doi: 10.17586/2226-1494-2020-20-5-708-713
DETERMINATION OF PACKED AND ENCRYPTED DATA IN EMBEDDED SOFTWARE
Article in Russian
For citation:
Iuganson A.N. Determination of packed and encrypted data in embedded software. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2020, vol. 20, no. 5, pp. 708–713 (in Russian). doi: 10.17586/2226-1494-2020-20-5-708-713
Abstract
Subject of Research. Research of embedded software for security faults can be hampered by anti-debugging techniques (encryption) and code wrappers (compression). The paper presents an overview of existing tools for detecting anti-debugging techniques. The disadvantage of existing solutions is their reliance on signature-based methods for analysing executable files, which limits their applicability to the set of known signatures. Existing statistical tests based on entropy analysis of files give an ambiguous result. To determine which data transformation was applied, a method is proposed for detecting packed and encrypted data in an executable firmware file. Method. The embedded software is represented as a finite sequence of bytes, each of which can take one of 256 possible values. The proposed method combines Pearson's chi-squared test, used to check the hypothesis that the bytes in a file are uniformly distributed, with the Monte Carlo method, used to approximate the number π and thereby characterise the distribution of bytes in the file. The more accurate the approximation of π and the closer the byte distribution is to uniform, the more likely it is that an encryption algorithm was applied to the data. Main Results. It is shown that the proposed criteria are more sensitive to deviations from a uniformly distributed random variable than entropy analysis. Applying these approaches to an experimental sample of files of various sizes, compressed or encrypted with a variety of algorithms, revealed correlations that make it possible to state with a high degree of confidence which transformation (compression or encryption) the embedded software was subjected to. Practical Relevance. An approach is presented for determining packed and encrypted data produced by various anti-debugging techniques. The proposed method is applicable both to the analysis of malicious software and to the search for and identification of security defects in embedded software.
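The two statistics described in the abstract, applied to a byte stream, as an added example that is not the paper's code and does not reproduce its experiments. It computes Pearson's chi-squared statistic against the hypothesis of uniform bytes (255 degrees of freedom, with a Wilson-Hilferty normal approximation for the p-value, since the standard library has no chi-squared distribution) and estimates π by treating consecutive 24-bit values as (x, y) coordinates and counting hits inside a quarter circle. The sample inputs are constructed here: pseudo-random bytes stand in for encrypted data, a generated word list stands in for plain firmware strings, and its zlib-compressed form stands in for a packed image. The classification thresholds in `classify` are illustrative assumptions, not values taken from the paper.

```python
"""Chi-squared uniformity test and Monte Carlo pi estimate over a byte stream.
Added example, not from the paper; thresholds and sample data are constructed."""
import math
import random
import zlib
from collections import Counter

N_BINS = 256
BYTES_PER_COORD = 3  # 24-bit coordinates for the Monte Carlo estimate


def chi_squared_uniform(data: bytes) -> tuple[float, float]:
    """Pearson chi-squared statistic for H0 'bytes are uniform on 0..255'
    and the approximate upper-tail p-value P(X^2 >= observed)."""
    n = len(data)
    if n == 0:
        raise ValueError("empty input")
    expected = n / N_BINS
    counts = Counter(data)
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(N_BINS))
    k = N_BINS - 1  # degrees of freedom
    # Wilson-Hilferty: (X^2/k)^(1/3) is approximately Normal(1 - 2/(9k), sqrt(2/(9k)))
    z = ((chi2 / k) ** (1 / 3) - (1 - 2 / (9 * k))) / math.sqrt(2 / (9 * k))
    p_value = 0.5 * math.erfc(z / math.sqrt(2))
    return chi2, p_value


def monte_carlo_pi(data: bytes) -> tuple[float, int]:
    """Read the stream as (x, y) pairs of 24-bit unsigned integers and return
    4 * (fraction inside the quarter circle of radius 2**24 - 1), plus the sample count."""
    step = 2 * BYTES_PER_COORD
    radius_sq = (2 ** (8 * BYTES_PER_COORD) - 1) ** 2
    inside = total = 0
    for i in range(0, len(data) - step + 1, step):
        x = int.from_bytes(data[i:i + BYTES_PER_COORD], "big")
        y = int.from_bytes(data[i + BYTES_PER_COORD:i + step], "big")
        total += 1
        if x * x + y * y <= radius_sq:
            inside += 1
    if total == 0:
        raise ValueError("input too short for a single (x, y) sample")
    return 4.0 * inside / total, total


def classify(data: bytes) -> dict:
    """Combine both statistics into a verdict. Thresholds are assumed for illustration:
    the paper reports that encryption yields a uniform distribution and an accurate pi,
    while compression stays close to, but measurably off, uniform."""
    chi2, p_value = chi_squared_uniform(data)
    pi_estimate, samples = monte_carlo_pi(data)
    pi_error = abs(pi_estimate - math.pi)
    reduced = chi2 / (N_BINS - 1)  # chi-squared per degree of freedom, ~1 under H0
    if p_value >= 0.01 and pi_error < 0.05:
        verdict = "uniform: consistent with encrypted or random data"
    elif reduced < 3.0 and pi_error < 0.2:
        verdict = "near-uniform: consistent with compressed data"
    else:
        verdict = "structured: plain code or data"
    return {"chi2": chi2, "p_value": p_value, "pi_estimate": pi_estimate,
            "pi_error": pi_error, "samples": samples, "verdict": verdict}


def make_samples(seed: int = 2020, size: int = 64 * 1024) -> dict[str, bytes]:
    """Constructed sample inputs (not from the paper), deterministic for a given seed."""
    rng = random.Random(seed)
    random_like = bytes(rng.getrandbits(8) for _ in range(size))  # stands in for ciphertext
    vocab = ["firmware", "uart", "flash", "boot", "vector", "reset", "irq", "gpio",
             "timer", "spi", "i2c", "watchdog", "stack", "heap", "dma", "crc"]
    words, length = [], 0
    while length < size:
        w = rng.choice(vocab)
        words.append(w)
        length += len(w) + 1
    plain_text = " ".join(words)[:size].encode("ascii")  # stands in for string tables
    compressed = zlib.compress(plain_text, 9)  # stands in for a packed image
    return {"random": random_like, "plain": plain_text, "compressed": compressed}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        r = classify(blob)
        print(f"{name:>10}: n={len(blob):6d} chi2={r['chi2']:9.1f} p={r['p_value']:.3g} "
              f"pi={r['pi_estimate']:.4f} (err {r['pi_error']:.4f}) -> {r['verdict']}")
```

Printable ASCII never fills the high bits of a 24-bit coordinate, so every (x, y) pair from text lands inside the quarter circle and the estimate collapses to 4.0; that is why the π criterion separates plain data so sharply, while the chi-squared statistic is what distinguishes compressed output (close to uniform) from encrypted output (indistinguishable from uniform at the chosen significance level).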
Keywords: embedded software, statistical tests, entropy analysis, Pearson’s chi-squared test, Monte Carlo method, anti-debugging techniques, information security