Tales from the crypt: Fingerprinting attacks on encrypted channels by way of retainting

Michael Valkering, Asia Slowinska, Herbert Bos

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.

Original languageEnglish
Title of host publicationProceedings of the 3rd European Conference on Computer Network Defense
Pages1-20
Number of pages20
Volume30 LNEE
DOIs
Publication statusPublished - 1 Dec 2009
Event3rd European Conference on Computer Network Defense, EC2ND 2007 - Heraklion, Crete, Greece
Duration: 4 Oct 20075 Oct 2007

Publication series

NameLecture Notes in Electrical Engineering
Volume30 LNEE
ISSN (Print)1876-1100
ISSN (Electronic)1876-1119

Conference

Conference3rd European Conference on Computer Network Defense, EC2ND 2007
CountryGreece
CityHeraklion, Crete
Period4/10/075/10/07

Fingerprint

Dive into the research topics of 'Tales from the crypt: Fingerprinting attacks on encrypted channels by way of retainting'. Together they form a unique fingerprint.

Cite this