Paper 2017/928

Environmental Authentication in Malware

Jeremy Blackthorne, Benjamin Kaiser, Benjamin Fuller, and Bulent Yener

Abstract

Malware needs to execute on a target machine while simultaneously keeping its payload confidential from a malware analyst. Standard encryption can be used to ensure the confidentiality, but it does not address the problem of hiding the key. Any analyst can find the decryption key if it is stored in the malware or derived in plain view. One approach is to derive the key from a part of the environment which changes when the analyst is present. Such malware derives a key from the environment and encrypts its true functionality under this key. In this paper, we present a formal framework for environmental authentication. We formalize the interaction between malware and analyst in three settings: 1) blind: in which the analyst does not have access to the target environment, 2) basic: where the analyst can load a single analysis toolkit on an infected target, and 3) resettable: where the analyst can create multiple copies of an infected environment. We show necessary and sufficient conditions for malware security in the blind and basic games and show that even under mild conditions, the analyst can always win in the resettable scenario.
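The following is an added illustration of the environmental keying scheme the abstract describes; it is not code from the paper or its authors. The key is derived from a canonical serialization of selected environment attributes, the payload is encrypted under that key, and an HMAC tag lets the stub check whether the environment matched without revealing the payload (that tag check is the "authentication" step). The stream cipher (SHA-256 in counter mode), PBKDF2 for key stretching, the attribute names and the three sample environments are all choices made for this example, not the paper's.

```python
import hashlib
import hmac
import os


def env_fingerprint(env):
    """Canonical byte string of the environment attributes the key is derived from.
    Sorting the keys makes the fingerprint independent of collection order."""
    return "\n".join(f"{k}={env[k]}" for k in sorted(env)).encode()


def derive_key(env, salt):
    """Environmental key: the only secret is the environment itself.
    PBKDF2 slows an analyst who tries to brute-force a guessed fingerprint."""
    return hashlib.pbkdf2_hmac("sha256", env_fingerprint(env), salt, 50_000, dklen=32)


def keystream(key, nonce, length):
    """SHA-256 in counter mode; a toy stream cipher chosen for this example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(env, payload):
    """Run once by the malware author, who knows the target environment.
    Returns only public values: salt, nonce, ciphertext, tag. The key is not stored."""
    salt = os.urandom(16)
    nonce = os.urandom(12)
    key = derive_key(env, salt)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(env, blob):
    """Run on whatever machine the stub lands on. The tag check is the
    environmental authentication: a wrong environment yields a wrong key, and
    the stub learns that without ever exposing the payload. Returns None on mismatch."""
    key = derive_key(env, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


# Constructed sample environments (hypothetical hosts, not real data).
TARGET_ENV = {
    "hostname": "fin-ws-042",
    "domain": "corp.example",
    "cpu_vendor": "GenuineIntel",
    "debugger_present": "0",
}
# Basic setting: the analyst has the infected host but loads a toolkit, which
# perturbs one of the attributes the key depends on.
ANALYST_ENV = dict(TARGET_ENV, debugger_present="1")
# Blind setting: the analyst never saw the target and runs the sample elsewhere.
SANDBOX_ENV = {
    "hostname": "sandbox-01",
    "domain": "WORKGROUP",
    "cpu_vendor": "GenuineIntel",
    "debugger_present": "0",
}

PAYLOAD = b"true functionality goes here"


def demo():
    """Seal the payload for TARGET_ENV and try to unseal it in each environment."""
    blob = seal(TARGET_ENV, PAYLOAD)
    return {
        "target": unseal(TARGET_ENV, blob),
        "analyst": unseal(ANALYST_ENV, blob),
        "sandbox": unseal(SANDBOX_ENV, blob),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result!r}")
```

Only the target environment recovers the payload; the analyst's copy with a toolkit loaded and the blind sandbox both fail the tag check and learn nothing beyond that. Note what the stub does not hide: `derive_key` and the list of attributes it reads are in the clear, so an analyst who can reset and re-run copies of the infected environment (the paper's resettable setting) can vary attributes between runs and observe which ones change the outcome, which is why the abstract reports that the analyst wins that game under mild conditions.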

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Latincrypt 2017
Keywords
environmental keying, authentication, malware
Contact author(s)
benjamin fuller @ uconn edu
History
2017-09-25: received
Short URL
https://ia.cr/2017/928
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/928,
      author = {Jeremy Blackthorne and Benjamin Kaiser and Benjamin Fuller and Bulent Yener},
      title = {Environmental Authentication in Malware},
      howpublished = {Cryptology ePrint Archive, Paper 2017/928},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/928}},
      url = {https://eprint.iacr.org/2017/928}
}