms with grap (GreHack 2017 slides)

  1. Detection of cryptographic algorithms with grap
     Léonard Benedetti (benedetti@mlpo.fr), Aurélien Thierry (aurelien.thierry@airbus.com), Julien Francq (julien.francq@airbus.com)
     GreHack 2017, November 17th

  2. Detection of cryptographic algorithms?
     Outline: Introduction, First example: ChaCha20, AES, Discussion, Conclusion
     What is it? Detect, identify and locate a cryptographic operation in a program.
     What is it for? Useful in reverse-engineering:
     ◮ Time saving
     ◮ Identification of interesting areas
     ◮ Malware analysis
     2 / 33

  3. Malware analysis: ransomware
     Ransomware:
     ◮ Modern cryptography: symmetric (file encryption) + asymmetric (key management)
     ◮ Symmetric algorithms:
       ◮ Block ciphers: AES, RC5...
       ◮ Stream ciphers: Salsa20, ChaCha20, RC4...
     ◮ Asymmetric algorithms:
       ◮ Key management: RSA, DH, ECDH (e.g. NIST curves, X25519)...
     Identification of crypto algorithms within binaries:
     ◮ Automatic feature detection: "This program uses AES"
     ◮ Assist a reverser: "This function implements ChaCha20"
     ◮ Extract cryptographic material: encryption keys...

  4. Existing approaches
     Constant detection and byte-level pattern matching (FindCrypt2, Signsrch, IDAScope, IDA FLIRT, YARA):
     ◮ Very quick (AES, SHA1, SHA2...)
     ◮ Easy to define patterns, hard to "get them right"
     ◮ Some algorithms have no large constant tables (RC4, Salsa20, ChaCha20...)
     ◮ Constant / byte modification or very light obfuscation ⇒ no detection
     Function evaluation against known test values (Sybil, Aligot):
     ◮ Very precise
     ◮ Moderately difficult to write tests
     ◮ Slow
     ◮ Algorithm variant ⇒ no detection
     Approach based on disassembled instructions and the control flow graph (CFG)?

  5. A quick example: ChaCha20
     ◮ Stream cipher, designed in 2008 by Daniel J. Bernstein
     ◮ Variant of Salsa20, by the same author
     ◮ Fast with a high level of security

  6. ChaCha20
     ChaCha20 encryption (LibreSSL compiled with gcc -O0)
     ◮ Repetition of ARX crypto: add, xor, rol
     Demo: simple detection with grap
     ◮ grap "add -> * -> xor -> rol" x64_libcrypto.so.37.0.0_O0
     ◮ Easy to prototype patterns
     ◮ The inferred pattern can be inspected (-v option)
     Demo: IDA plugin
     ◮ Select the interesting areas directly in IDA
     ◮ Produce quickly usable patterns
     ◮ Apply transformations to make them generic

  7. ChaCha20: more generic grap pattern

     digraph ARX_crypto_simple {
         add  [cond="opcode is add", repeat=+]
         mov1 [cond="opcode is mov or opcode is lea", repeat=*]
         xor  [cond="opcode is xor", repeat=+]
         mov2 [cond="opcode is mov or opcode is lea", repeat=*]
         rol  [cond="opcode is rol", repeat=+]
         mov3 [cond="opcode is mov or opcode is lea", repeat=*]

         add  -> mov1
         mov1 -> xor
         xor  -> mov2
         mov2 -> rol
         rol  -> mov3
     }

     ◮ Node repetition (repeat=+ : one or more, repeat=* : zero or more)
     ◮ Conditions on opcode
     ◮ Variants: mov or lea

  8. grap overview (architecture figure, not reproduced here)

  9. grap project
     Patterns:
     ◮ grap "add -> * -> xor -> rol" x64_libcrypto.so.37.0.0_O0
     ◮ grap pattern.grapp binary.exe
     ◮ pattern.grapp: a DOT file (The DOT Language: http://www.graphviz.org/content/dot-language)
     ◮ Standalone tool (CLI) with a Capstone-based disassembler (x86 and x86_64 only)
     ◮ IDA plugin: visually create and match patterns from IDA
     ◮ Python bindings

  10. grap: detect graph patterns within binaries
     How to quickly match subgraphs?
     Control flow graphs:
     ◮ Children are ordered, e.g. for call 0x4022e0:
       ◮ Child 1: next instruction (following address)
       ◮ Child 2: target instruction (address 0x4022e0)
     ◮ Nodes have at most 2 children ⇒ quick (polynomial time) algorithm for graph matching (see paper)
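The ordered-children CFG above and the opcode/repeat conditions of the ChaCha20 pattern are enough to build a small matcher. The following Python is an added example written for this page; it is not grap's code, not its matching algorithm (which is in the paper) and not its DOT parser. It builds a CFG from a hand-constructed x86-64 listing (hypothetical addresses, shaped like two ARX quarter-round steps compiled without optimization, not real LibreSSL disassembly), then matches both the quick pattern `add -> * -> xor -> rol` and the generic add/mov*/xor/mov*/rol chain with repeats. Patterns are restricted to linear chains of (condition, repeat) nodes, which is all that pattern needs; the second quarter-round step in the listing has two movs between add and xor, so the quick pattern misses it while the generic one finds it.

```python
"""Added example: a small CFG pattern matcher in the spirit of grap's quick
patterns. It is NOT grap's code or algorithm; patterns are linear chains of
(condition, repeat) nodes, which is all the ARX pattern above needs."""
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnem ops")

# Constructed listing with hypothetical addresses, shaped like two ARX
# quarter-round steps (a += b; d ^= a; d <<<= 16; c += d; b ^= c; b <<<= 12)
# as an unoptimised compiler spills them through the stack, plus a loop.
LISTING = [
    Insn(0x1000, "mov", "eax, [rbp-0x10]"),
    Insn(0x1003, "add", "eax, [rbp-0x14]"),        # a += b
    Insn(0x1006, "mov", "[rbp-0x10], eax"),
    Insn(0x1009, "xor", "[rbp-0x18], eax"),        # d ^= a
    Insn(0x100c, "rol", "dword [rbp-0x18], 16"),   # d <<<= 16
    Insn(0x1010, "mov", "edx, [rbp-0x1c]"),
    Insn(0x1013, "mov", "eax, [rbp-0x18]"),
    Insn(0x1016, "add", "eax, edx"),               # c += d
    Insn(0x1018, "mov", "[rbp-0x1c], eax"),
    Insn(0x101b, "mov", "eax, [rbp-0x1c]"),
    Insn(0x101e, "xor", "[rbp-0x14], eax"),        # b ^= c
    Insn(0x1021, "mov", "eax, [rbp-0x14]"),
    Insn(0x1024, "rol", "eax, 12"),                # b <<<= 12
    Insn(0x1027, "mov", "[rbp-0x14], eax"),
    Insn(0x102a, "sub", "dword [rbp-0x20], 1"),
    Insn(0x102e, "jnz", "0x1000"),
    Insn(0x1030, "ret", ""),
]

def build_cfg(listing):
    """Return (addr -> Insn, addr -> ordered children). As on the slide,
    child 1 is the fall-through instruction and child 2 the branch target."""
    by_addr = {i.addr: i for i in listing}
    children = {}
    for n, ins in enumerate(listing):
        kids = []
        if ins.mnem not in ("jmp", "ret") and n + 1 < len(listing):
            kids.append(listing[n + 1].addr)
        if ins.mnem.startswith("j") or ins.mnem == "call":
            try:
                target = int(ins.ops, 16)
            except ValueError:            # indirect target, e.g. "call rax"
                target = None
            if target in by_addr:
                kids.append(target)
        children[ins.addr] = kids
    return by_addr, children

def parse_quick(pattern):
    """'add -> * -> xor -> rol' -> chain of (opcode set or None for '*', repeat='1')."""
    return [(None if t.strip() == "*" else frozenset({t.strip()}), "1")
            for t in pattern.split("->")]

# The slide's generic pattern as a chain; repeat '+' = one or more, '*' = zero or more.
MOV_OR_LEA = frozenset({"mov", "lea"})
ARX_GENERIC = [(frozenset({"add"}), "+"), (MOV_OR_LEA, "*"),
               (frozenset({"xor"}), "+"), (MOV_OR_LEA, "*"),
               (frozenset({"rol"}), "+"), (MOV_OR_LEA, "*")]

def match_at(by_addr, children, pat, addr, pi=0, path=(), depth=0):
    """Match pattern node pi at addr; return the matched addresses or None.
    Backtracks over the (at most two) ordered children, so a chain may
    follow either the fall-through or the branch edge."""
    if pi == len(pat):
        return list(path)
    if addr is None or depth > 64:        # end of listing, or a runaway loop
        return list(path) if all(r == "*" for _, r in pat[pi:]) else None
    cond, rep = pat[pi]
    if rep == "*":                        # optional node: try skipping it first
        r = match_at(by_addr, children, pat, addr, pi + 1, path, depth)
        if r is not None:
            return r
    if cond is not None and by_addr[addr].mnem not in cond:
        return None
    for kid in children[addr] or [None]:
        r = match_at(by_addr, children, pat, kid, pi + 1, path + (addr,), depth + 1)
        if r is None and rep in ("+", "*"):   # let the repeated node absorb the child
            r = match_at(by_addr, children, pat, kid, pi, path + (addr,), depth + 1)
        if r is not None:
            return r
    return None

def find_matches(listing, pat):
    """Try every instruction as a start node; return the list of matched paths."""
    by_addr, children = build_cfg(listing)
    found = []
    for ins in listing:
        m = match_at(by_addr, children, pat, ins.addr)
        if m:
            found.append(m)
    return found

if __name__ == "__main__":
    for name, pat in (("quick", parse_quick("add -> * -> xor -> rol")),
                      ("generic", ARX_GENERIC)):
        for m in find_matches(LISTING, pat):
            print(name, [hex(a) for a in m])
```

The matcher reports one match for the quick pattern (the first step, at 0x1003) and two for the generic pattern (0x1003 and 0x1016); the `jnz` node has the fall-through 0x1030 as child 1 and the loop head 0x1000 as child 2, which is the ordering the slide describes.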

  11. grap: usage
     https://github.com/AirbusCyber/grap
     Applications:
     ◮ Malware families: detection, classification and feature extraction (REcon BRX 2017)
     ◮ Crypto detection
     Build & install:
     ◮ IDA 6.95 and IDA 7.0 (32 and 64 bits) supported
     ◮ Windows: precompiled release
     ◮ Linux: cmake + make + sudo make install
     ◮ Linux: tested on Ubuntu LTS (16.04) and Debian stable (9.1.0)

  12. Designing cryptographic patterns: example with AES

  13. AES
     ◮ Block cipher (Rijndael) designed by Daemen and Rijmen, selected as the AES in 2000

  14. AES: Key schedule
     ◮ Round keys are derived from the secret key

  15. AES: AddRoundKey
     ◮ The state is combined with the round key using XOR

  16. AES: SubBytes
     ◮ The state is passed through an S-box

  17. AES: ShiftRows
     ◮ Cyclically shifts each row of the state (row r by r bytes)

  18. AES: MixColumns
     ◮ Linear transformation in $GF(2^8)$: each column is read as a polynomial and multiplied by a fixed polynomial modulo $x^4 + 1$:
       $(a_3 x^3 + a_2 x^2 + a_1 x + a_0) \times (3x^3 + x^2 + x + 2) \bmod (x^4 + 1)$

  19. AES
     ◮ Very specific structure
     ◮ Characteristic cyclic shifts in ShiftRows
     ◮ Arithmetic in MixColumns

  20. Design process: example with AES
     1. Choosing a particular implementation
        ◮ LibreSSL
     2. Compilation in various contexts
        ◮ GCC, Clang
        ◮ x86 and x64
        ◮ Several levels of optimization (O0, O1, O2...)

  21. Design process: example with AES
     3. Assembly code study
        ◮ Search for invariants
        ◮ Form of the structure
        ◮ Analysis of semantics
     4. Pattern prototyping
        ◮ Trial-and-error ("die and retry") approach
        ◮ Attempt to generalize

  22. Final AES pattern (first half; drawn as a graph on the slide, nodes listed top to bottom, * = wildcard node)
     *
     ff
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     [condition on the number of rounds]
     *
     [InitialRound]
     *

  23. Final AES pattern (second half)
     *
     shr, mov, xor
     *
     and *, 0xff000000
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     shr, mov, xor
     *
     [end of the basic block]
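The invariants this pattern keys on (four shr / and-0xff / xor table lookups per output word, and a round that ends with an `and ..., 0xff000000`) are what a table-lookup AES round compiles to. The following Python is an added example written for this page, not code from the slides or from grap. It derives the S-box and the T-tables from the $GF(2^8)$ arithmetic on the MixColumns slide, writes the inner and final rounds in the form used by OpenSSL/LibreSSL aes_core.c (reproduced from memory of that source, so treat the exact table naming as an assumption), checks them against the FIPS-197 Appendix B round-1 and round-10 intermediate values, and shows that the table form computes the same thing as a textbook SubBytes/ShiftRows/MixColumns/AddRoundKey round. The final-round masks are consistent with the `and *, 0xff000000` node in the second half of the pattern; the slides do not say so explicitly.

```python
"""Added example: the arithmetic behind the AES pattern. Not code from the
slides or from grap. S-box and T-tables are derived from GF(2^8) arithmetic;
the table-lookup rounds follow the shape of OpenSSL/LibreSSL aes_core.c
(from memory of that source, not from the slides)."""

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11b if a & 0x100 else a

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# c(x) = 3x^3 + x^2 + x + 2 from the MixColumns slide, as coefficients c0..c3.
MIXC = [2, 1, 1, 3]

def mix_column(col):
    """(a3 x^3 + a2 x^2 + a1 x + a0) * c(x) mod (x^4 + 1):
    b_i = XOR over k of c_{(i-k) mod 4} * a_k, since x^4 = 1."""
    out = []
    for i in range(4):
        b = 0
        for k in range(4):
            b ^= gf_mul(MIXC[(i - k) % 4], col[k])
        out.append(b)
    return out

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8)* (0 maps to 0), by square-and-multiply."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r if a else 0

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff

def sbox_entry(x):          # inverse followed by the FIPS-197 affine map
    b = gf_inv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]

def rotr32(w, n):
    return ((w >> n) | (w << (32 - n))) & 0xffffffff

# Te0[x] = S[x].{02,01,01,03} as a big-endian word; Te1..Te3 are byte rotations.
TE0 = [(gf_mul(2, s) << 24) | (s << 16) | (s << 8) | gf_mul(3, s) for s in SBOX]
TE = [TE0] + [[rotr32(w, 8 * i) for w in TE0] for i in (1, 2, 3)]

def ttable_round(s, rk):
    """One inner round on four big-endian column words: per output word, four
    lookups indexed by shr / and-0xff of the inputs, combined with xor."""
    return [TE[0][s[c] >> 24]
            ^ TE[1][(s[(c + 1) % 4] >> 16) & 0xff]
            ^ TE[2][(s[(c + 2) % 4] >> 8) & 0xff]
            ^ TE[3][s[(c + 3) % 4] & 0xff]
            ^ rk[c] for c in range(4)]

def final_round(s, rk):
    """No MixColumns in the last round: reuse the Te tables but mask out the
    byte holding plain S[x]; this is where an 'and ..., 0xff000000' comes from."""
    return [(TE[2][s[c] >> 24] & 0xff000000)
            ^ (TE[3][(s[(c + 1) % 4] >> 16) & 0xff] & 0x00ff0000)
            ^ (TE[0][(s[(c + 2) % 4] >> 8) & 0xff] & 0x0000ff00)
            ^ (TE[1][s[(c + 3) % 4] & 0xff] & 0x000000ff)
            ^ rk[c] for c in range(4)]

def reference_round(s, rk):
    """Textbook SubBytes -> ShiftRows -> MixColumns -> AddRoundKey on the same
    column words, to show the table form is the same computation."""
    cols = [[(w >> (24 - 8 * r)) & 0xff for r in range(4)] for w in s]
    sub = [[SBOX[b] for b in col] for col in cols]
    shifted = [[sub[(c + r) % 4][r] for r in range(4)] for c in range(4)]
    return [int.from_bytes(bytes(mix_column(col)), "big") ^ rk[c]
            for c, col in enumerate(shifted)]

# FIPS-197 Appendix B: state entering round 1 and round key 1.
R1_IN, R1_KEY = [0x193de3be, 0xa0f4e22b, 0x9ac68d2a, 0xe9f84808], [0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605]

if __name__ == "__main__":
    print([hex(w) for w in ttable_round(R1_IN, R1_KEY)])
    print(ttable_round(R1_IN, R1_KEY) == reference_round(R1_IN, R1_KEY))
```

Run stand-alone it prints the round-1 output from FIPS-197 (a49c7ff2 689f352b 6b5bea43 026a5049) and `True` for the equivalence; the four `>> 24`, `>> 16 & 0xff`, `>> 8 & 0xff`, `& 0xff` operand extractions per word are the shr/and/xor sequence the pattern above matches after compilation.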

  24. Results on AES
     ◮ Effective pattern on several reference implementations
     ◮ Detection of variants (independent of the constants)
     ◮ Strongly based on the structure of the algorithm
     ◮ AES-NI detection
     Demo

  25. Difficulties and limitations with cryptographic patterns
     ◮ Designing effective and generic patterns is not always possible
       ◮ Patterns rely on the semantics and the topology of the CFGs; if neither is generic, the patterns won't be
       ◮ Examples: RC4, SHA-1, SHA-2
     ◮ Cryptographic code is protean
       ◮ Use of specialized instructions: dedicated opcodes (AES-NI) or vectorization (SSE, AVX, ...)
       ◮ Ciphers can be integrated directly into other routines (mode of operation, protocols)
       ◮ The cipher may be absent from the binary and left to the OS (e.g. CryptoAPI)
     ◮ Design and prototyping may take time

  26. Discussion


  28. Performance
     Detect AES and ARX patterns on libsodium and LibreSSL: grap -q patterns/crypto/*
     libsodium.so.18.2.0.grapcfg - AES_NI (106), ARX_crypto (3)
     x64_libcrypto.so.41.1.0_clang_O3.grapcfg - ARX_crypto (64), LibreSSL_AES_compact (1)
     x64_libcrypto.so.37.0.0_O3.grapcfg - ARX_crypto (12), LibreSSL_AES_common (1)
     x64_libcrypto.so.37.0.0_O0.grapcfg - ARX_crypto (58), LibreSSL_AES_common (2)
     x86_libcrypto.so.37.0.0_O0.grapcfg - ARX_crypto (58), LibreSSL_AES_common (2)
