27C3 - Automatic Identification of Cryptographic Primitives in Software

27th Chaos Communication Congress
Automatic Identification of Cryptographic Primitives in Software

In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods.

Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.

With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.

Speaker: Felix Gröbert
source code: http://code.google.com/p/kerckhoffs
twitter: http://twitter.com/fel1x

Category:

Science & Technology

Tags:

• 27C3
• Felix Gröbert
• Cryptographic
• CCC
• algorithms
• gpcode
• RSA
• XOR
• AES
• encrypted
• ransomware
• malware

License:

Standard YouTube License