Where's Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code

The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manual inspection, even when aided by heuristics, time consuming. In this paper, we present a novel approach to automate the identification and classification of (proprietary) cryptographic primitives within binary code. Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited to known primitives only, and relies on heuristics for selecting code fragments for analysis. By combining the said approach with symbolic execution, we overcome all limitations of their work, and are able to extend the analysis into the domain of unknown, proprietary cryptographic primitives. To demonstrate that our proposal is practical, we develop various signatures, each targeted at a distinct class of cryptographic primitives, and present experimental evaluations for each of them on a set of binaries, both publicly available (and thus providing reproducible results), and proprietary ones. Lastly, we provide a free and open-source implementation of our approach, called Where's Crypto?, in the form of a plug-in for the popular IDA disassembler.

[1] Erik Tews, et al. Security analysis of a widely deployed locking system, 2013, CCS.

[2] S. Tavares, et al. Linear cryptanalysis of substitution-permutation networks, 2004.

[3] Lei Hu, et al. Cube Cryptanalysis of Hitag2 Stream Cipher, 2011, CANS.

[4] Roel Verdult, et al. Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards, 2015, CCS.

[5] Jiang Ming, et al. Cryptographic Function Detection in Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping, 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[6] Roberto Maria Avanzi, et al. A Salad of Block Ciphers, 2016, IACR Cryptol. ePrint Arch.

[7] Elmar Gerhards-Padilla, et al. CIS: The Crypto Intelligence System for automatic detection and localization of cryptographic functions in current malware, 2012, 2012 7th International Conference on Malicious and Unwanted Software.

[8] Flavio D. Garcia, et al. Gone in 360 Seconds: Hijacking with Hitag2, 2012, USENIX Security Symposium.

[9] Flavio D. Garcia, et al. Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer, 2013, USENIX Security Symposium.

[10] Julian R. Ullmann, et al. An Algorithm for Subgraph Isomorphism, 1976, J. ACM.

[11] Jorge Nakahara, et al. Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2), 2009, FSE.

[12] Matteo Favaro, et al. SATURN - Software Deobfuscation Framework Based On LLVM, 2019, SPRO@CCS.

[13] David Evans, et al. Reverse-Engineering a Cryptographic RFID Tag, 2008, USENIX Security Symposium.

[14] Peter Schwabe. Press to unlock: Analysis, reverse-engineering and implementation of HITAG 2-based Remote Keyless Entry systems, 2018.

[15] Mike Bond, et al. Cryptographic Processors-A Survey, 2006, Proceedings of the IEEE.

[16] Robin David. Formal Approaches for Automatic Deobfuscation and Reverse-engineering of Protected Codes. (Approches formelles de désobfuscation automatique et de rétro-ingénierie de codes protégés), 2017.

[17] Dawn Xiaodong Song, et al. Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering, 2009, CCS.

[18] Eli Biham, et al. A Related-Key Rectangle Attack on the Full KASUMI, 2005, ASIACRYPT.

[19] Bart Jacobs, et al. Dismantling MIFARE Classic, 2008, ESORICS.

[20] Thanh Ha Le, et al. Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis, 2019, SPRO@CCS.

[21] Axel Legay, et al. Effectiveness of synthesis in concolic deobfuscation, 2017, Comput. Secur.

[22] Eli Biham, et al. Cryptanalysis of the A5/1 GSM Stream Cipher, 2000, INDOCRYPT.

[23] Pierre-Alain Fouque, et al. Automated Identification of Cryptographic Primitives in Binary Code with Data Flow Graph Isomorphism, 2015, AsiaCCS.

[24] Flavio D. Garcia, et al. Wirelessly Pickpocketing a Mifare Classic Card, 2009, 2009 30th IEEE Symposium on Security and Privacy.

[25] Alfred Menezes, et al. Handbook of Applied Cryptography, 2018.

[26] Christof Paar, et al. Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards, 2012, 2012 IEEE Symposium on Security and Privacy.

[27] Martin Novotný, et al. Breaking Hitag2 with Reconfigurable Hardware, 2011, 2011 14th Euromicro Conference on Digital System Design.

[28] Jean-Jacques Quisquater, et al. Practical Algebraic Attacks on the Hitag2 Stream Cipher, 2009, ISC.

[29] Alex Biryukov, et al. Real Time Cryptanalysis of A5/1 on a PC, 2000, FSE.

[30] Eli Biham, et al. Related-Key Boomerang and Rectangle Attacks, 2005, EUROCRYPT.

[31] Babak Yadegari, et al. Automatic Deobfuscation and Reverse Engineering of Obfuscated Code, 2016.

[32] Jean-Yves Marion, et al. Aligot: cryptographic function identification in obfuscated binary programs, 2012, CCS.

[33] Christof Paar, et al. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme, 2008, CRYPTO.

[34] Peter C. Gutmann. Cryptographic Security Architecture: Design and Verification, 2003.

[35] Gregory V. Bard, et al. Algebraic and Slide Attacks on KeeLoq, 2008, FSE.

[36] Nicolas Courtois, et al. The Dark Side of Security by Obscurity - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime, 2009, SECRYPT.

[37] Yu Fu, et al. VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification, 2018, CCS.

[38] Alexander Maximov, et al. An Improved Correlation Attack on A5/1, 2004, Selected Areas in Cryptography.

[39] Erik Tews, et al. Cryptanalysis of the DECT Standard Cipher, 2010, FSE.

[40] Mate Soos, et al. Enhanced Gaussian Elimination in DPLL-based SAT Solvers, 2010, POS@SAT.

[41] Moritz Contag, et al. Syntia: Synthesizing the Semantics of Obfuscated Code, 2017, USENIX Security Symposium.

[42] Roel Verdult, et al. The (in)security of proprietary cryptography, 2015.

[43] James Newsome, et al. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, 2005, NDSS.

[44] Xavier J. A. Bellekens, et al. Deep Learning Based Cryptographic Primitive Classification, 2017, ArXiv.

[45] Jonathan Salwan, et al. Symbolic Deobfuscation: From Virtualized Code Back to the Original, 2018, DIMVA.

[46] Charalampos Manifavas, et al. A survey of lightweight stream ciphers for embedded systems, 2016, Secur. Commun. Networks.

[47] Flavio D. Garcia, et al. A Practical Attack on the MIFARE Classic, 2008, CARDIS.

[48] Andrey Bogdanov. Cryptanalysis of the KeeLoq block cipher, 2007, IACR Cryptol. ePrint Arch.

[49] Bart Preneel, et al. Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars, 2019, IACR Trans. Cryptogr. Hardw. Embed. Syst.

[50] Thanh Ha Le, et al. DoSE: Deobfuscation based on Semantic Equivalence, 2018, SSPREW@ACSAC.

[51] Matthew Green, et al. Security Analysis of a Cryptographically-Enabled RFID Device, 2005, USENIX Security Symposium.

[52] Adi Shamir, et al. A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony, 2010, Journal of Cryptology.

[53] Eli Biham, et al. How to Steal Cars - A Practical Attack on KeeLoq R, 2007.

[54] Christof Paar, et al. An experimental security analysis of two satphone standards, 2013, TSEC.

[55] Christof Paar, et al. Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System, 2013, CRYPTO.

[56] Carsten Willems, et al. Automated Identification of Cryptographic Primitives in Binary Programs, 2011, RAID.