detection of cryptographic algorithms with grap
play

Detection of cryptographic algorithms with grap L eonard Benedetti - PowerPoint PPT Presentation

Oct 02, 2023 •275 likes •636 views

Detection of cryptographic algorithms with grap L eonard Benedetti benedetti@mlpo.fr Aur elien Thierry aurelien.thierry@airbus.com Julien Francq julien.francq@airbus.com GreHack 2017, November 17 th Introduction First example: ChaCha20

  1. Detection of cryptographic algorithms with grap L´ eonard Benedetti benedetti@mlpo.fr Aur´ elien Thierry aurelien.thierry@airbus.com Julien Francq julien.francq@airbus.com GreHack 2017, November 17 th

  2. Introduction First example: ChaCha20 AES Discussion Conclusion grap Detection of cryptographic algorithms? What is it? Detect, identify and locate a cryptographic operation in a program. What is it for? Useful in reverse-engineering ◮ Time saving ◮ Identification of interesting areas ◮ Malware analysis 2 / 33

  3. Introduction First example: ChaCha20 AES Discussion Conclusion grap Malware analysis: ransomware Ransomware: ◮ Modern cryptography: symmetric (file encryption) + asymmetric (key management) ◮ Symmetric algorithms: ◮ Block ciphers: AES, RC5. . . ◮ Stream ciphers: Salsa20, ChaCha20, RC4. . . ◮ Asymmetric algorithms: ◮ Key management: RSA, DH, ECDH ( e.g. NIST curves, X25519). . . Identification of crypto algorithms within binaries: ◮ Automatic feature detection: “This program uses AES” ◮ Assist a reverser: “This function implements ChaCha20” ◮ Extract cryptographic material: encryption keys. . . 3 / 33

  4. Introduction First example: ChaCha20 AES Discussion Conclusion grap Existing approaches Constant detection and byte-level pattern matching (FindCrypt2, Signsrch, IDAScope, IDA FLIRT, YARA) ◮ Very quick (AES, SHA1, SHA2. . . ) ◮ Easy to define patterns, hard to “get them right” ◮ Some algorithms don’t have constants (RC4, Salsa20, ChaCha20. . . ) ◮ Constant / byte modification or very light obfuscation ✙ no detection Function evaluation against known test values (Sybil, Aligot) ◮ Very precise ◮ Moderately difficult to write tests ◮ Slow ◮ Algorithm variant ✙ no detection Approach based on disassembled instructions and control flow graph (CFG)? 4 / 33

  5. Introduction First example: ChaCha20 AES Discussion Conclusion grap A quick example ChaCha20 ◮ Stream cipher, designed in 2008 by Daniel J. Bernstein ◮ Variant of Salsa20, by the same author ◮ Fast with a high level of security 5 / 33

  6. Introduction First example: ChaCha20 AES Discussion Conclusion grap ChaCha20 ChaCha20 encryption (LibreSSL compiled with gcc -O0) ◮ Repetition of ARX crypto: add , xor , rol Demo : simple detection with grap ◮ grap ” add - > * - > xor - > rol ” x64 libcrypto.so.37.0.0 O0 ◮ Easy to prototype patterns ◮ The inferred pattern can be inspected ( -v option) Demo : IDA plugin ◮ Select the interesting areas directly in IDA ◮ Produce quickly usable patterns ◮ Apply transformations to make them generic 6 / 33

  7. Introduction First example: ChaCha20 AES Discussion Conclusion grap ChaCha20: more generic grap pattern digraph ARX crypto simple { add [ cond =”opcode is add”, repeat =+] mov1 [ cond =”opcode is mov or opcode is lea”, repeat = ✯ ] xor [ cond =”opcode is xor” repeat =+] mov2 [ cond =”opcode is mov or opcode is lea”, repeat = ✯ ] rol [ cond =”opcode is rol” repeat =+] mov3 [ cond =”opcode is mov or opcode is lea”, repeat = ✯ ] add − > mov1 mov1 − > xor xor − > mov2 mov2 − > rol ◮ Node repetition rol − > mov3 ◮ Conditions on opcode } ◮ Variants: mov or lea 7 / 33

  8. Introduction First example: ChaCha20 AES Discussion Conclusion grap grap overview 8 / 33

  9. Introduction First example: ChaCha20 AES Discussion Conclusion grap grap project Patterns: ◮ grap ” add- > *- > xor- > rol ” x64 libcrypto.so.37.0.0 O0 ◮ grap pattern.grapp binary.exe ◮ pattern.grapp: DOT 1 file ◮ Standalone tool (CLI) with a Capstone-based disassembler (x86 and x86 64 only) ◮ IDA plugin: visually create and match patterns from IDA ◮ python bindings 1 The DOT Language: http://www.graphviz.org/content/dot-language 9 / 33

