| Presentation | 2015-06-11 An Empirical Evaluation of Locating Cryptographic Functions on the Memory Ryoya Furukawa, Ryoichi Isawa, Masakatu Morii, Daisuke Inoue, Koji Nakao, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | This paper presents a simple and effective idea to locate cryptographic functions on the memory for malware analysis. This leads an analyst to obtain plain-text packets that are encrypted on a secure channel established by malware when she analyzes it on a sandbox environment. Our idea is to observe a memory area where an encrypted packet is loaded. Besides, it is also to observe the areas where any pieces of data created from that encrypted packet are loaded. This is based on the fact that although a malware sample can load a sheer number of functions, functions that access to those memory areas de nitely include cryptographic functions. With experiments using ten cryptographic programs, we extracted 37% of 134{460 functions as candidates on average, and extracted3% of them at best. In future work, the idea will be expanded for uniquely locating cryptographic functions. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Binary Analysis / Malware Analysis / Network Security / Cryptography |
| Paper # | IA2015-4,ICSS2015-4 |
| Date of Issue | 2015-06-04 (IA, ICSS) |
| Conference Information | |
| Committee | IA / ICSS |
|---|---|
| Conference Date | 2015/6/11(2days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | Kyushu Institute of Technology Univ. |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | Internet Security, etc. |
| Chair | Ken-ichi Yoshida(Univ. of Tsukuba) / Yutaka Miyake(KDDI R&D Labs.) |
| Vice Chair | Hiroyuki Osaki(Kwansei Gakuin Univ.) / Masahiro Jibiki(NICT) / Yutaka Nakamura(Kyushu Inst. of Tech.) / Takashi Nishide(Univ. of Tsukuba) / Yoshiaki Shiraishi(Kobe Univ.) |
| Secretary | Hiroyuki Osaki(Tokyo Inst. of Tech.) / Masahiro Jibiki(Osaka Univ.) / Yutaka Nakamura(Mitsubishi Electric) / Takashi Nishide(NII) / Yoshiaki Shiraishi |
| Assistant | Yuichiro Hei(KDDI R&D Labs.) / Hiroshi Yamamoto(Ritsumeikan Univ.) / Toshiki Watanabe(NEC) / Katsunari Yoshioka(Yokohama National Univ.) / Kazunori Kamiya(NTT) |
| Paper Information | |
| Registration To | Technical Committee on Internet Architecture / Technical Committee on Information and Communication System Security |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | An Empirical Evaluation of Locating Cryptographic Functions on the Memory |
| Sub Title (in English) | |
| Keyword(1) | Binary Analysis |
| Keyword(2) | Malware Analysis |
| Keyword(3) | Network Security |
| Keyword(4) | Cryptography |
| 1st Author's Name | Ryoya Furukawa |
| 1st Author's Affiliation | Kobe University(Kobe Univ.) |
| 2nd Author's Name | Ryoichi Isawa |
| 2nd Author's Affiliation | National Institute of Information and Communications Technology(NICT) |
| 3rd Author's Name | Masakatu Morii |
| 3rd Author's Affiliation | Kobe University(Kobe Univ.) |
| 4th Author's Name | Daisuke Inoue |
| 4th Author's Affiliation | National Institute of Information and Communications Technology(NICT) |
| 5th Author's Name | Koji Nakao |
| 5th Author's Affiliation | National Institute of Information and Communications Technology(NICT) |
| Date | 2015-06-11 |
| Paper # | IA2015-4,ICSS2015-4 |
| Volume (vol) | vol.115 |
| Number (no) | IA-80,ICSS-81 |
| Page | pp.pp.15-20(IA), pp.15-20(ICSS), |
| #Pages | 6 |
| Date of Issue | 2015-06-04 (IA, ICSS) |