Cryptology ePrint Archive: Report 2017/928

Environmental Authentication in Malware

Jeremy Blackthorne and Benjamin Kaiser and Benjamin Fuller and Bulent Yener

Abstract: Malware needs to execute on a target machine while simultaneously keeping its payload confidential from a malware analyst. Standard encryption can be used to ensure the confidentiality, but it does not address the problem of hiding the key. Any analyst can find the decryption key if it is stored in the malware or derived in plain view.

One approach is to derive the key from a part of the environment which changes when the analyst is present. Such malware derives a key from the environment and encrypts its true functionality under this key.

In this paper, we present a formal framework for environmental authentication. We formalize the interaction between malware and analyst in three settings: 1) blind: in which the analyst does not have access to the target environment, 2) basic: where the analyst can load a single analysis toolkit on an effected target, and 3) resettable: where the analyst can create multiple copies of an infected environment. We show necessary and sufficient conditions for malware security in the blind and basic games and show that even under mild conditions, the analyst can always win in the resettable scenario.

Category / Keywords: environmental keying, authentication, malware

Original Publication (in the same form): Latincrypt 2017

Date: received 19 Sep 2017, last revised 24 Sep 2017

Contact author: benjamin fuller at uconn edu

Available format(s): PDF | BibTeX Citation

Version: 20170925:002554 (All versions of this report)

Short URL: ia.cr/2017/928

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]