27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Felix Gröbert
Day Day 1 - 2010-12-27
Room Saal 3
Start time 16:00
Duration 01:00
ID 4160
Event type Lecture
Track Hacking
Language used for presentation English

Automatic Identification of Cryptographic Primitives in Software

In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods.

Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.

With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.