DETERMINATION OF PACKED AND ENCRYPTED DATA IN EMBEDDED SOFTWARE

 

Iuganson A.N. Determination of packed and encrypted data in embedded software. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2020, vol. 20, no. 5, pp. 708–713 (in Russian). doi: 10.17586/2226-1494-2020-20-5-708-713

Subject of Research. Embedded software research for security faults can be handicapped by various anti-debugging techniques (encryption) and code wrappers (compression). The paper presents an overview of existing tools for definition of anti-debugging techniques. The disadvantages of existing solutions lie in the use of signature-based methods for analysis of executable files, that limits the scope of their application to the number of the known signatures. The existing statistical tests based on the entropy analysis of files give an ambiguous result. To determine the data conversion technique, a method is proposed for detection of packed and encrypted data in an executable firmware file. Method. The embedded software is represented as a finite sequence of bytes, where each byte can take one of 256 possible values. The proposed method combines the approaches based on the use of Pearson’s chi-squared test to check the hypothesis of a uniform distribution of bytes in a file, as well as the use of the Monte Carlo method to approximate the number π in order to calculate the characteristics of the distribution of bytes in a file. The higher approximation accuracy of the number π and the closer the distribution of bytes in the file to a uniform one is, the more likely is the application of encryption algorithms for data transformation. Main Results. It is shown that the proposed criteria are more sensitive to deviations of a uniformly distributed random variable than the entropy analysis. Applying of these approaches to an experimental sample of files with various sizes, which were compressed/encrypted with a variety of algorithms, have shown correlations, that with a high degree of confidence give the possibility to state which algorithm (compression or encryption) the embedded software was subjected to. Practical Relevance. An approach is presented for determination of packed and encrypted data obtained as a result of the use of various anti-debugging techniques. The proposed method is applicable both in the analysis of malicious software and in the search and identification of security defects in embedded software.

1. Langner R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 2011, vol. 9, no. 3, pp. 49–51. doi: 10.1109/MSP.2011.67

2. Falliere N., Murchu L. O., Chien E. W32. stuxnet dossier. White paper, Symantec Corp., Security Response, 2011, vol. 5, no. 6, pp. 29.

3. Antonakakis M., April T., Bailey M., Bernhard M., Bursztein E., Cochran J., Durumeric Z., Halderman J.A., Invernizzi L., Kallitsis M., Kumar D., Lever C., Ma Z., Mason J., Menscher D., Seaman C., Sullivan N., Thomas K., Zhou Y. Understanding the mirai botnet. Proc. 26th USENIX Security Symposium, 2017, pp. 1093–1110.

4. Kolias C., Kambourakis G., Stavrou A., Voas J. DDoS in the IoT: Mirai and other botnets. Computer, 2017, vol. 50, no. 7, pp. 80–84. doi: 10.1109/MC.2017.201

5. Cui A. Costello M., Stolfo S.J. When firmware modifications attack: A case study of embedded exploitation. Proc. 20th Annual Network & Distributed System Security Symposium, 2013, pp. 1–13.

6. Chen D.D., Egeley M., Woo M., Brumley D. Towards automated dynamic analysis for linux-based embedded firmware. Proc. of the Network and Distributed System Security Symposium (NDSS’16), 2016, pp. 1–16. doi: 10.14722/ndss.2016.23415

7. Costin A., Zaddach J., Francillon A., Balzarotti D. A large-scale analysis of the security of embedded firmwares. Proc. 23rd USENIX Security Symposium, 2014, pp. 95–110.

8. Feng Q., Zhou R., Xu C., Cheng Y., Testa B., Yin H. Scalable graph-based bug search for firmware images. Proc. 23rd ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 480–491. doi: 10.1145/2976749.2978370

9. Matveeva V.S. Statistical features of data encrypted by cryptographic information protection software, and their detection method. Informatsiya i Bezopasnost, 2015, vol. 18, no. 1, pp. 119–122. (in Russian)

10. Wu Y., Zhou Y., Saveriades G., Agaian S., Noonan J.P., Natarajan P. Local Shannon entropy measure with statistical tests for image randomness. Information Sciences, 2013, vol. 222, pp. 323–342. doi: 10.1016/j.ins.2012.07.049

11. Lyda R., Hamrock J. Using entropy analysis to find encrypted and packed malware. IEEE Security and Privacy, 2007, vol. 5, no. 2, pp. 40–45. doi: 10.1109/MSP.2007.48

12. Jeong G., Choo E., Lee J., Bat-Erdene M., Lee H. Generic unpacking using entropy analysis. Proc. 5th International Conference on Malicious and Unwanted Software (MALWARE 2010), 2010, pp. 98–105. doi: 10.1109/MALWARE.2010.5665789

13. Matveeva V.S. The criterion for assessing the file content for its proximity to the random data. IT Security, 2015, vol. 22, no. 1, pp. 106–108. (in Russian)

14. Matveeva V.S. A new approach to differentiate compressed file formats from encrypted files. Information Security Problems. Computer Systems, 2015, no. 4, pp. 131–139. (in Russian)

15. Alekseev I.V., Platonov V.V. Identification of the encrypted executable files based on the entropy analysis for detection value randomness of byte sequences. Information Security Problems. Computer Systems, 2016, no 4, pp. 74–79. (in Russian)

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License