Abstract:
Software analysis has had a devastating effect on software security. In the area of software analysis, data flow analysis can effectively identify the data processing and recognize the bounds of data structures, which helps us better understand the behavior of the program. However, for the programs that use data encryption technology for communication, data flow analysis will encounter great difficulties because it cannot automatically extract decrypted data, and hence cannot effectively track data processing which is pivotal for software analysis. In this work we propose memory dependence measurement, a novel approach for finding and extracting decrypted data on commodity software. While previous work focuses on the recognition of decryption functions and instructions, our method shifts the focus to identifying the memory address of decrypted data. We implement our memory dependence technique in a tool called EncMemCheck. Experiments show that EncMemCheck has more accuracy on real-word encryption algorithm. It is proved that our approach is more practical by testing it on community software UnrealIrcd which adopts encryption technology during communication.