  10. Introduction First example: ChaCha20 AES Discussion Conclusion grap grap : detect graph patterns within binaries How to quickly match subgraphs? Control flow graphs: ◮ Children are ordered: call 0x4022e0 ◮ Child 1: next instruction (following address) ◮ Child 2: target instruction (address: 0x4022e0 ) ◮ Nodes have at most 2 children ✙ Quick (polynomial time) algorithm for graph matching (see paper) 10 / 33

  11. Introduction First example: ChaCha20 AES Discussion Conclusion grap grap : usage https://github.com/AirbusCyber/grap Applications: ◮ Malware families: detection, classification and feature extraction (REcon BRX 2017) ◮ Crypto detection Build & install: ◮ IDA 6.95 and IDA 7.0 (32 and 64 bits) supported ◮ Windows: Precompiled release ◮ Linux: cmake + make + sudo make install ◮ Linux: tested on Ubuntu LTS (16.04) and Debian stable (9.1.0) 11 / 33

  12. Introduction First example: ChaCha20 AES Discussion Conclusion grap Designing cryptographic patterns Example with AES 12 / 33

  13. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES ◮ Block cipher, designed in 2000 by Daemen and Rijmen 13 / 33

  14. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES Key schedule ◮ Round keys are derived from the secret key 14 / 33

  15. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES AddRoundKey ◮ The state is combined with the round key using XOR 15 / 33

  16. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES SubBytes ◮ The state is passed through a S-Box 16 / 33

  17. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES ShiftRows ◮ Cyclically shifts each row of the state 17 / 33

  18. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES MixColumns ◮ Linear transformation in GF ( 2 8 ) � × a 3 x 3 + a 2 x 2 + a 1 x + a 0 3 x 3 + x 2 + x + 2 mod x 4 + 1 � � � 18 / 33

  19. Introduction First example: ChaCha20 AES Discussion Conclusion grap AES ◮ Very specific structure ◮ Characteristic cyclically shifts in ShiftRows ◮ Arithmetic in MixColumns 19 / 33

  20. Introduction First example: ChaCha20 AES Discussion Conclusion grap Design process: example with AES 1. Choosing an implementation in particular ◮ LibreSSL 2. Compilation in various contexts ◮ GCC, Clang ◮ x86 and x64 ◮ Several levels of optimizations ( O0 , O1 , O2 . . . ) 20 / 33

  21. Introduction First example: ChaCha20 AES Discussion Conclusion grap Design process: example with AES 3. Assembly code study ◮ Search for invariants ◮ Form of the structure ◮ Analysis of semantics 4. Pattern prototyping ◮ Die and retry approach ◮ Attempt to generalize 21 / 33

  22. Introduction First example: ChaCha20 AES Discussion Conclusion grap Final AES pattern * ff * shr, mov, xor * shr, mov, xor * shr, mov, xor * shr, mov, xor * [condition on the number of rounds] * [InitialRound] * 22 / 33

  23. Introduction First example: ChaCha20 AES Discussion Conclusion grap Final AES pattern * shr, mov, xor * and *, 0x ff 000000 * shr, mov, xor * shr, mov, xor * shr, mov, xor * shr, mov, xor * [end of the basic block] 23 / 33

  24. Introduction First example: ChaCha20 AES Discussion Conclusion grap Results on AES ◮ Effective pattern on several reference implementations ◮ Detection of variants (independent of the constants) ◮ Strongly based on the structure of the algorithm ◮ AES-NI detection Demo 24 / 33

  25. Introduction First example: ChaCha20 AES Discussion Conclusion grap Difficulties and limitations with cryptographic patterns ◮ Designing effective and generic patterns is not always possible ◮ Rely on semantics and topology of the CFGs, if neither is generic, the patterns won’t be ◮ Examples: RC4, SHA-1, SHA-2 ◮ Cryptographic code is protean ◮ Use specialized instructions: specialized opcodes (AES-NI) or vectorization (SSE, AVX, . . . ) ◮ Ciphers can be integrated directly into other routines (mode of operation, protocols) ◮ May be absent and left to the OS ( e.g. CryptoAPI) ◮ Design and prototyping may take time 25 / 33

  26. Introduction First example: ChaCha20 AES Discussion Conclusion grap Discussion 26 / 33

  27. Introduction First example: ChaCha20 AES Discussion Conclusion grap Performance Detect AES and ARX patterns on libsodium and LibreSSL: grap -q patterns/crypto/ * 27 / 33

  28. Introduction First example: ChaCha20 AES Discussion Conclusion grap Performance Detect AES and ARX patterns on libsodium and LibreSSL: grap -q patterns/crypto/ * libsodium.so.18.2.0.grapcfg - AES NI (106), ARX crypto (3) x64 libcrypto.so.41.1.0 clang O3.grapcfg - ARX crypto (64), LibreSSL AES compact (1) x64 libcrypto.so.37.0.0 O3.grapcfg - ARX crypto (12), LibreSSL AES common (1) x64 libcrypto.so.37.0.0 O0.grapcfg - ARX crypto (58), LibreSSL AES common (2) x86 libcrypto.so.37.0.0 O0.grapcfg - ARX crypto (58), LibreSSL AES common (2) 27 / 33

Recommend

Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and

Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and

Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and Julien Francq a a Airbus CyberSecurity MetaPole, 1 bd Jean Moulin, CS 40001, 78996 lancourt Cedex, France benedetti@mlpo.fr

250 views • 14 slides
outline development of cryptographic algorithms for a real life application introduction

outline development of cryptographic algorithms for a real life application introduction

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems Henri Gilbert Orange Labs {firstname.lastname@orange-ftgroup.com} research & development outline development of cryptographic algorithms for a real life

486 views • 12 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

CPSC 599.86 / 601.86 Sonny Chan - University of Calgary Collision Detection I Motivation F d X S, X Collision Force detection response F d F r Control algorithms Haptic rendering Problem Definition We seek efficient algorithms to

822 views • 42 slides
Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto

Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto

Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto is harder than it seems at frst. Simo Sorce Sr. Principal Sw. Engineer RHEL Crypto Team 2019-01-26 Everyone tells you that you shouldnt

348 views • 30 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC & SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo Focardi 1 August 23, 2017 1 Universit Ca Foscari Venezia (IT) / Cryptosense (FR) 30th IEEE Computer Security Foundations Symposium (CSF2017) Santa

1.1k views • 46 slides
Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve Encrypt-then MAC: encrypt message, then compute MAC of Privacy: use encryption ciphertext. Integrity: use MAC MAC-then-encrypt: First compute MAC, and then

203 views • 3 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published encryption functions E, D; {M} K is the ciphertext (another sequence of bits) Symmetric (secret key) cryptography E(K, M) = {M} K D(K, E(K, M)) = M

571 views • 30 slides
Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
application Powered by Gian Luca Farina Perseu | www.21-style.com Mu s eoTo rin o | Grap h DB

application Powered by Gian Luca Farina Perseu | www.21-style.com Mu s eoTo rin o | Grap h DB

Mu s eoTo rin o | Grap h DB | L in ked Op en Data | Web 3 . 0 A real case of NOSQL-GraphDB, Linked Data and Semantic Web application Powered by Gian Luca Farina Perseu | www.21-style.com Mu s eoTo rin o | Grap h DB | L in ked Op en

998 views • 51 slides
Proposed Standard of GRAP on Living and Non-living Resources Background DP 10 Accounting for

Proposed Standard of GRAP on Living and Non-living Resources Background DP 10 Accounting for

Proposed Standard of GRAP on Living and Non-living Resources Background DP 10 Accounting for Living and Non-Living Resources issued August 2014 Comment due January 2015 Considered comment agreed to develop a Standard of GRAP

560 views • 35 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

452 views • 14 slides
Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption Algorithms Symmetric Algorithms: DES and AES Asymmetric Algorithm: RSA Pretty Good Privacy (PGP) Chapter 5 Symmetric vs. Asymmetric

363 views • 8 slides
So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want both privacy and integrity Achieve this by combining encryption and MAC in appropriate way Eike Ritter Cryptography 2014/15 39 Several

1.18k views • 12 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms

Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms

Embedded Security Group Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms and Devices 1. June 2011 Amir Moradi Embedded Security Group Agenda Power Consumption Characteristics of CMOS Circuits

387 views • 24 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction

Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction

Voice Activity Detection Introduction Voice Activity Detection Voice Activity Detection Speaker Recognition Feature Extraction Algorithms Victor Lenoir Threshold VAD Gaussian Mixture Model VAD LRDE Experiments Laboratoire de Recherche

367 views • 35 slides
Overview Yandex Services Car Detection Yandex.Taxi 3D Car Detection Yandex

Overview Yandex Services Car Detection Yandex.Taxi 3D Car Detection Yandex

Overview Yandex Services Car Detection Yandex.Taxi 3D Car Detection Yandex Technologies Windup SDC Yandex Taxi Upcoming Plans Algorithms Design Evolvement since1989 search engine technology 1997 yandex.ru

575 views • 23 slides

More recommend