{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T21:15:38Z","timestamp":1760044538806,"version":"3.41.2"},"reference-count":52,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,6,6]],"date-time":"2024-06-06T00:00:00Z","timestamp":1717632000000},"content-version":"vor","delay-in-days":157,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>In 2021, the largest US pipeline system for refined oil products suffered a 6-day shutdown due to a ransomware attack [1]. In 2023, the sensitive systems of the US Marshals Service were attacked by a ransomware [2]. One of the most effective ways to fight ransomware is to extract the secret keys. The challenge of detecting and identifying cryptographic primitives has been around for over a decade. Many tools have been proposed, but the vast majority of them use templates or signatures, and their support for different operating systems and processor architectures is rather limited; neither have there been enough tools capable of extracting the secret keys. In this paper, we present CipherTrace, a generic and automated system to detect and identify the class of cipher algorithms in binary programs, and additionally, locate and extract the secret keys and cryptographic states accessed by the cipher. We focus on product ciphers, and evaluate CipherTrace using four standard cipher algorithms, four different hashing algorithms, and five of the most recent and popular ransomware specimens. Our results show that CipherTrace is capable of fully dissecting Fixed\u00a0S-Box block ciphers (e.g. 
AES and Serpent) and can extract the secret keys and other cryptographic artefacts, regardless of the operating system, implementation, or input- or key-size, and without using signatures or templates. We show a significant improvement in performance and functionality compared to the closely related works. CipherTrace helps in fighting ransomware, and aids analysts in their malware analysis and reverse engineering efforts.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae008","type":"journal-article","created":{"date-parts":[[2024,6,6]],"date-time":"2024-06-06T09:34:23Z","timestamp":1717666463000},"source":"Crossref","is-referenced-by-count":1,"title":["CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-9805-6222","authenticated-orcid":false,"given":"Mostafa AbdelMoez","family":"Hassanin","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Oxford , 7 Parks Rd, OX1 3QG ,","place":["United Kingdom"]}]},{"given":"Ivan","family":"Martinovic","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Oxford , 7 Parks Rd, OX1 3QG ,","place":["United Kingdom"]}]}],"member":"286","published-online":{"date-parts":[[2024,6,6]]},"reference":[{"article-title":"Hackers breached colonial pipeline using compromised password","year":"2021","author":"Turton","key":"2024121909135671900_bib1"},{"article-title":"US Marshals service still recovering from february ransomware attack affecting system used by fugitive hunters","year":"2023","author":"Lyngaas","key":"2024121909135671900_bib2"},{"article-title":"Data Breach Investigations Report","year":"2020","author":"Langlois","key":"2024121909135671900_bib3"},{"article-title":"2021 ransomware statistics, data and trends","year":"2021","author":"PurpleSec","key":"2024121909135671900_bib4"},{"article-title":"The State of Ransomware 
2023","year":"2023","author":"Sophos","key":"2024121909135671900_bib5"},{"key":"2024121909135671900_bib6","doi-asserted-by":"crossref","first-page":"144925","DOI":"10.1109\/ACCESS.2019.2945839","article-title":"A survey on detection techniques for cryptographic ransomware","volume":"7","author":"Berrueta","year":"2019","journal-title":"IEEE Access"},{"volume-title":"Cryptography Engineering: Design Principles and Practical Applications","year":"2010","author":"Ferguson","key":"2024121909135671900_bib7"},{"article-title":"FBI held back ransomware decryption key from businesses to run operation targeting hackers","year":"2021","author":"Nakashima","key":"2024121909135671900_bib8"},{"key":"2024121909135671900_bib9","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3329786","article-title":"Dynamic malware analysis in the modern era\u2014a state of the art survey","volume":"52","author":"Or-Meir","year":"2019","journal-title":"ACM Comput Surv"},{"key":"2024121909135671900_bib10","first-page":"1","article-title":"BitBlaze: a new approach to computer security via binary analysis","volume-title":"Proceedings of the Information Systems Security, 4th International Conference, ICISS 2008, Hyderabad, India, December 16-20, 2008. Vol. 
