back to the whiteboard a principled approach for the
play

Back to the Whiteboard: a Principled Approach for the Assessment and - PowerPoint PPT Presentation

Oct 01, 2022 •161 likes •648 views

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security 19 Memory Forensics - Introduction Infected Machine Memory Dump Analysis

  1. Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security ’19

  2. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  3. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  4. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  5. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  6. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  7. Memory Forensics - Analysis Extract the following information: • List processes, kernel modules • Open fjles, memory mappings, sockets.. • System information: routing table, kernel logs.. ... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows! 2

  8. Memory Forensics - Analysis Extract the following information: • List processes, kernel modules • Open fjles, memory mappings, sockets.. • System information: routing table, kernel logs.. ... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows! 2

  9. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  10. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  11. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  12. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next linux_pslist task_struct task_struct init_task 3

  13. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next linux_pslist task_struct task_struct init_task 3

  14. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  15. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  16. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  17. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  18. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  19. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  20. end while Kernel Graph - Creation Challenge Kernel “abstract data types” 6 worklist ← kernel global variables; while worklist ̸ = ∅ do s ← worklist . pop () ; new _ structs ← Explore ( s ) ; worklist . push ( new _ structs ) ;

  21. end while Kernel Graph - Creation Challenge Kernel “abstract data types” 6 worklist ← kernel global variables; while worklist ̸ = ∅ do s ← worklist . pop () ; new _ structs ← Explore ( s ) ; worklist . push ( new _ structs ) ;

  22. Kernel Graph - ADT Challenge task_struct task_struct task_struct list_head tasks list_head tasks list_head tasks … … 7

  23. Kernel Graph - ADT Challenge … children list_head children list_head children list_head … tasks task_struct list_head tasks list_head tasks list_head task_struct task_struct 7

  24. Kernel Graph - ADT Challenge … siblings list_head siblings list_head children list_head … tasks task_struct list_head tasks list_head tasks list_head task_struct task_struct 7

  25. Kernel Graph - ADT Challenge Solved with a Clang plugin that analyzes the kernel AST list_add(&p->tasks, &init_task.tasks); list_add(&p->sibling, &p->children); struct task_struct.tasks -> struct task_struct.tasks struct task_struct.children -> struct .task_struct.siblings 8

  26. The Graph • 100k Structures (Nodes) • 840k Pointers (Edges) 9

  27. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  28. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  29. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  30. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  31. Proposed Metrics • Atomicity • Stability • Consistency • Generality • Reliability 11

  32. Proposed Metrics • Atomicity • Stability • Consistency • Generality • Reliability 11

  33. Metrics Atomicity : distance in memory between two connected structures 0x10 0x40 0x50 0x20 0x60 0x50 0x90 0x70 0x10 12

  34. Metrics Stability : how long an edge remains stable in a running machine • 25 snapshots at [0s, 1s, 5s, ..., 3h] 1s 10s 15s 30s 12

  35. Metrics Consistency : Atomicity + Stability A B 12 ✗ ✓ ✓ ✓

  36. Evaluation of Current Analyses 495 12,000 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 10 linux_ifconfig linux_pidhashtable 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 12 0 Volatility Plugin 12,000 # Nodes Stability (s) Fast Slow linux_arp 13 linux_check_creds 14955 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 13

  37. Evaluation of Current Analyses 10 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 495 linux_pidhashtable 12 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 (contains on average 53% of total nodes) 12,000 linux_ifconfig Volatility Plugin 0 # Nodes Stability (s) Fast Slow linux_arp 13 12,000 linux_check_creds 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 14955 13 96% of the nodes → giant strongly connected component

  38. Evaluation of Current Analyses 10 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 495 linux_pidhashtable 12 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 Stability: 3 paths never changed in over 3 hours 12,000 linux_ifconfig Volatility Plugin 0 # Nodes Stability (s) Fast Slow linux_arp 13 12,000 linux_check_creds 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 14955 13 11 paths changed in less than 1 minute

  39. Evaluation of Current Analyses 495 0 linux_ifconfig 12 Volatility Plugin linux_lsmod 12 700 linux_lsof 821 0 linux_mount 10 linux_find_file linux_pidhashtable 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 Consistency: 5 inconsistent plugins when fast acquisition 7 inconsistent plugins when slow acquisition 14955 12,000 13 2 # Nodes Stability Consistency (s) Fast Slow linux_arp 13 12,000 248 linux_check_creds 700 linux_check_modules 30 13 151 linux_check_tty ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✗ ✓ ✓ ✓ ✓ ✗ ✗ ✓ ✗ ✓ ✗ ✗ ✗ ✓ ✓

  40. Finding New Ways to List Processes Much harder than expected! • Hundreds of millions of paths when considering the shortest paths from every root node to every task_struct • Not every path represent an heuristics, because heuristics must be generated by an algorithm To limit the path explosion problem: • Removed every root node that is not connected to every task_struct • Remove edges used by known techniques (i.e. tasks fjeld) • Remove similar edges (parallel edges with same weights) • Merge similar paths into templates (struct type + remove adjacent same type nodes) Resulted in 4000 path templates! 14

Recommend

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS, INRIA, LIX Ecole Polytechnique joint work with Miguel Andr es, Nicol as Bordenabe, Catuscia Palamidessi, Marco Stronati PRINCESS QIF Day,

478 views • 45 slides
The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the

The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the

The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the vocal expression and perception of emotion Martijn Goudbeek Mirjam Broersma University of Tilburg MPI for Psycholinguistics LREC, Valetta, 19-21

646 views • 20 slides
A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June

A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June

A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June 15, 2018 1 Motivation In a statically-typed programming language with ADTs. Imagine we wrote an evaluator for a simple language: type expr = let

