Cryptographic Misuse Detection in IoT Firmware or Binary using Ghidra.

Ji4n1ng/CrypTody

CrypTody

CrypTody is a tool for analyzing cryptographic misuses in IoT firmware (multi-architecture ELF binaries).

For detailed information, please see our paper "CrypTody: Cryptographic Misuse Analysis of IoT Firmware via Data-flow Reasoning", published at RAID 2024.

Features

Cryptographic Misuse Detection

Datalog-based Reasoning

Reasoning about cryptographic misuses in a Datalog-like language:

.decl keyShouldNotBeConst(node: nodetype, const: nodetype)
keyShouldNotBeConst(node, const) :-
    isSymKey(node),
    isNonZeroConst(const),
    DFG.depend(node, const).

Data Flow Analysis

CrypTody provides a basic def-use analysis for a specific Pcode variable.

  • Cross-Architecture Analysis: The analysis is performed on the Pcode level (Ghidra's intermediate representation), which is architecture-independent.
  • Inter-Procedural Tracking: The analysis is inter-procedural, which means it can track the data flow across different functions.

An example of the data flow graph for a specific Pcode variable:

This analysis is not precise, which is normal for static binary analysis, but it can be used to identify potential data-flow paths.
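As an added illustration (not CrypTody's own code), the following Python model shows how the Datalog rule above reads against an inter-procedural def-use graph: `DFG.depend` is the transitive closure over constructed Pcode-level def-use edges, and the rule fires only for symmetric-key varnodes that reach a non-zero constant. All node names, edges and the `IS_SYM_KEY` facts are constructed sample data.

```python
# Constructed Pcode-level def-use edges (use_node, def_node): use_node reads the
# value produced by def_node. Node names are "function:varnode" placeholders.
DFG_EDGES = [
    ("aes_set_key:key", "derive_key:ret"),    # crosses a call: callee's return value
    ("derive_key:ret", "derive_key:buf"),
    ("derive_key:buf", "const:0x41414141"),   # hard-coded key bytes
    ("hmac_init:key", "read_urandom:ret"),    # key from a non-constant source
    ("zero_key:key", "const:0x0"),            # zero constant, excluded by isNonZeroConst
]
# Facts CrypTody would derive from crypto API signatures; constructed here.
IS_SYM_KEY = {"aes_set_key:key", "hmac_init:key", "zero_key:key"}


def build_dfg(edges):
    """Adjacency map: node -> set of nodes it directly depends on."""
    dfg = {}
    for use, definition in edges:
        dfg.setdefault(use, set()).add(definition)
    return dfg


def depend(dfg, node):
    """DFG.depend(node, x): all x reachable from node over def-use edges
    (transitive closure via a worklist, so cyclic DFGs still terminate)."""
    seen, stack = set(), [node]
    while stack:
        for nxt in dfg.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def is_nonzero_const(node):
    """isNonZeroConst: a constant varnode whose value is not zero."""
    return node.startswith("const:") and int(node.split(":", 1)[1], 0) != 0


def key_should_not_be_const(edges, sym_keys):
    """keyShouldNotBeConst(node, const) :- isSymKey(node),
    isNonZeroConst(const), DFG.depend(node, const)."""
    dfg = build_dfg(edges)
    return sorted((node, const) for node in sym_keys
                  for const in depend(dfg, node) if is_nonzero_const(const))


if __name__ == "__main__":
    for node, const in key_should_not_be_const(DFG_EDGES, IS_SYM_KEY):
        print(f"keyShouldNotBeConst({node}, {const})")
```

Only `aes_set_key:key` is reported: the HMAC key comes from a non-constant source and the zero-initialised key fails `isNonZeroConst`, mirroring how the rule's three body atoms narrow the result.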

Control Flow Graph

CFG (Pcode level) for a specific function:

This helps in understanding the Pcode representation of a function and in debugging the analysis.

Call Graph

Call graph of the binary:

The CG is usually massive for a large binary.

Project Structure

  • ./CrypTody/ Core Implementation
    • src: data-flow analysis based on Ghidra
    • datalog: reasoning about cryptographic misuses based on Souffle
  • ./CT-cli/ Python Cli-Tool for Large-scale Analysis
    • (coming soon)
  • ./benchmark/ The benchmark used in the paper
  • ./example/ Minimal example to demonstrate the usage of CrypTody
    • rc (renamed to rc-const-passwd): a binary with potential cryptographic misuses found in a real-world IoT firmware

Setup

We recommend using IntelliJ IDEA.

Dependencies

  • Java 17
  • Ghidra: supported version 11.0.3.
    • Build ghidra.jar and copy it to ./CrypTody/libs/.
  • Souffle
  • (Optional) To support visualization of the data flow graph, install Graphviz and nidi3/graphviz-java.

Usage

 -d,--debug           (OPTIONAL) [debug] output record files or not
 -g,--ghidra <arg>    [REQUIRED] ghidra project directory
 -i,--input <arg>     [REQUIRED] input a binary file
 -o,--output <arg>    [REQUIRED] the output directory.
 -p,--project <arg>   [REQUIRED] ghidra project name
 -r,--rule            (OPTIONAL) output datalog rules or not
 -s,--save            (OPTIONAL) [pre-analysis] only save ghidra project
                      without tracking
 -v,--visualization   (OPTIONAL) [debug] output visualization files or not

Then run the Datalog reasoning step on the generated rules with Souffle:

souffle query.dl

Citation

If you use CrypTody in your research, please cite our paper:

@inproceedings{10.1145/3678890.3678914,
author = {Wang, Jianing and Guo, Shanqing and Diao, Wenrui and Liu, Yue and Duan, Haixin and Liu, Yichen and Liang, Zhenkai},
title = {CrypTody: Cryptographic Misuse Analysis of IoT Firmware via Data-flow Reasoning},
year = {2024},
isbn = {9798400709593},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi-org.libproxy1.nus.edu.sg/10.1145/3678890.3678914},
doi = {10.1145/3678890.3678914},
abstract = {Cryptographic techniques form the foundation of the security and privacy of computing solutions. However, if cryptographic APIs are not invoked correctly, they can result in significant security problems. In this paper, we abstract the intricate crypto misuse detection problem as a data-flow reasoning task. Towards this end, we propose CrypTody, a novel logic-inference-based framework for detecting crypto misuses via reasoning about data flows on multi-architecture IoT firmware images. It carries out cross-architecture analysis, with detection strategies to reduce false positives and false negatives, such as cross-flow misuse inference. To evaluate the effectiveness of CrypTody, we conducted a large-scale experiment on 1,431 firmware images from 16 vendors. Our evaluation shows that 46\% of the firmware images have high-risk misuses and 95\% have at least one cryptographic misuse. In total, we find 6,624 potential crypto misuses, with 760 being cross-flow misuses that are not detected by existing solutions. We have responsibly disclosed portions of our findings to the relevant vendors. From the feedback, we note that CrypTody has a low false-positive rate for the confirmed misuses. Some typical cases have been assigned CVEs and fixed by the vendors.},
booktitle = {Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses},
pages = {579–593},
numpages = {15},
keywords = {Cryptographic misuse, Data-flow analysis, IoT firmware},
location = {Padua, Italy},
series = {RAID '24}
}