5352 of Lecture Notes in Computer Science","author":"Song","year":"2008"},{"key":"2024121909135671900_bib11","first-page":"15","article-title":"SoK: using dynamic binary instrumentation for security (and how you may get caught red handed)","volume-title":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, Asia CCS\u201919","author":"D\u2019Elia","year":"2019"},{"key":"2024121909135671900_bib12","first-page":"113","article-title":"A survey on aims and environments of diversification and obfuscation in software security","volume-title":"Proceedings of the 17th International Conference on Computer Systems and Technologies 2016, CompSysTech\u201916","author":"Hosseinzadeh","year":"2016"},{"article-title":"Towards revealing attackers\u2019 intent by automatically decrypting network traffic","year":"2008","author":"Lutz","key":"2024121909135671900_bib13"},{"key":"2024121909135671900_bib14","first-page":"200","article-title":"ReFormat: automatic reverse engineering of encrypted messages","volume-title":"Proceedings of the 14th European Conference on Research in Computer Security, ESORICS\u201909","author":"Wang","year":"2009"},{"key":"2024121909135671900_bib15","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1007\/978-3-642-23644-0_3","article-title":"Automated identification of cryptographic primitives in binary programs","volume-title":"Recent Advances in Intrusion Detection","author":"Gr\u00f6bert","year":"2011"},{"key":"2024121909135671900_bib16","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/TDSC.2012.83","article-title":"CipherXRay: exposing cryptographic operations and transient secrets from monitored binary execution","volume":"11","author":"Li","year":"2014","journal-title":"IEEE Trans Depend Secure Comput"},{"key":"2024121909135671900_bib17","first-page":"169","article-title":"Aligot: cryptographic function identification in obfuscated binary programs","volume-title":"Proceedings of the ACM 
Conference on Computer and Communications Security","author":"Calvet","year":"2012"},{"article-title":"Automated detection and classification of cryptographic algorithms in binary programs through machine learning","year":"2015","author":"Hosfelt","key":"2024121909135671900_bib18"},{"key":"2024121909135671900_bib19","doi-asserted-by":"crossref","first-page":"921","DOI":"10.1109\/SP.2017.56","article-title":"Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping","volume-title":"Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP)","author":"Xu","year":"2017"},{"key":"2024121909135671900_bib20","doi-asserted-by":"crossref","DOI":"10.3390\/info9090231","article-title":"CryptoKnight: generating and modelling compiled cryptographic primitives","volume":"9","author":"Hill","year":"2018","journal-title":"Information"},{"article-title":"Identification of cryptographic algorithms in binary programs. (Identification d\u2019algorithmes cryptographiques dans du code natif)","year":"2017","author":"Lestringant","key":"2024121909135671900_bib21"},{"key":"2024121909135671900_bib22","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1145\/1064978.1065034","article-title":"Pin: building customized program analysis tools with dynamic instrumentation","volume":"40","author":"Luk","year":"2005","journal-title":"SIGPLAN Not"},{"key":"2024121909135671900_bib23","first-page":"412","article-title":"K-Hunt: pinpointing insecure cryptographic keys from execution traces","volume-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201818","author":"Li","year":"2018"},{"key":"2024121909135671900_bib24","first-page":"687","article-title":"Steal this movie: automatically bypassing DRM protection in streaming media services","volume-title":"Presented as part of the 22nd USENIX Security Symposium (USENIX Security 
13)","author":"Wang","year":"2013"},{"key":"2024121909135671900_bib25","article-title":"Automatic protocol format reverse engineering through context-aware monitored execution","volume-title":"Proceedings of the 15th Symposium on Network And Distributed System Security (NDSS)","author":"Lin","year":"2008"},{"key":"2024121909135671900_bib26","doi-asserted-by":"crossref","DOI":"10.1145\/2843859.2843867","article-title":"Repeatable reverse engineering with PANDA","volume-title":"Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW-5","author":"Dolan-Gavitt","year":"2015"},{"key":"2024121909135671900_bib27","first-page":"248","article-title":"Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform","volume-title":"Proceedings of the 2014 International Symposium on Software Testing and Analysis, ISSTA 2014","author":"Henderson","year":"2014"},{"key":"2024121909135671900_bib28","first-page":"31","article-title":"DECAF++: