International Association for Cryptologic Research (IACR)
Abstract
The disassembled code of an executable program can be seen as a graph representing the possible sequence of instructions (Control Flow Graph). grap is a YARA-like tool, completely open-source, and able to detect graph patterns, defined by the analyst, within an executable program.
We used grap to detect cryptographic algorithms: we created patterns for AES and ChaCha20 that are based on parts of the assembly code produced by compiling popular implementations (available in LibreSSL and libsodium). Our approach is thus based on the algorithms and their structure and does not rely on constant detection
