27C3 - Version 1.6.3
27th Chaos Communication Congress
We come in peace
| Speakers | |
|---|---|
|
Felix Gröbert |
| Schedule | |
|---|---|
| Day | Day 1 - 2010-12-27 |
| Room | Saal 3 |
| Start time | 16:00 |
| Duration | 01:00 |
| Info | |
| ID | 4160 |
| Event type | Lecture |
| Track | Hacking |
| Language used for presentation | English |
| Feedback | |
|---|---|
|
Did you attend this event? Give Feedback |
Automatic Identification of Cryptographic Primitives in Software
In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods.
Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.
With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.