elastic whole-system dynamic taint analysis","volume-title":"Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)","author":"Davanian","year":"2019"},{"key":"2024121909135671900_bib29","doi-asserted-by":"crossref","first-page":"386","DOI":"10.1145\/2664243.2664252","article-title":"Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system","volume-title":"Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC\u201914","author":"Lengyel","year":"2014"},{"year":"2003","key":"2024121909135671900_bib30","article-title":"KeePass Password Safe"},{"year":"1998","key":"2024121909135671900_bib31","article-title":"The OpenSSL Project"},{"key":"2024121909135671900_bib32","doi-asserted-by":"crossref","first-page":"222","DOI":"10.1007\/3-540-69710-1_15","article-title":"Serpent: a new block cipher proposal","volume-title":"Fast Software 
Encryption","author":"Biham","year":"1998"},{"volume-title":"The Twofish Encryption Algorithm","year":"2000","author":"Schneier","key":"2024121909135671900_bib33"},{"key":"2024121909135671900_bib34","doi-asserted-by":"crossref","DOI":"10.1201\/b11310","volume-title":"RC4 Stream Cipher and Its Variants","author":"Paul","year":"2011"},{"key":"2024121909135671900_bib35","first-page":"113","article-title":"A simple variant of the Merkle\u2013Damg\u00e5rd scheme with a permutation","volume-title":"J Cryptol","author":"Hirose","year":"2007"},{"key":"2024121909135671900_bib36","first-page":"430","article-title":"Merkle-Damg\u00e5rd revisited: how to construct a hash function","volume-title":"Adv Cryptol","author":"Coron","year":"2005"},{"article-title":"Ransomware Maze","year":"2020","author":"Mundo","key":"2024121909135671900_bib37"},{"article-title":"Maze Ransomware","year":"2020","author":"DSCI","key":"2024121909135671900_bib38"},{"article-title":"Case study: catching a human-operated maze ransomware attack in action","year":"2020","author":"SentinelLABS","key":"2024121909135671900_bib39"},{"article-title":"REvil ransomware-as-a-service: an analysis of a ransomware affiliate operation","year":"2020","author":"Intel471","key":"2024121909135671900_bib40"},{"article-title":"REvil\/Sodinokibi: the crown prince of ransomware","year":"2019","author":"Fakterman","key":"2024121909135671900_bib41"},{"article-title":"RYUK RANSOMWARE","year":"2021","author":"ANSSI","key":"2024121909135671900_bib42"},{"article-title":"A targeted campaign break-down \u2013 Ryuk Ransomware \u2013 check point research","year":"2018","author":"Cohen","key":"2024121909135671900_bib43"},{"article-title":"TAU Threat Discovery: Conti Ransomware","year":"2020","author":"VMWare Security Blog","key":"2024121909135671900_bib44"},{"article-title":"Conti ransomware shows signs of being Ryuk\u2019s successor","year":"2020","author":"BleepingComputer.com","key":"2024121909135671900_bib45"},{"article-title":"All 
you should know about netwalker ransomware","year":"2020","author":"NAKIVO","key":"2024121909135671900_bib46"},{"article-title":"The new generation of ransomware - an in depth study of ransomware-as-a-service","year":"2020","author":"Keijzer","key":"2024121909135671900_bib47"},{"year":"2020","author":"NHS","key":"2024121909135671900_bib48"},{"key":"2024121909135671900_bib49","doi-asserted-by":"crossref","first-page":"120","DOI":"10.1145\/359340.359342","article-title":"A method for obtaining digital signatures and public-key cryptosystems","volume":"21","author":"Rivest","year":"1978","journal-title":"Commun ACM"},{"key":"2024121909135671900_bib50","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1109\/ICETECH.2016.7569218","article-title":"Study and analysis of eSTREAM cipher Salsa and ChaCha","volume-title":"Proceedings of the 2016 IEEE International Conference on Engineering and Technology (ICETECH)","author":"Yadav","year":"2016"},{"article-title":"Integrate func_stats plugin: collect synthetic information of called functions by mabdelmoez","year":"2020","author":"mabdelmoez","key":"2024121909135671900_bib51"},{"article-title":"mabdelmoez\/ciphertrace: CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware","year":"2021","author":"mabdelmoez","key":"2024121909135671900_bib52"}],"container-title":["Journal of 
Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae008\/61182374\/tyae008.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae008\/61182374\/tyae008.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:14:22Z","timestamp":1734599662000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae008\/7688556"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":52,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae008","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae008"}}