Tales from the Crypt: Fingerprinting Attacks on Encrypted Channels by Way of Retainting [chapter]

Michael Valkering, Asia Slowinska, Herbert Bos
2009 Lecture Notes in Electrical Engineering  
Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of ... ture. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
doi:10.1007/978-0-387-85555-4_1 fatcat:zclr3m3rojchbnm5t3ez637r4m