CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware
Main Authors: | Hassanin, MA; Martinovic, I |
---|---|
Format: | Journal article |
Language: | English |
Published: | Oxford University Press, 2024 |
author | Hassanin, MA; Martinovic, I |
---|---|
collection | OXFORD |
description | In 2021, the largest US pipeline system for refined oil products suffered a 6-day shutdown due to a ransomware attack [1]. In 2023, the sensitive systems of the US Marshals Service were attacked by ransomware [2]. One of the most effective ways to fight ransomware is to extract the secret keys. The challenge of detecting and identifying cryptographic primitives has been around for over a decade. Many tools have been proposed, but the vast majority of them rely on templates or signatures, their support for different operating systems and processor architectures is limited, and few of them can extract the secret keys. In this paper, we present CipherTrace, a generic and automated system to detect and identify the class of cipher algorithm used in a binary program and, additionally, to locate and extract the secret keys and cryptographic states accessed by the cipher. We focus on product ciphers, and evaluate CipherTrace on four standard cipher algorithms, four hashing algorithms, and five of the most recent and prevalent ransomware specimens. Our results show that CipherTrace can fully dissect fixed S-box block ciphers (e.g. AES and Serpent) and extract the secret keys and other cryptographic artefacts regardless of the operating system, implementation, input size or key size, and without using signatures or templates. We show a significant improvement in performance and functionality compared to the closely related works. CipherTrace helps in fighting ransomware, and aids analysts in their malware analysis and reverse engineering efforts. |
format | Journal article |
id | oxford-uuid:1ed736a2-4fc2-4a16-ad6d-5e7f36aca758 |
institution | University of Oxford |
language | English |
publishDate | 2024 |
publisher | Oxford University Press |
title | CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware |
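The abstract claims that fixed S-box block ciphers can be dissected, and their round keys extracted, from execution traces without consulting any signature or template. The Python below is an added illustration of one way such a signature-free analysis can work; it is not CipherTrace's code and does not reproduce the paper's method. It constructs a toy target (the first AES round, AddRoundKey followed by SubBytes, run over deterministic sample blocks) that logs every byte read as an (address, value) pair, then analyses that trace knowing nothing about AES: a dense cluster of byte reads inside a 256-byte span is taken as a table candidate, each lookup is explained as base + (a XOR b) using the two reads that precede it, and the operands that never change across blocks are reported as the round key while the varying ones are reported as the cipher state. The memory layout (0x1000/0x2000/0x3000), the two-read lookahead window and the cluster thresholds are assumptions of this example.

```python
"""Added example (not CipherTrace's code): signature-free detection of a fixed-S-box
table and round-key recovery from a constructed memory-read trace."""
import random
from collections import Counter, defaultdict

# Assumed memory layout of the constructed target program.
PT_BASE, KEY_BASE, SBOX_BASE = 0x1000, 0x2000, 0x3000
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A key


def aes_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map). The analyzer never sees it."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3 (q stays p^-1)
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # q ^ rotl(q,1) ^ ... ^ rotl(q,4)
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63                # fold wrapped bits, add constant
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


def sample_blocks(n=32, seed=1):
    """Constructed plaintext blocks; seeded so the example is reproducible."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(16)) for _ in range(n)]


def traced_first_round(blocks, key=KEY):
    """Constructed target: AddRoundKey then SubBytes per block, logging every byte read."""
    sbox, trace = aes_sbox(), []
    for pt in blocks:
        for i in range(16):
            trace.append((PT_BASE + i, pt[i]))            # state byte
            trace.append((KEY_BASE + i, key[i]))          # round-key byte
            idx = pt[i] ^ key[i]
            trace.append((SBOX_BASE + idx, sbox[idx]))    # table lookup
    return trace


def find_byte_tables(trace, min_entries=128, max_span=256, max_gap=16):
    """Cluster distinct read addresses; a dense cluster within a 256-byte span is a
    byte-table candidate. Purely an access-pattern test, no known S-box is consulted."""
    addrs = sorted({a for a, _ in trace})
    if not addrs:
        return []
    clusters, cur = [], [addrs[0]]
    for a in addrs[1:]:
        if a - cur[-1] <= max_gap:
            cur.append(a)
        else:
            clusters.append(cur)
            cur = [a]
    clusters.append(cur)
    return [(c[0], c[-1]) for c in clusters
            if len(c) >= min_entries and c[-1] - c[0] < max_span]


def recover_key(trace, table, window=2):
    """Explain each lookup into `table` as base + (a ^ b) from the reads just before it
    (assumed lookahead window). The base consistent with most lookups wins by vote;
    operands constant across blocks are the round key, varying ones are the state."""
    lo, hi = table
    votes, lookups = Counter(), []
    for n, (addr, val) in enumerate(trace):
        if n < window or not lo <= addr <= hi:
            continue
        ops = [(a, v) for a, v in trace[n - window:n] if not lo <= a <= hi]
        if len(ops) == 2:
            votes[addr - (ops[0][1] ^ ops[1][1])] += 1
            lookups.append((addr, val, ops))
    base = votes.most_common(1)[0][0]
    seen, table_bytes = defaultdict(set), {}
    for addr, val, ((a1, v1), (a2, v2)) in lookups:
        if addr - base == v1 ^ v2:                 # keep only lookups the base explains
            seen[a1].add(v1); seen[a2].add(v2)
            table_bytes[addr - base] = val         # partial reconstruction of the table
    key_addrs = sorted(a for a, vs in seen.items() if len(vs) == 1)
    state_addrs = sorted(a for a, vs in seen.items() if len(vs) > 1)
    return {"base": base,
            "key": bytes(next(iter(seen[a])) for a in key_addrs),
            "state_addrs": state_addrs,
            "table": table_bytes}


if __name__ == "__main__":
    tr = traced_first_round(sample_blocks())
    tab = find_byte_tables(tr)[0]
    res = recover_key(tr, tab)
    print(f"table base 0x{res['base']:x}, key {res['key'].hex()}, "
          f"{len(res['table'])} table entries observed")
```

The interesting property for ransomware analysis is that nothing here depends on which S-box is in use: the same criterion would flag any byte-indexed 256-entry table and the same XOR-consistency vote would recover whatever key material is combined with the input before the lookup. What a real tool must add is what this toy skips: finding the lookups when the index computation is several instructions away from the read, handling T-table (32-bit) implementations, and telling the key schedule's derived round keys apart from the original key.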