Reversing Cryptography in Black Box Binaries
Dahmun Goudarzi and Robin David

Learn how to assess the robustness of black box cryptographic blocks in binaries via real-world examples.

Reversing Cryptography in Black Box Binaries // Dahmun Goudarzi, Robin David

In-Person | March 18-21 | 4 Days

BOOK NOW

ABSTRACT

Cryptography is a key component of the development of any product involving sensitive data. Analysing it at binary-level is usually a tedious task. To do so, one should first locate the cryptographic blocks, identify whether they are coming from standard algorithms or custom ones and finally assess their security. Even after complete cartography and understanding of the binary, it remains a challenging task to properly assess if and how the cryptographic blocks are flawed or not. Cryptography is often seen as a field restricted to highly qualified people with strong math background. The goal of this training is to demystify this field by giving attendees a proper knowledge and toolkit to ease the cryptanalysis of primitives in binary files (namely the identification and assessment of the robustness), and how to perform such cryptanalysis with some tools that we created. The various sections and topics will always be provided with hands-on exercises taken from real-world binaries encountered in our assessments. While many topics will be covered to share as much insights as possible, the main goal is to provide the proper material and skill knowledge for any attendees to understand how to tackle cryptography found at binary-level in order to derive an enlighten advice on its soundness and robustness.

Reversing Cryptography in Black Box Binaries // Dahmun Goudarzi, Robin David

In-Person | March 18-21 | 4 Days

BOOK NOW

INTENDED AUDIENCE

Practitioners assessing or encountering cryptographic implementation and protocols during reverse at binary-level.

KEY LEARNING OBJECTIVES

  • Introduction to Cryptography: principles, primitives and algorithms.
  • Understanding how real-world crypto works without needing to know why (no mathematical background required!).
  • Learning how to identify cryptographic primitives and/or protocols in complex binaries and whether their implementation is sound and robust.
  • Learning how to use several tools we developed to automate the product security analysis and testing for conformity check, vulnerability search or attack automation.
BOOK NOW

COURSE DETAILS

MODULE 1: Demystifying Cryptographic Primitives

  • Basic Concepts
    • encryption/decryption
    • authentication
    • signatures
    • cryptographic materials and derivation
    • etc
  • Modelling Adversary
    • Black/Grey/White box
  • Building Blocks
    • Symmetric cryptography: AES and modes, SHA, etc.
    • Public-key cryptography: RSA, ECC, etc.
  • Protocols
    • Diffie-Hellman key exchange, TLS, SSH, etc.
  • Implementation Requirements: conformity, constant time.
  • Practicals:
    • hands-on on basic cryptographic attacks
    • identifying weaknesses with input/output observations

MODULE 2: Identifying Crypto in Binaries

  • Identification 101 (e.g., API symbols, constants, findcrypt)
  • Constructing ad-hoc documentation for identification
    • What are the key points?
    • How are cryptographic materials handled?
    • Are there any constants involved?
  • Introduction to Side-channels analysis: understanding what we can observe during a crypto execution
  • Advanced identification
    • How to use custom YARA rules
    • Pattern matching via tracers
  • Memory exploration to find Crypto Materials
    • Reminder on randomness, entropy, etc.
    • Testing a random number generator soundness with TestU01
    • Where to look in memory?
  • Practicals:
    • Identify algorithms used in a simple binary
    • Decrypt TLS exchanges with tweaked randomness generation
    • Identify lesser used primitives/custom ones with YARA rules
    • Identify the Crypto primitives in a Satellite user terminal
    • Find an AES size via tracing

MODULE 3: Testing Crypto in Black-box

  • Introduction to crypto-condor, a tool automating conformity checks of cryptographic implementations
  • Introduction to code emulation
  • Practicals: assessing a binary conformity using crypto-condor and emulation:
    • Get started with crypto-condor on a malformed messaging app
    • Standard implementation compliance checks (OpenSSL, mbedTLS..)
    • Harnessing and compliance checks of cryptography for embedded devices through emulation

MODULE 4: Advanced Testing

  • Introduction to Differential Fuzzing
  • List of the different tools, what they can do and catch
  • Bestiary of Vulnerabilities
  • How to cryptanalyse them?
  • Practicals: getting started with tools to assess:
    • Conformity of an encountered crypto primitive (even custom made ones)
    • Robustness against side-channel attacks, memory leaks
    • Writing your first harness that can export function to crypto-condo

White-box Cryptography Analysis with Side-Channel Marvels

  • Introduction to White-box Crypto
  • Side-Channel Marvels: list of tools, how to use them to automate attacks
  • Practical: use-case on CHES CTFs
BOOK NOW

Knowledge Prequisites

  • NO Mathematical background required
  • Basic reverse-engineering skills, x86-64 and ARM binaries will be studied
  • Basic skills in Python and C/C++

Hardware Requirements

  • Laptop with x86-64 architecture
  • 10Gb+ disk space
  • 16GB Memory recommended

Software Requirements

  • VirtualBox or VMWare (free version is OK)
Important: The required tooling is only tested on x86-64-based systems. ARM based systems (e.g., Apple Silicon M1, M2 or M3), or systems based on other architectures are not supported.

YOUR INSTRUCTORS: Dahmun Goudarzi and Robin David

Dahmun Goudarzi is a French Cryptographic R&D researcher focused on the automation of the analysis of cryptographic solutions in deployed products. He originally hold a PHD from Ecole Normale Supérieur de Paris and CryptoExperts where he worked on secure implementation of block ciphers against physical attacks. His works have lead to dozen of publications at top-end cryptographic conferences. He is now a full time security researcher at Quarkslab where is leading different research topics and tools developement to automate the analysis of cryptographic component in source and native code.

Robin David is a French Software Security Researcher focused on reverse engineering and software testing (fuzzing and symbolic execution). He originally holds a Phd from the Atomic Energy Comission (CEA) where he attacked obfuscation using formal methods and symbolic execution. He is now full-time security researcher at Quarkslab where he is leading the automated analysis team and various research topics. From time to time we present its work in various security conferences.

BOOK NOW
See also
BOOTSTRAP25

VoidStar Security - Hardware Hacking for Reverse Engineers

This course teaches hardware reverse engineering fundamentals, focusing on low-level protocols like SPI, I2C, JTAG, and SWD in embedded systems. Students develop tools to interface with these protocols. All hardware is provided, and students keep the tools after completing the course.
4 min read
BOOTSTRAP25

Patch Diffing In The Dark: Reverse Engineering Modern CVEs

This course teaches patch diffing to analyze real-world Windows and Android vulnerabilities. Students use open-source tools like Ghidra to reverse engineer recent CVEs, gaining the skills and confidence to discover complex vulnerabilities with tools they already have.
6 min read
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated