Abstract
Malware needs to execute on a target machine while keeping its payload confidential from a malware analyst. Standard encryption can ensure this confidentiality, but it does not address the problem of hiding the key: any analyst can find the decryption key if it is stored in the malware or derived in plain view.
One approach is to derive the key from a part of the environment that changes when an analyst is present: the malware derives a key from the environment and encrypts its true functionality under this key.
In this paper, we present a formal framework for environmental authentication. We formalize the interaction between malware and analyst in three settings: (1) blind, in which the analyst does not have access to the target environment; (2) basic, in which the analyst can load a single analysis toolkit onto an infected target; and (3) resettable, in which the analyst can create multiple copies of an infected environment. We give necessary and sufficient conditions for malware security in the blind and basic games, and show that even under mild conditions the analyst can always win in the resettable setting.
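As a toy illustration of this paradigm (not code from the paper; the sensor readings, payload, and XOR stream "cipher" are all hypothetical stand-ins), the decryption key can be recomputed from environment observations at run time rather than stored with the payload:

```python
import hashlib

def derive_key(observations: list[bytes]) -> bytes:
    # Hash the concatenated environment observations into a 32-byte key;
    # the key is recomputed at run time and never stored with the payload.
    h = hashlib.sha256()
    for obs in observations:
        h.update(obs)
    return h.digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy XOR stream cipher (a stand-in for a real authenticated cipher)
    # keyed by the environment-derived key; encrypt and decrypt coincide.
    stream = hashlib.sha256(key).digest()
    while len(stream) < len(data):
        stream += hashlib.sha256(stream[-32:]).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Hypothetical sensor readings on the intended target vs. an analysis VM.
target_env = [b"hostname=prod-db-01", b"os=Linux 5.15"]
analyst_env = [b"hostname=sandbox-vm", b"os=Linux 5.15"]

payload = b"true functionality"
blob = xor_stream(derive_key(target_env), payload)

# The intended environment reproduces the key and recovers the payload;
# the analyst's altered environment derives a different key and fails.
assert xor_stream(derive_key(target_env), blob) == payload
assert xor_stream(derive_key(analyst_env), blob) != payload
```

An analyst who changes any observed part of the environment (here, the hostname) derives the wrong key, which is exactly the property the framework below formalizes.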
Notes
- 1.
Extractors [NZ96] and fuzzy extractors [DRS04] can be used to derive keys in non-noisy and noisy environments, respectively. See the works of Nisan and Ta-Shma [NTS99] and Dodis et al. [DRS08], respectively, for more information. Throughout this work we assume that the key derivation techniques are implemented properly and that the only weakness that can be targeted is guessing a valid input to the key derivation process.
- 2.
In reality, we expect certain portions of \(E\) to be more likely to be overwritten by different \(A\). Our results extend to that model.
References
Bauer, C.: ReMASTering Applications by Obfuscating during Compilation. blog post, August 2014
Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS) (2010)
Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Blackthorne, J., Kaiser, B., Yener, B.: A formal framework for environmentally sensitive malware. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 211–229. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_10
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)
Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008, pp. 177–186, June 2008
Cichonski, P., Millar, T., Grance, T., Scarfone, K.: Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-61, Revision 2 (2012)
Collberg, C., Thomborson, C., Low, D.: A Taxonomy of Obfuscating Transformations (1997)
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: a brief survey of results from 2004 to 2006. In: Security with Noisy Data (2008)
Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: CCS 2008 Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51–62 (2008)
Ferrie, P.: Attacks on More Virtual Machine Emulators. Technical report, Symantec Advanced Threat Research (2007)
Ferrie, P.: The Ultimate Anti-Debugging Reference, May 2011. http://pferrie.host22.com/papers/antidebug.pdf. Accessed 6 Apr 2015
Futoransky, A., Kargieman, E., Sarraute, C., Waissbein, A.: Foundations and applications for secure triggers. ACM Transactions on Information and System Security (2006)
Fuller, B., Reyzin, L., Smith, A.: When are fuzzy extractors possible? In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 277–306. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_10
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49. IEEE Computer Society (2013)
Itkis, G., Chandar, V., Fuller, B.W., Campbell, J.P., Cunningham, R.K.: Iris biometric security challenges and possible solutions: for your eyes only? Using the iris as a key. IEEE Signal Process. Mag. 32(5), 42–53 (2015)
jsteube: oclGaussCrack (2016)
Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy. SP 2012, pp. 443–457. IEEE Computer Society, Washington (2012)
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating emulation-resistant malware. In: Proceedings of the 1st ACM Workshop on Virtual Machine Security, VMSec 2009, pp. 11–22. ACM, New York (2009)
Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_18
Moon, P.: The Use of Packers, Obfuscators and Encryptors in Modern Malware. Technical report, Information Security Group, Royal Holloway University of London (2015)
Nisan, N., Ta-Shma, A.: Extracting randomness: a survey and new constructions. J. Comput. Syst. Sci. 58(1), 148–173 (1999)
Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)
Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies. WOOT 2009, p. 2. USENIX Association, Berkeley (2009)
Rényi, A.: On measures of entropy and information. In: Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, vol. 1, pp. 547–561 (1961)
Riordan, J., Schneier, B.: Environmental key generation towards clueless agents. In: Vigna, G. (ed.) Mobile Agents and Security. LNCS, vol. 1419, pp. 15–24. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-68671-1_2
Kaspersky Lab Global Research and Analysis Team: Gauss: Abnormal Distribution. Technical report, Kaspersky Lab (2012)
Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, 1st edn. No Starch Press, San Francisco (2012)
Song, C., Royal, P., Lee, W.: Impeding automated malware analysis with environment-sensitive malware. In: Hotsec (2012)
Saxena, A., Wyseur, B., Preneel, B.: White-box cryptography: formal notions and (im)possibility results. IACR Cryptology ePrint Archive, Report 2008/273 (2008)
Xu, Z., Zhang, J., Gu, G., Lin, Z.: GoldenEye: efficiently and effectively unveiling malware’s targeted environment. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 22–45. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_2
Yan, L.K.: Transparent and precise malware analysis using virtualization: from theory to practice (2013). https://surface.syr.edu/cgi/viewcontent.cgi?referer=https://scholar.google.com/&httpsredir=1&article=1336&context=eecs_etd
A Proofs
A.1 Proof of Theorem 2
Proof (of Theorem 2). We show a stronger statement: there is a single algorithm \(A \) that works for any \((\beta , \gamma )\)-environmentally authenticating malware. Let \(t = 2^\beta \ln \left( \frac{n}{1-\epsilon }\right) \). Define \(A \) as follows for decision procedure i:
1. Input \(\mathcal {D} _i, S_i, \mathcal {D} _{i-1},S_{i-1},\ldots , \mathcal {D} _1, S_1\).
2. For \(j=1\) to \(t\):
   (a) Sample \(E _j\leftarrow \mathtt {Sam} _\mathcal {E} \).
   (b) If \(D_i(E _{j, S_i})=1\), output \(\mathtt {Guess} _i = E _j\).
3. Output \(\perp \).
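The sampling attack above can be sketched in Python under toy assumptions (environments modeled as uniform 32-bit values, and decision procedures that accept exactly a \(2^{-\beta }\) fraction of them; none of these choices come from the paper):

```python
import math
import random

def blind_attack(decision_procs, sample_env, beta, n, eps):
    # For each decision procedure, sample up to t = 2^beta * ln(n/(1-eps))
    # environments and output the first one that the procedure accepts.
    t = math.ceil(2 ** beta * math.log(n / (1 - eps)))
    guesses = []
    for D in decision_procs:
        for _ in range(t):
            E = sample_env()          # E_j <- Sam_E
            if D(E):                  # D_i(E_{j, S_i}) = 1
                guesses.append(E)     # Guess_i = E_j
                break
        else:
            return None               # output ⊥: some D_i never accepted
    return guesses

# Toy instantiation: each D_i accepts iff the low beta bits of E are zero,
# so a uniform environment passes with probability exactly 2^-beta.
beta, n, eps = 6, 4, 0.99
rng = random.Random(0)
procs = [lambda E: E % 2 ** beta == 0] * n
result = blind_attack(procs, lambda: rng.getrandbits(32), beta, n, eps)

# By construction, any returned guesses satisfy their decision procedures.
assert result is None or all(D(g) for D, g in zip(procs, result))
```

The analysis below shows that with this choice of \(t\) the attack outputs \(\perp \) on some \(\mathcal {D} _i\) with probability at most \(1-\epsilon \).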
This procedure is repeated for each decision procedure; \(A\) wins if all decision procedures output 1. We first note that the probability that some decision procedure is incorrect is at most \(\delta \). We now bound the probability that \(A\) outputs \(\perp \) in some iteration, conditioned on the malware being correct, starting with a single iteration. By Definition 4 and Assumption 1, \(\mathbb {E}_{E _j\in \mathcal {E}} (\Pr [D_i(E _{j, S_i})= 1])\ge 2^{-\beta }\). That means that
$$\Pr [A \text { outputs }\perp \text { on } \mathcal {D} _i] \le \left( 1-2^{-\beta }\right) ^{t} \le e^{-t/2^\beta }. \quad (1)$$
Then across all iterations, by a union bound and Eq. 1: \(\Pr [A \text { outputs }\perp \text { on any }\mathcal {D} _i] \le ne^{-t/2^\beta }\). That is, substituting \(t = 2^\beta \ln \left( \frac{n}{1-\epsilon }\right) \),
$$\Pr [A \text { outputs }\perp \text { on any }\mathcal {D} _i] \le n e^{-\ln \left( \frac{n}{1-\epsilon }\right) } = 1-\epsilon .$$
Note that the overall running time of \(A\) is at most \(t_A = n(t_E + t_{oracle}) \cdot t \), as required. The statement of the theorem follows by adding the probability \(\delta \) that the malware is incorrect.
A.2 Proof of Theorem 3
Proof (of Theorem 3). Let \(A \) be a black-box algorithm that only provides inputs to the current decision algorithm. Since the entire decision procedure is revealed once a "true" input is found, there is no reason to query a previous decision algorithm. Consider some decision algorithm \(i^*\) that minimizes the probability in Definition 3. We bound the probability that \(A \) can make \(\mathcal {D} _{i^*}\) output 1, as this bounds the probability of all algorithms outputting 1 (it may be that only a single decision algorithm outputs 0 on some inputs). The only information about values \(E \) that cause \(\mathcal {D} _{i^*}\) to output 1 is contained in the query responses. Since the adversary wins if it receives a single 1 response, we may assume that \(A\) makes t deterministic queries and, if none of those responses is 1, its final guess is also a deterministic value. Denote these values by \(g_1,\ldots , g_{t+1}\). Then we bound:
$$\Pr [\exists \, j \in \{1,\ldots ,t+1\} : \mathcal {D} _{i^*}(g_j)=1] \le \sum _{j=1}^{t+1} \Pr [\mathcal {D} _{i^*}(g_j)=1] \le (t+1)\cdot 2^{-\gamma }.$$
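The union bound over the adversary's \(t+1\) deterministic guesses can be checked with a toy Monte Carlo simulation (hypothetical parameters; the secret environment is modeled as uniform over \(2^\gamma \) values and the decision procedure accepts only that value):

```python
import random

# Toy check of the union bound: a black-box adversary submits t+1 fixed
# guesses against a decision procedure accepting a single uniform secret.
gamma, t, trials = 10, 15, 20_000
rng = random.Random(2)
wins = 0
for _ in range(trials):
    secret = rng.randrange(2 ** gamma)
    wins += any(g == secret for g in range(t + 1))  # t+1 guesses: 0..t
rate = wins / trials
bound = (t + 1) / 2 ** gamma   # (t+1) * 2^-gamma
assert rate <= bound + 0.01    # empirical rate stays near the bound
```

Here the guesses are distinct and the secret is uniform, so the union bound is essentially tight; in general it is only an upper bound.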
A.3 Proof of Theorem 4
Proof (of Theorem 4). Because the adversary \(A\) does not know where in \(E\) the malware \(M\) resides, \(A\) runs the risk of overwriting the sensor positions \(S_i\). As stated above, we assume that \(M\) is operable after \(A \) has been loaded. The total size of \(M \)'s reads from \(E\) is at most \(n \cdot \alpha \). We define a single \(A \) that works for all \(M \). Let \(A \) overwrite a random set of \(\nu \) locations. However, rather than analyzing this \(A \) directly, we consider an \(A '\) that overwrites each element of \(E _M \) independently with probability \(2\nu /\ell \). Note that, since the expected number of overwritten locations is \(2\nu \),
$$\Pr [A ' \text { overwrites fewer than } \nu \text { locations}] \le e^{-\nu /4},$$
using the multiplicative version of the Chernoff bound. Assume that \(A '\) simply outputs \(\perp \) when it overwrites fewer than \(\nu \) locations. Thus, all of \(A '\)'s success occurs when it overwrites at least \(\nu \) positions, and the task of \(A '\) in providing inputs to \(\mathcal {D} _i\) is at least as difficult as that of \(A \). For the remainder of the proof we consider \(A '\).
We now bound the size of the intersection between the locations read by \(M\) and the locations overwritten by \(\mathtt {Load} (A ', E _{M})\). Denote by \(E _{bad}\) the locations overwritten by \(\mathtt {Load} (A ', E _{M})\) conditioned on the event that \(A '\) overwrites at least \(\nu \) locations.
To bound the success probability of \(A '\), we care about the size of the intersection between the locations read by \(M\) and the locations in \(E _{bad}\). Since \(E _{bad}\) consists of random locations, the intersection \((\cup _i S_i) \cap E _{bad}\) is distributed as a binomial random variable, which we denote by X, with parameters \(B(n \alpha ,2\nu /\ell )\). Then one has that
$$\mathbb {E}[X] = \frac{2 n \alpha \nu }{\ell }.$$
Let \(c' >0\) be a constant. By a second application of the multiplicative Chernoff bound one has that
$$\Pr \left[ X \ge (1+c')\,\mathbb {E}[X]\right] \le e^{-\frac{(c')^2\,\mathbb {E}[X]}{2+c'}}.$$
For an intersection of size \(\kappa \), the correct \(E _M \) can be found using \(2^\kappa \) oracle queries. Note that this is an upper bound: in the setting where a decision algorithm reads a smaller number of corrupted bits, these bits can be recovered in parts; here we assume that all corrupted bits are necessary for a single decision algorithm. The statement of the theorem follows by using an \(A '\) that exhaustively searches over the corrupted bits when their number is at most \(c' +2 \) and aborts otherwise.
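The binomial model for the overwritten-sensor intersection can be checked empirically (hypothetical parameters; the \(n\alpha \) sensor locations are taken, without loss of generality, to be a prefix of \(E\)):

```python
import random

def overwrite_intersection(ell, n_alpha, nu, rng):
    # One trial of A': overwrite each of the ell locations of E
    # independently with probability 2*nu/ell, and count how many of the
    # n*alpha sensor locations (the first n_alpha cells, wlog) are hit.
    p = 2 * nu / ell
    return sum(1 for _ in range(n_alpha) if rng.random() < p)

# The intersection is Binomial(n*alpha, 2*nu/ell), mean 2*n*alpha*nu/ell.
rng = random.Random(1)
ell, n_alpha, nu, trials = 10_000, 200, 50, 2_000
mean = sum(overwrite_intersection(ell, n_alpha, nu, rng)
           for _ in range(trials)) / trials
expected = 2 * n_alpha * nu / ell   # 2.0 for these parameters
assert abs(mean - expected) < 0.3   # empirical mean matches E[X]
```

With these numbers the expected intersection is only 2 locations, which is why an exhaustive search over the corrupted bits remains feasible.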
A.4 Proof of Theorem 5
Proof (of Theorem 5). Consider some \(A \) with artifact size at least \(\mu \). Let \(A \) be a black-box algorithm that only provides inputs to the current decision algorithm. Since the entire decision procedure is revealed once a "true" input is found, there is no reason to query a previous decision algorithm. Denote by \(E_{sub}\) the subset of size at least \(\mu \) that is overwritten by \(\mathtt {Load} (A, E _M)\). Then, by Definition 9, there exists some \(i^*\) such that the bound of Definition 9 holds for \(\mathcal {D} _{i^*}\).
We bound the probability that \(A \) can make \(\mathcal {D} _{i^*}\) output 1, as this bounds the probability of all algorithms outputting 1 (it may be that only a single decision algorithm outputs 0 some fraction of the time). The only information about values \(E \) that cause \(\mathcal {D} _{i^*}\) to output 1 is contained in the query responses. Since the adversary wins if it receives a single 1 response, we may assume that \(A\) makes \(t = \mathtt {poly} (\lambda )\) deterministic queries and, if none of those responses is 1, its final guess is also a deterministic value. Denote these values by \(g_1,\ldots , g_{t+1}\). Then we bound:
$$\Pr [\exists \, j \in \{1,\ldots ,t+1\} : \mathcal {D} _{i^*}(g_j)=1] \le \sum _{j=1}^{t+1} \Pr [\mathcal {D} _{i^*}(g_j)=1].$$
© 2019 Springer Nature Switzerland AG

Blackthorne, J., Kaiser, B., Fuller, B., Yener, B.: Environmental authentication in malware. In: Lange, T., Dunkelman, O. (eds.) Progress in Cryptology – LATINCRYPT 2017. LNCS, vol. 11368. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_20