Abstract
Implementation flaws in cryptographic libraries, design flaws in the underlying cryptographic primitives, and weaknesses in the protocols that use both can all lead to exploitable vulnerabilities in software. Manually fixing such issues is challenging and resource-consuming, especially when maintaining legacy software that contains broken or outdated cryptography and for which source code may not be available. While there is existing work on identifying cryptographic primitives (often in the context of malware analysis), none of this prior work has focused on replacing such primitives with stronger (or more secure) ones after they have been identified. This paper explores the feasibility of designing and implementing a toolchain for Augmentation and Legacy-software Instrumentation of Cryptographic Executables (ALICE). The key features of ALICE are: (i) automatically detecting and extracting implementations of weak or broken cryptographic primitives from binaries without requiring source code or debugging symbols, (ii) identifying the context and scope in which such primitives are used, and performing program analysis to determine the effects of replacing such implementations with more secure ones, and (iii) replacing implementations of weak primitives with those of stronger or more secure ones. We demonstrate the practical feasibility of our approach on cryptographic hash functions with several popular cryptographic libraries and real-world programs of various levels of complexity. Our experimental results show that ALICE can locate and replace insecure hash functions, even in large binaries (we tested ones of size up to 1.5 MB), while preserving the existing functionality of the original binaries and incurring minimal execution-time overhead in the rewritten binaries. We also open source ALICE's code at https://github.com/SRI-CSL/ALICE.
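To make feature (i) concrete, here is an added illustration of the simplest form of primitive detection in a stripped binary: scanning raw bytes for the 32-bit constants that a hash implementation necessarily embeds (initial hash values, round constants, the MD5 T-table), in the style of signature-scanning plugins such as IDA's FindCrypt. This is not ALICE's code and is not taken from the paper; ALICE's actual detection and extraction step is more involved. The signature table, the `WEAK` set, the weak-coverage threshold and the constructed `SAMPLE_BLOB` (a fake code/data region with MD5 and SHA-256 constants, no SHA-1) are all assumptions made for this example.

```python
"""Constant-signature scan for hash-function implementations in a raw binary.

Added illustration (not ALICE's code). A stripped binary still carries the
magic constants of any hash it implements, either as immediates inside
instructions or as a data table, so a byte-level search finds candidates
even without symbols.
"""
import struct

# Distinctive 32-bit constants per algorithm (assumed signature table).
# MD5 and SHA-1 share their first four IV words, so MD5 is identified by the
# first entries of its T-table (floor(2^32 * |sin(i)|)) and SHA-1 by its
# fifth IV word plus its four round constants.
SIGNATURES = {
    "MD5":     (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    "SHA-1":   (0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6),
    "SHA-256": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
}
# Primitives with practical collision attacks: candidates for replacement.
WEAK = {"MD5", "SHA-1"}


def find_constants(blob, words):
    """Return (offset, word, endianness) for every occurrence of each word.

    Both byte orders are tried: an x86 immediate operand is little-endian,
    while a constant table in .rodata may be stored either way.
    """
    hits = []
    for word in words:
        for endian in ("<", ">"):
            pattern = struct.pack(endian + "I", word)
            start = 0
            while (idx := blob.find(pattern, start)) >= 0:
                hits.append((idx, word, endian))
                start = idx + 1
    return hits


def detect_hashes(blob, min_fraction=0.75):
    """Map algorithm name -> {'offsets': [...], 'weak': bool}.

    An algorithm is reported when at least min_fraction of its signature
    constants occur in blob; the threshold tolerates a partially optimised
    or split implementation while ignoring a lone coincidental word.
    """
    found = {}
    for name, words in SIGNATURES.items():
        hits = find_constants(blob, words)
        matched = {w for _, w, _ in hits}
        if len(matched) / len(words) >= min_fraction:
            found[name] = {
                "offsets": sorted(off for off, _, _ in hits),
                "weak": name in WEAK,
            }
    return found


def weak_primitives(blob):
    """Sorted names of weak hash functions detected in blob."""
    return sorted(n for n, info in detect_hashes(blob).items() if info["weak"])


# Constructed sample "binary" (not a real program): 16 bytes of padding, the
# first four MD5 T-table constants encoded as x86 `mov eax, imm32`
# instructions (opcode 0xB8 + little-endian immediate), 32 bytes of padding,
# then the SHA-256 IV as a little-endian data table. No SHA-1 constants.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"".join(b"\xb8" + struct.pack("<I", c) for c in SIGNATURES["MD5"])
    + b"\x00" * 32
    + b"".join(struct.pack("<I", c) for c in SIGNATURES["SHA-256"])
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, info in detect_hashes(SAMPLE_BLOB).items():
        status = "WEAK, candidate for replacement" if info["weak"] else "ok"
        print(f"{name:8s} at offsets {info['offsets']}: {status}")
```

Running the script reports MD5 (weak) at the immediate offsets inside the `mov` instructions and SHA-256 (fine) at the table offsets, and nothing for SHA-1. Constant scanning only locates candidates; deciding the scope of a hit and whether its callers can tolerate a different digest length is the program-analysis part the abstract describes as feature (ii).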
N. Rattanavipanon—Work done partially while at SRI International.
Notes
1. We intentionally avoid rewriting at the instruction level as this can potentially incur significant run-time overhead for the rewritten/output binaries.
Acknowledgments
This work was sponsored by the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate under Contract No. HSHQDC-16-C-00034. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DHS and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS or the U.S. government. The authors thank the anonymous reviewers for their valuable comments.
© 2020 Springer Nature Switzerland AG
Cite this paper
Eldefrawy, K., Locasto, M., Rattanavipanon, N., Saidi, H. (2020). Towards Automated Augmentation and Instrumentation of Legacy Cryptographic Executables. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science(), vol 12147. Springer, Cham. https://doi.org/10.1007/978-3-030-57878-7_18
DOI: https://doi.org/10.1007/978-3-030-57878-7_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57877-0
Online ISBN: 978-3-030-57878-7
eBook Packages: Computer Science, Computer Science (R0)