Paper 2017/1119

Detection of cryptographic algorithms with grap

Léonard Benedetti, Aurélien Thierry, and Julien Francq

Abstract

The disassembled code of an executable program can be seen as a graph representing the possible sequence of instructions (Control Flow Graph). grap is a YARA-like tool, completely open-source, and able to detect graph patterns, defined by the analyst, within an executable program. We used grap to detect cryptographic algorithms: we created patterns for AES and ChaCha20 that are based on parts of the assembly code produced by compiling popular implementations (available in LibreSSL and libsodium). Our approach is thus based on the algorithms and their structure and does not rely on constant detection.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. 5th International Symposium on Research in Grey-Hat Hacking (GreHack 2017)
Keywords
detectioncontrol flow graphreverse engineeringAES
Contact author(s)
benedetti @ mlpo fr
History
2017-11-24: received
Short URL
https://ia.cr/2017/1119
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/1119,
      author = {Léonard Benedetti and Aurélien Thierry and Julien Francq},
      title = {Detection of cryptographic algorithms with grap},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1119},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/1119}},
      url = {https://eprint.iacr.org/2017/1119}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.