
Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques (PowerPoint presentation)



  1. Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security ’19

  2. Memory Forensics - Introduction
  [Figure: Infected Machine → Memory Dump → Analysis → Evidence]

  7. Memory Forensics - Analysis
  Extract the following information:
  • List processes, kernel modules
  • Open files, memory mappings, sockets..
  • System information: routing table, kernel logs..
  ... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows!

  9. Memory Forensics - Listing Processes
  [Figure: two ways of reaching every task_struct: linux_pidhashtable follows pid_hash to each task_struct, while linux_pslist walks the circular tasks list (prev/next) starting from init_task]

  14. Motivations
  Forensic analyses are manually created by humans.
  • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fields
  • How can we compare them? Shortest one? Most stable across different kernels?

  17. Contributions
  • Build a graph of kernel structures
  • Study analyses as paths on the graph
  • Define metrics to evaluate analyses
  [Figure: a path from init_task through several task_struct nodes, with numeric weights on the edges]

  20. Kernel Graph - Creation
      worklist ← kernel global variables;
      while worklist ≠ ∅ do
          s ← worklist.pop();
          new_structs ← Explore(s);
          worklist.push(new_structs);
      end while
  Challenge: Kernel "abstract data types"

  22. Kernel Graph - ADT Challenge
  [Figure: task_struct nodes connected through their embedded list_head fields (tasks, children, siblings); the pointers run between the list_head fields rather than between the task_structs themselves]

  25. Kernel Graph - ADT Challenge
  Solved with a Clang plugin that analyzes the kernel AST:
      list_add(&p->tasks, &init_task.tasks);   → struct task_struct.tasks -> struct task_struct.tasks
      list_add(&p->sibling, &p->children);     → struct task_struct.children -> struct task_struct.siblings

  26. The Graph
  • 100k Structures (Nodes)
  • 840k Pointers (Edges)

  27. Metrics - Rationale
  Metrics should capture different aspects of memory forensics:
  • Non-atomic memory acquisition (e.g. kernel driver)
  • Layout of kernel structures changes across different kernel versions and configurations
  • Attackers can modify kernel structures

  31. Proposed Metrics
  • Atomicity
  • Stability
  • Consistency
  • Generality
  • Reliability

  33. Metrics
  Atomicity: distance in memory between two connected structures
  [Figure: a path whose edges are labelled with memory distances 0x10, 0x40, 0x50, 0x20, 0x60, 0x50, 0x90, 0x70, 0x10]

  34. Metrics
  Stability: how long an edge remains stable in a running machine
  • 25 snapshots at [0s, 1s, 5s, ..., 3h]
  [Figure: edges annotated with stability values 1s, 10s, 15s, 30s]

  35. Metrics
  Consistency: Atomicity + Stability
  [Figure: two cases, A and B, with each edge marked ✓ (consistent) or ✗ (inconsistent)]
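The three metrics on slides 33 to 35 are defined only informally there. The block below is an added example, written for this page and not taken from the paper or its authors' tooling, that computes them for one constructed path. Atomicity and stability follow the slide wording (address distance per edge; seconds until a pointer changes across snapshots). Consistency combines them under an assumed acquisition model, which is not the paper's: memory is copied linearly from the lowest to the highest address of the path at a fixed throughput, and the path is consistent when that window is shorter than its least stable edge. The addresses, snapshot values and the fast/slow throughputs are all constructed.

```python
from typing import Dict, List, Tuple

Edge = Tuple[int, str, int]                          # (source address, field name, destination address)
Snapshot = Tuple[int, Dict[Tuple[int, str], int]]    # (time in s, {(struct address, field): pointer value})

# Constructed path under study (addresses and fields invented for illustration):
# init_task@0x1000 --tasks--> 0x2000 --tasks--> 0x3000 --mm--> 0x5200
EDGES: List[Edge] = [(0x1000, "tasks", 0x2000), (0x2000, "tasks", 0x3000), (0x3000, "mm", 0x5200)]

# Snapshot times in seconds: a shortened form of the slide's 25 snapshots at [0s, 1s, 5s, ..., 3h].
SNAPSHOT_TIMES = [0, 1, 5, 10, 15, 30, 60, 300, 3600, 10800]


def make_snapshots() -> List[Snapshot]:
    """Constructed snapshots: at 15 s the process at 0x3000 exits and the tasks list is relinked,
    so the pointer stored in 0x2000.tasks changes; the other two pointers never change."""
    snapshots = []
    for t in SNAPSHOT_TIMES:
        values = {
            (0x1000, "tasks"): 0x2000,
            (0x2000, "tasks"): 0x3000 if t < 15 else 0x4000,
            (0x3000, "mm"): 0x5200,
        }
        snapshots.append((t, values))
    return snapshots


def atomicity(edges: List[Edge]) -> List[int]:
    """Per-edge atomicity as on slide 33: distance in memory between the two connected structures."""
    return [abs(dst - src) for src, _, dst in edges]


def stability(edges: List[Edge], snapshots: List[Snapshot]) -> List[int]:
    """Per-edge stability as on slide 34: seconds until the pointer first differs from its
    value in the first snapshot. An edge that never changes gets the last snapshot time."""
    result = []
    for src, field, _ in edges:
        first = snapshots[0][1][(src, field)]
        changed_at = next((t for t, values in snapshots if values[(src, field)] != first), None)
        result.append(changed_at if changed_at is not None else snapshots[-1][0])
    return result


def consistency(edges: List[Edge], snapshots: List[Snapshot], bytes_per_second: float) -> Tuple[bool, float]:
    """Consistency = atomicity + stability under an ASSUMED acquisition model (not the paper's):
    memory is copied linearly from the lowest to the highest address of the path at a fixed
    throughput, so the whole path is captured within (address span / throughput) seconds.
    The path is consistent when that window is shorter than its least stable edge, i.e. every
    pointer on the path was still valid when its structure was copied.
    Returns (consistent, window_seconds)."""
    addresses = [a for src, _, dst in edges for a in (src, dst)]
    window = (max(addresses) - min(addresses)) / bytes_per_second
    return window < min(stability(edges, snapshots)), window


# Constructed throughputs standing in for the slides' fast and slow acquisition.
FAST_ACQUISITION = 4096.0    # bytes per second
SLOW_ACQUISITION = 512.0


if __name__ == "__main__":
    snaps = make_snapshots()
    print("atomicity:", atomicity(EDGES))
    print("stability:", stability(EDGES, snaps))
    for label, rate in (("fast", FAST_ACQUISITION), ("slow", SLOW_ACQUISITION)):
        ok, window = consistency(EDGES, snaps, rate)
        print(f"{label}: window {window:.2f}s ->", "consistent" if ok else "inconsistent")
```

With these inputs the same path is consistent under the fast acquisition (the 0x4200-byte span is copied in about 4 s, before the 15 s change) and inconsistent under the slow one (33 s), which is the fast/slow split the evaluation slides report per plugin.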

  36. Evaluation of Current Analyses
  [Table: Volatility Plugin | # Nodes | Stability (s) | Consistency (Fast / Slow acquisition), for linux_arp, linux_check_creds, linux_check_modules, linux_check_tty, linux_find_file, linux_ifconfig, linux_lsmod, linux_lsof, linux_mount, linux_pidhashtable, linux_proc_maps, linux_pslist; the per-plugin values are scrambled in this extraction]
  • 96% of the nodes → giant strongly connected component
  • Annotation on the # Nodes column: contains on average 53% of total nodes
  • Stability: 3 paths never changed in over 3 hours; 11 paths changed in less than 1 minute
  • Consistency: 5 inconsistent plugins when fast acquisition, 7 inconsistent plugins when slow acquisition

  40. Finding New Ways to List Processes
  Much harder than expected!
  • Hundreds of millions of paths when considering the shortest paths from every root node to every task_struct
  • Not every path represents a heuristic, because heuristics must be generated by an algorithm
  To limit the path explosion problem:
  • Remove every root node that is not connected to every task_struct
  • Remove edges used by known techniques (i.e. the tasks field)
  • Remove similar edges (parallel edges with same weights)
  • Merge similar paths into templates (struct type + remove adjacent same type nodes)
  Resulted in 4000 path templates!
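The worklist exploration on slide 20 and the four path-reduction steps on slide 40 are easiest to follow on a small graph. The block below is an added example written for this page, not the authors' Clang plugin or analysis code: it runs the worklist algorithm over a constructed toy memory image (invented struct types, field names and addresses, not Linux's real layouts), then applies the reductions, keeping roots that reach every task_struct, dropping the known tasks edges and parallel edges of equal weight (weight being the address distance, as in the slides' graph), and collapsing shortest paths into templates of struct types with adjacent repeats removed. It simplifies the slide's enumeration by taking one shortest path per root/target pair rather than all of them.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed toy memory image: address -> (struct type, {pointer field: target address}).
# Types, fields and addresses are invented for illustration and are not Linux's real layouts.
MEMORY: Dict[int, Tuple[str, Dict[str, int]]] = {
    0x1000: ("task_struct", {"tasks": 0x2000, "children": 0x2000, "mm": 0x5000, "active_mm": 0x5000}),
    0x2000: ("task_struct", {"tasks": 0x3000, "sibling": 0x3000, "mm": 0x5100, "active_mm": 0x5100}),
    0x3000: ("task_struct", {"tasks": 0x1000, "mm": 0x5200, "active_mm": 0x5200}),
    0x5000: ("mm_struct", {"owner": 0x1000}),
    0x5100: ("mm_struct", {"owner": 0x2000}),
    0x5200: ("mm_struct", {"owner": 0x3000}),
    0x9000: ("pid_hash_table", {"e0": 0x9100, "e1": 0x9200, "e2": 0x9300}),
    0x9100: ("pid_entry", {"task": 0x1000}),
    0x9200: ("pid_entry", {"task": 0x2000}),
    0x9300: ("pid_entry", {"task": 0x3000}),
    0xA000: ("net_device", {"next": 0xA100}),   # reaches no task_struct at all
    0xA100: ("net_device", {}),
}
# Constructed kernel global variables, the roots of the exploration: name -> address.
GLOBALS: Dict[str, int] = {"init_task": 0x1000, "pid_hash": 0x9000, "dev_base": 0xA000}

Edge = Tuple[int, str, int]     # (source address, field name, destination address)
Graph = Dict[int, List[Edge]]


def explore(addr: int) -> List[Edge]:
    """Outgoing pointer edges of the structure at addr (stands in for Explore(s) on slide 20)."""
    _, fields = MEMORY[addr]
    return [(addr, field, dst) for field, dst in fields.items() if dst in MEMORY]


def build_graph(roots: Dict[str, int]) -> Graph:
    """Worklist exploration starting from the global variables, as in the slide's pseudocode."""
    graph: Graph = {}
    worklist = deque(roots.values())
    while worklist:
        s = worklist.pop()
        if s in graph:                      # already explored
            continue
        graph[s] = explore(s)
        worklist.extend(dst for _, _, dst in graph[s] if dst not in graph)
    return graph


def shortest_path(graph: Graph, src: int, dst: int) -> Optional[List[int]]:
    """BFS returning one shortest path (list of addresses), or None if dst is unreachable."""
    parent: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[int] = []
            cur: Optional[int] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for _, _, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def prune_graph(graph: Graph, known_fields: FrozenSet[str]) -> Graph:
    """Drop edges used by known techniques, then parallel edges with the same weight.
    The weight is the address distance |dst - src|, the atomicity weight of the slides' graph."""
    pruned: Graph = {}
    for node, edges in graph.items():
        seen: Set[Tuple[int, int]] = set()
        kept: List[Edge] = []
        for src, field, dst in edges:
            if field in known_fields:
                continue
            key = (dst, abs(dst - src))
            if key in seen:                 # parallel edge with the same weight
                continue
            seen.add(key)
            kept.append((src, field, dst))
        pruned[node] = kept
    return pruned


def path_template(path: List[int]) -> Tuple[str, ...]:
    """Collapse a concrete path into a template: struct types with adjacent repeats removed."""
    template: List[str] = []
    for addr in path:
        t = MEMORY[addr][0]
        if not template or template[-1] != t:
            template.append(t)
    return tuple(template)


def find_templates(roots: Dict[str, int],
                   known_fields: FrozenSet[str] = frozenset({"tasks"})):
    """Apply the four reduction steps of slide 40; returns (useful roots, set of path templates)."""
    graph = build_graph(roots)
    targets = [a for a in graph if MEMORY[a][0] == "task_struct"]
    # 1. keep only the roots connected to every task_struct
    useful = {name: a for name, a in roots.items()
              if all(shortest_path(graph, a, t) is not None for t in targets)}
    # 2. and 3. remove known-technique edges and duplicate parallel edges
    pruned = prune_graph(graph, known_fields)
    # 4. merge the surviving shortest paths into templates
    templates: Set[Tuple[str, ...]] = set()
    for a in useful.values():
        for t in targets:
            p = shortest_path(pruned, a, t)
            if p is not None:
                templates.add(path_template(p))
    return useful, templates


if __name__ == "__main__":
    roots, templates = find_templates(GLOBALS)
    print("useful roots:", sorted(roots))
    for tpl in sorted(templates):
        print(" -> ".join(tpl))
```

On this toy image dev_base is discarded in step 1 because it never reaches a task_struct, the tasks edges and the active_mm duplicates disappear in steps 2 and 3, and the six remaining concrete paths fold into just two templates: the pid-hash route and a route that stays inside task_struct (via children and sibling), which is the kind of collapse that turns millions of paths into the slide's 4000 templates.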
