基于动态二进制插桩的密钥安全性检测

doi:10.11959/j.issn.2096-109x.2017.00213

Abstract

Abstract:

For the key security problem in the cryptographic software,the method of key security detection based on dynamic binary instrumentation was proposed.Aimed at CryptoAPI cryptographic software,the method firstly pointed out the potential key security vulnerabilities by analyzing the key applying patterns of CryptoAPI.Then it recorded cryptographic data information during the execution of the program dynamically using Pin platform.On this basis,a relevance vulnerability detection algorithm was designed to detect the key security.Test result indicated that it can effectively detect the two kinds of key security vulnerabilities.

Key words: key security detection, dynamic binary instrumentation, Pin platform, CryptoAPI cryptographic software

CLC Number:

TP309

Hao LIN,Fei KANG,Yan GUANG. Key security detection based on dynamic binary instrumentation[J]. Chinese Journal of Network and Information Security, 2017, 3(11): 50-58.

Figures/Tables 9

References 19

[1]	段钢 . 加密与解密(第三版)[M]. 北京：电子工业出版社. 2008.
	DUAN G . Encryption and decryption(Third Edition)[M]. Beijing: Electronic Industry Press. 2008.
[2]	李舟军，张俊贤，廖湘科，等. 软件安全漏洞检测技术[J]. 计算机学报， 2015,38(4): 717-732.
	LI Z J , ZHANG J X , LIAO X K , et al. Software security vulnerability detection technology[J]. Chinese Journal of Computers. 2015,38(4): 717-732.
[3]	EGELE M , BRUMLEY D , FRATANTONIO Y , et al. An empirical study of cryptographic misuse in android applications[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013:73-84.
[4]	SHAO S , DONG G , GUO T , et al. Modelling analysis and au-to-detection of cryptographic misuse in android applications[C]// IEEE International Conference on Dependable,Autonomic and Secure Computing. 2014:75-80.
[5]	LI Y , ZHANG Y , LI J , et al. iCryptoTracer:Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications[C]// Interna-tional Conference on Network and System Security. 2014:349-362.
[6]	MA S , LO D , LI T , et al. CDRep:automatic repair of cryptographic misuses in android applications[C]// ACM on Asia Conference on Computer and Communications Security. 2016:711-722.
[7]	CHATZIKONSTANTINOU A , NTANTOGIAN C , KAROPOU-LOS G , et al. Evaluation of cryptography usage in android applica-tions[C]// Eai International Conference on Bio-Inspired Information and Communications Technologies. 2016:83-90.
[8]	ALMEIDA J B , BARBOSA M , FILLI?TRE J C , et al. CAOVerif:an open-source deductive verification platform for cryptographic software implementations[J]. Science of Computer Programmin, 2014,91(91): 216-333.
[9]	FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android:an analysis of android SSL (in)security[C]// ACM Confe-rence on Computer and Communications Security. 2012:50-61.
[10]	RIZZO J , DUONG T . Practical padding oracle attacks[C]// Usenix Conference on Offensive Technologies. 2010:1-8.
[11]	BARENGHI A , BREVEGLIERI L , KOREN I , et al. Fault injection attacks on cryptographic devices:theory,practice,and countermeasures[C]// Proceedings of the IEEE. 2012:3056-3076.
[12]	Automated testing of crypto software using differential fuzz-ing[EB/OL]. .
[13]	LAZAR D , CHEN H , WANG X , et al. Why does cryptographic software fail?case study and open problems[C]// Asia-Pacific Workshop. 2014:1-7.
[14]	安天针对勒索蠕虫“魔窟”(WannaCry)的深度分析报告[EB/OL]. .
[15]	NEWSOME J , SONG D . Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on com-modity software[C]// Conference on NDSS. 2015.
[16]	NETHERCOTE N . Dynamic binary analysis and instrumentation or building tools is easy[D]. Trinity Lane,Cambridge:University of Cambridge. 2004.
[17]	LUK C K , COHN R , MUTH R , et al. Pin:building customized program analysis tools with dynamic instrumentation[J]. ACM Sig-plan Notices, 2005,40(6): 190-200.
[18]	BRUENING D L . Efficient,transparent,and comprehensive run-time code manipulation[C]// Massachusetts Institute of Technolo-gy. 2004.
[19]	NETHERCOTE N , SEWARD J . Valgrind:a framework for heavyweight dynamic binary instrumentation[C]// ACM Sigplan Conference on Pro-gramming Language Design ＆ Implementation. 2007:89-100.

Metrics

Recommended 0

No Suggested Reading articles found!

漏洞类型	加解密过程信息
漏洞类型	调用点	函数名称	参数信息
Key-Weak	sqlite3.dll 0x102B1	CryptHashData	RTX!
Predicable	sqlite3.dll 0x102D2	CryptDeriveKey	Null

工具	技术手段	目标漏洞类型
本文方法	动态二进制分析	密钥安全性漏洞
CryptoLint	静态程序切片	6条漏洞经验规则
CMA	静态与动态混合分析	简单密码学误用
iCryptoTracer	静态扫描与动态跟踪	敏感数据泄露
POET	Fuzzing	Padding Oracle Attacks
FIAT	Fault Injection	Side Channel Attacks
CDF	Differential Fuzzing	逻辑漏洞

Key security detection based on dynamic binary instrumentation

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 19

Related Articles 15

Metrics

Recommended 0

[1]	Yilong WANG, Zhenyu LI, Daofu GONG, Fenlin LIU. Image double fragile watermarking algorithm based on block neighborhood [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 38-48.
[2]	Renfeng CHEN, Hongbin ZHU. Research on credit card transaction security supervision based on PU learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 73-78.
[3]	Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.
[4]	Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.
[5]	Peng HOU, Zhixin LI, Fei ZHANG, Xu SUN, Dan CHEN, Yihao CUI, Hanbing ZHANG, Yinan JIN, Hongfeng CHAI. Technology and practice of intelligent governance for financial data security [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 174-187.
[6]	Min XIAO, Faying MAO, Yonghong HUANG, Yunfei CAO. Anonymous trust management scheme of VANET based on attribute signature [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 33-45.
[7]	Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80.
[8]	Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.
[9]	Jiashuo SONG, Zhenzhen LI, Haiyang DING, Zichen LI. Efficient and fully simulated oblivious transfer protocol on elliptic curve [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 158-166.
[10]	Fenghua LI, Hui LI, Ben NIU, Weidong QIU. Academic connotation and research trends of privacy computing [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 1-8.
[11]	Fei TANG, Ning GAN, Xianggui YANG, Jinyang WANG. Anti malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 9-19.
[12]	Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51.
[13]	Jun LIU, Lin YUAN, Zhishang FENG. Survey of key management schemes for cluster networks [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 52-69.
[14]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[15]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.