CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware

Full description

Bibliographic Details
Main Authors: Hassanin, MA; Martinovic, I
Format: Journal article
Language: English
Published: Oxford University Press, 2024
Description: In 2021, the largest US pipeline system for refined oil products suffered a 6-day shutdown due to a ransomware attack [1]. In 2023, the sensitive systems of the US Marshals Service were attacked by ransomware [2]. One of the most effective ways to fight ransomware is to extract the secret keys. The challenge of detecting and identifying cryptographic primitives has been around for over a decade. Many tools have been proposed, but the vast majority of them use templates or signatures, and their support for different operating systems and processor architectures is rather limited; neither have there been enough tools capable of extracting the secret keys. In this paper, we present CipherTrace, a generic and automated system to detect and identify the class of cipher algorithms in binary programs, and additionally, locate and extract the secret keys and cryptographic states accessed by the cipher. We focus on product ciphers, and evaluate CipherTrace using four standard cipher algorithms, four different hashing algorithms, and five of the most recent and popular ransomware specimens. Our results show that CipherTrace is capable of fully dissecting fixed S-box block ciphers (e.g. AES and Serpent) and can extract the secret keys and other cryptographic artefacts, regardless of the operating system, implementation, or input or key size, and without using signatures or templates. We show a significant improvement in performance and functionality compared to the closely related works. CipherTrace helps in fighting ransomware, and aids analysts in their malware analysis and reverse engineering efforts.
Record ID: oxford-uuid:1ed736a2-4fc2-4a16-ad6d-5e7f36aca758
Institution: University of Oxford
Resource type: http://purl.org/coar/resource_type/c_dcae04bc (journal article)
Record source: Jisc Publications Router
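The abstract's central claim is that a fixed-S-box block cipher betrays itself through its table accesses and that the key can be pulled from the cryptographic state the cipher touches, without signatures. The Python below is an added illustration written for this page; it is not CipherTrace's code and not the paper's method (the abstract gives no algorithmic detail). It scans a constructed memory snapshot for 256-byte windows that are permutations of 0..255 (a structural property of any 8-bit S-box, so no signature is needed), keeps only the tables that a constructed memory-read trace indexes with scattered, data-dependent reads, and then recovers the AES round-0 key from the first sixteen SubBytes lookups given a known plaintext. The memory image, the trace, the offsets TABLE_OFF and DECOY_OFF, and the FIPS-197 Appendix B key and plaintext are all constructed inputs; the key-recovery step assumes a byte-wise SubBytes implementation.

```python
"""Added illustration, not the paper's code: signature-free detection of an
8-bit fixed S-box from a memory snapshot plus a memory-read trace, then AES
round-0 key recovery from the first SubBytes lookups. Everything here
(memory image, trace, key, plaintext) is constructed inline to run offline."""
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse by exhaustive search (fine for 256 elements)."""
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1) if a else 0


def make_aes_sbox():
    """Build the AES S-box from its definition (field inverse, then the
    affine map) instead of pasting a 256-byte constant."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        y = inv
        for s in (1, 2, 3, 4):
            y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox


# Constructed target. Key and plaintext are the FIPS-197 Appendix B vector.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
TABLE_OFF = 0x0ABC   # assumed offset; deliberately unaligned
DECOY_OFF = 0x2100   # assumed offset of an identity table read as a buffer


def build_memory(size=0x3000, seed=7):
    """Memory snapshot: random filler, the S-box, and a decoy identity table."""
    rnd = random.Random(seed)
    mem = bytearray(rnd.randrange(256) for _ in range(size))
    for off, table in ((TABLE_OFF, make_aes_sbox()), (DECOY_OFF, range(256))):
        mem[off:off + 256] = bytes(table)
        # Guard bytes: repeat the table's edge entries just outside it, so a
        # window shifted by even one byte holds a duplicate and only the true
        # offset passes the bijection test (keeps the demo deterministic).
        mem[off - 1] = mem[off]
        mem[off + 256] = mem[off + 255]
    return mem


def traced_first_round(mem, key, pt):
    """Stand-in for an instrumented run: records every memory read as
    (address, value). Sweeps the decoy buffer, then performs AddRoundKey +
    SubBytes of AES round 1 through the table at TABLE_OFF."""
    trace = [(DECOY_OFF + i, mem[DECOY_OFF + i]) for i in range(256)]
    for i in range(16):
        addr = TABLE_OFF + (pt[i] ^ key[i])
        trace.append((addr, mem[addr]))
    return trace


def find_bijective_tables(mem):
    """Offsets of every 256-byte window that is a permutation of 0..255:
    the structural property of an 8-bit S-box, needing no signature."""
    return [off for off in range(len(mem) - 255)
            if len(set(mem[off:off + 256])) == 256]


def sbox_candidates(mem, trace, min_reads=8):
    """Keep the bijective tables the trace indexes with scattered,
    data-dependent reads whose values match the snapshot; a sequential
    sweep is a buffer copy, not an S-box lookup."""
    found = []
    for off in find_bijective_tables(mem):
        idxs = [a - off for a, v in trace
                if off <= a < off + 256 and mem[a] == v]
        if len(idxs) < min_reads:
            continue
        sequential = sum(1 for a, b in zip(idxs, idxs[1:]) if b == a + 1)
        if sequential <= len(idxs) // 2:
            found.append(off)
    return found


def recover_round0_key(trace, table_off, pt):
    """Round 1 of AES substitutes pt[i] XOR K0[i], so with a known plaintext
    the first 16 S-box indices give K0. Assumes a byte-wise SubBytes
    implementation; T-table code needs a different mapping."""
    idxs = [a - table_off for a, _ in trace
            if table_off <= a < table_off + 256][:16]
    return bytes(i ^ p for i, p in zip(idxs, pt))


def demo():
    mem = build_memory()
    trace = traced_first_round(mem, KEY, PLAINTEXT)
    tables = sbox_candidates(mem, trace)
    return tables, [recover_round0_key(trace, t, PLAINTEXT) for t in tables]


if __name__ == "__main__":
    for off, k in zip(*demo()):
        print(f"S-box at 0x{off:04x}, round-0 key {k.hex()}")
```

The bijection check is what makes this independent of operating system, alignment and implementation language, which is why the decoy identity table is flagged by it and has to be rejected by the trace-based access-pattern test. A real specimen is noisier: T-table AES does 32-bit lookups rather than byte lookups, the key schedule may touch the S-box before the first round, and the plaintext may not be known, so this toy makes none of the implementation-independence claims the abstract makes for CipherTrace.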