550 views • 53 slides
A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum

A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum

A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum Wiskunde & Informatica l.t.van.binsbergen@cwi.nl April 2020 Section 1 REPL theory Language implementations often provide an interpreter with a

759 views • 51 slides
A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together

A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together

A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together actions so that they are Turns multiple disk updates into a single disk write Atomic: either all happen or none write ahead a short note to a

481 views • 4 slides
Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard. 2 / 17 Recap of MitM attack Whiteboard 3 / 17 Searching for attacks By hand - Last week(s) Using the computer - This week 4 / 17

689 views • 23 slides
WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to

WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to

WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to your new classmates. Wi-fi: GA-Guest pw: yellowpencil YOUR INSTRUCTIONAL TEAM SASHA NICOLE DANTE Student Services Email:

1.37k views • 70 slides
Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data

Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data

Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data GOAL: I can record, compare, and interpret data using graphs. Todays Lesson: Tally Charts Practice: Tally Charts Use your whiteboard! Problem

346 views • 9 slides
P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

CIKM Applied Research Paper P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju Junhen eng g Hao , Tong Zhao, Jin Li, Xin Luna Dong, Christos Faloutsos, Yizhou Sun, Wei Wang Oct. 19-23, 2020 | Online

684 views • 24 slides
Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS,

Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS,

Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS, ATC Princeton University EATA January 7, 2007 Boston, MA Purposes and Goals Purposes and Goals Develop a sound biomechanical approach to

1.56k views • 122 slides
Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation

Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation

Back Pain John W. Engstrom, MD December 15, 2011 Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation Significant ownership interests and Management of Low Back Pain Consulting, speaker bureaus,

319 views • 14 slides
An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State

An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State

An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State University Department of Mathematics October 26, 2019 Back Story Tierneys approach: private communication. Back Story Tierneys approach:

1.19k views • 33 slides
Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of settings 2. Too fast Too much material for time available More time on math parts, proofs Awkwardly placed midterm Too many details,

525 views • 20 slides
The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle

The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle

The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle | Definitions Principle: A rule or standard, especially of good behavior Software: (...) and symbolic languages that control the

600 views • 32 slides
A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e

A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e

A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e Imperial College London Resource Reasoning Meeting 1/40 The Team Thomas Philippa Gareth Smith Wood Gardner Petar Jos e Fragoso Maksimovi

645 views • 40 slides
Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more

Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more

Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more than ever for their immediacy, convenience and productivity benefits To share with everyone 1 in 4 workers video conference every day but they

453 views • 13 slides
The Digital Services Tax: A Principled Proposal for the Future of International Taxation Wei Cui

The Digital Services Tax: A Principled Proposal for the Future of International Taxation Wei Cui

The Digital Services Tax: A Principled Proposal for the Future of International Taxation Wei Cui University of British Columbia, Allard School of Law National Tax Association Spring Symposium May 17, 2019 Main Claims Digital services tax

567 views • 29 slides
Principled Learning Method for Wasserstein Distributionally Robust Optimization with Local

Principled Learning Method for Wasserstein Distributionally Robust Optimization with Local

Principled Learning Method for Wasserstein Distributionally Robust Optimization with Local Perturbations Yongchan Kwon 1 Wonyoung Kim 2 Joong-Ho Won 2 Myunghee Cho Paik 2 1 Department of Biomedical Data Science, Stanford University 2 Department of

937 views • 18 slides
LIGA and Syllabification Approach for Language Identification and Back Transliteration : Shared

LIGA and Syllabification Approach for Language Identification and Back Transliteration : Shared

LIGA and Syllabification Approach for Language Identification and Back Transliteration : Shared Task Report by DA-IICT Shraddha Patel Vaibhavi Desai Problem Statement Subtask 1 : Query Word Labeling Suppose that q: w1 w2 w3 wn, is a query

411 views • 15 slides
and principled contributors within local and global communities. Inquirer Open-Minded

and principled contributors within local and global communities. Inquirer Open-Minded

Fosters student inquiry to develop skilled, knowledgeable, compassionate, and principled contributors within local and global communities. Inquirer Open-Minded Knowledgeable Caring Thinker Risk-Taker Communicator

532 views • 18 slides
A Principled Look at the Utility of Feedback in Congestion Control Mohit P. Tahiliani, Vishal

A Principled Look at the Utility of Feedback in Congestion Control Mohit P. Tahiliani, Vishal

A Principled Look at the Utility of Feedback in Congestion Control Mohit P. Tahiliani, Vishal Misra and K. K. Ramakrishnan National Institute of Technology Karnataka, India, Columbia University NY, University of California, Riverside, CA

391 views • 24 slides
Transitioning Back to School A Phased Approach Phases to Open School This framework provides

Transitioning Back to School A Phased Approach Phases to Open School This framework provides

Transitioning Back to School A Phased Approach Phases to Open School This framework provides guidance on the level of in person instruction that can be accommodated based on circumstances associated with the health pandemic. Movement is fluid

501 views • 18 slides
Designing and launching the next-generation database system: from whiteboard to production Guido

Designing and launching the next-generation database system: from whiteboard to production Guido

April 25, 2018 Designing and launching the next-generation database system: from whiteboard to production Guido Iaquinti $whoami Guido Iaquinti Operations Engineer in Dublin Member of the storage team No previous DBA experience

3.28k views • 99 slides
Back Pain John W. Engstrom, MD December 15, 2011 Disclosures Nothing to declare Clinical

Back Pain John W. Engstrom, MD December 15, 2011 Disclosures Nothing to declare Clinical

Back Pain John W. Engstrom, MD December 15, 2011 Disclosures Nothing to declare Clinical Approach to the Evaluation Harrisons Chapter 14 on Back Pain: UCSF and Management of Low Back Pain home page; library link; medical access

437 views • 14 slides

More recommend