Abstract
This paper proposes an idea on how to use existing techniques from late stage software customization to improve the security of software employing cryptographic functions. In our vision, we can verify an implemented algorithm and replace it with a faster or more trusted implementation if necessary. We also want to be able to add encryption to binaries that currently do not employ any, or gain access to unencrypted data if an application depends on encryption.
To corroborate the feasibility of our vision, we developed a prototype that is able to identify cryptographic functions in highly optimized binary code and tests the identified functions for functional correctness, potentially also revealing backdoors.
The research leading to this paper has received funding from the AMASS project (H2020-ECSEL no. 692474).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Thompson, K.: Reflections on trusting trust. Commun. ACM 27(8), 761–763 (1984)
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in Android applications. In: CCS 2013, pp. 73–84 (2013)
CCC: Analyse einer Regierungs-Malware. Technical report, Chaos Computer Club (2011)
Codenomicon, Google-Security: CVE-2014-0160. Available from MITRE, CVE-ID CVE-2014-0160, 3 Dec 2013
Bello, L.: CVE-2008-0166. Available from MITRE, CVE-ID CVE-2008-0166, 9 Jan 2008
Bruening, D., Zhao, Q., Amarasinghe, S.: Transparent dynamic instrumentation. ACM SIGPLAN Not. 47(7), 133–144 (2012)
Hiser, J., Nguyen-Tuong, A., Hawkins, W., McGill, M., Co, M., Davidson, J.: Zipr++: exceptional binary rewriting. In: FEAST 2017, pp. 9–15 (2017)
Majlesi-Kupaei, A., Kim, D., Anand, K., ElWazeer, K., Barua, R.: RL-Bin, robust low-overhead binary rewriter. In: FEAST 2017, pp. 17–22 (2017)
Chipounov, V., Kuznetsov, V., Candea, G.: The S2E platform: design, implementation, and applications. TOCS 30(1), 2 (2012)
Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., Grosen, J., Feng, S., Hauser, C., Kruegel, C., Vigna, G.: SoK: (state of) the art of war: offensive techniques in binary analysis. In: S&P 2016 (2016)
Saudel, F., Salwan, J.: Triton: a dynamic symbolic execution framework. In: Symposium sur la sécurité des Technologies de l’information et des Communications, SSTIC, France, Rennes, June 3–5 2015, SSTIC, pp. 31–54 (2015)
Cadar, C., Dunbar, D., Engler, D.R., et al.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI. vol. 8, pp. 209–224 (2008)
Jiang, Y., Zhang, C., Wu, D., Liu, P.: Feature-based software customization: preliminary analysis, formalization, and methods. In: HASE 2016, pp. 122–131 (2016)
Kim, D., Sumner, W.N., Zhang, X., Xu, D., Agrawal, H.: Reuse-oriented reverse engineering of functional components from x86 binaries. In: ICSE 2014, pp. 1128–1139 (2014)
Xu, D., Ming, J., Wu, D.: Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In: S&P 2017, pp. 921–937 (2017)
Dockins, R., Foltzer, A., Hendrix, J., Huffman, B., McNamee, D., Tomb, A.: Constructing semantic models of programs with the software analysis workbench. In: VSTTE 2016, pp. 56–72 (2016)
Bassham III, L.E.: The advanced encryption standard algorithm validation suite (AESAVS). NIST Information Technology Laboratory (2002)
McKeeman, W.M.: Differential testing for software. Digit. Techn. J. 10(1), 100–107 (1998)
Papp, D., Buttyán, L., Ma, Z.: Towards semi-automated detection of trigger-based behavior for software security assurance. In: SAW 2018 (2018)
ARM: mbedTLS. https://tls.mbed.org/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Brechelmacher, O., Krenn, W., Tarrach, T. (2018). A Vision for Enhancing Security of Cryptography in Executables. In: Payer, M., Rashid, A., Such, J. (eds) Engineering Secure Software and Systems. ESSoS 2018. Lecture Notes in Computer Science(), vol 10953. Springer, Cham. https://doi.org/10.1007/978-3-319-94496-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-94496-8_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94495-1
Online ISBN: 978-3-319-94496-8
eBook Packages: Computer ScienceComputer Science (R0)