Proceedings of EC2ND'07:
Tales from the Crypt: fingerprinting attacks on encrypted channels by way of retainting
Michael Valkering, Asia Slowinska, Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands

Abstract
Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
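The following is an added toy model (not code from the paper or from Hassle) of the mechanism the abstract describes: each network byte carries a tag pointing to its offset in the trace, decryption either propagates those tags or retaints its output to point at the decrypted buffer, and a signature is cut by correlating the tags of an overwritten return-address slot with whichever buffer they point into. The XOR keystream cipher, the 4-byte slot check and the payload are constructed stand-ins; the point is that only the retainted run yields the same signature across sessions with different keys.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tag:
    """Taint tag: a pointer to the byte's origin in some buffer."""
    source: str   # "trace" (ciphertext as captured) or "plain" (decrypted data)
    offset: int

def receive(trace):
    """Every byte read from the network is tainted with its trace offset."""
    return [(b, Tag("trace", i)) for i, b in enumerate(trace)]

def xor_decrypt(tainted, key, retaint):
    """Stand-in cipher (XOR keystream, constructed for the example).
    Without retainting the taint propagates through the decrypt loop, so
    output bytes still point at ciphertext; with retainting they point at
    the decrypted buffer instead."""
    plain = bytes(b ^ key[i % len(key)] for i, (b, _) in enumerate(tainted))
    out = [(plain[i], Tag("plain", i) if retaint else tag)
           for i, (_, tag) in enumerate(tainted)]
    return plain, out

def detect_overwrite(mem, ret_slot):
    """Attack = a 4-byte return-address slot made entirely of tainted bytes.
    Returns the tags of those bytes, or [] if nothing is wrong."""
    slot = mem[ret_slot:ret_slot + 4]
    if len(slot) == 4 and all(tag is not None for _, tag in slot):
        return [tag for _, tag in slot]
    return []

def signature(tags, trace, plain, context):
    """Correlate the tags with the buffer they point into and cut a window
    of `context` bytes before the overwritten slot (toy signature)."""
    src = plain if tags[0].source == "plain" else trace
    lo = max(0, min(t.offset for t in tags) - context)
    hi = min(len(src), max(t.offset for t in tags) + 1)
    return src[lo:hi]

def run(key, retaint):
    """One encrypted session: payload of 8 filler bytes + fake return address."""
    payload = b"A" * 8 + b"\xef\xbe\xad\xde"           # constructed attack input
    cipher = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    plain, mem = xor_decrypt(receive(cipher), key, retaint)
    tags = detect_overwrite(mem, ret_slot=8)  # slot lands at plain[8:12]
    return signature(tags, cipher, plain, context=8) if tags else b""

if __name__ == "__main__":
    print(run(b"\x01\x02\x03", retaint=True))   # same bytes for every key
    print(run(b"\x01\x02\x03", retaint=False))  # session-specific ciphertext
```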
