Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques
Fabio Pagani and Davide Balzarotti
USENIX Security '19
Memory Forensics - Introduction
Infected Machine → Memory Dump → Analysis → Evidence
Memory Forensics - Analysis
Extract the following information:
• List processes, kernel modules
• Open files, memory mappings, sockets, ...
• System information: routing table, kernel logs, ...
... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows!
Memory Forensics - Listing Processes
[Figure: two ways to reach every task_struct. linux_pslist starts from init_task and walks the doubly linked list formed by the tasks field (next/prev) of each task_struct; linux_pidhashtable starts from the pid_hash table and follows its entries to the task_structs.]
Motivations
Forensic analyses are manually created by humans.
• Are there other techniques to list processes? Linux kernel 4.19 has ~6000 structures with ~40000 fields.
• How can we compare them? Which is the shortest one? Which is the most stable across different kernels?
Contributions
1. Build a graph of kernel structures
2. Study analyses as paths on the graph
3. Define metrics to evaluate analyses
[Figure: a path init_task → task_struct → task_struct → ... drawn on the graph, with a numeric weight on each edge]
Kernel Graph - Creation
worklist ← kernel global variables;
while worklist ≠ ∅ do
    s ← worklist.pop();
    new_structs ← Explore(s);
    worklist.push(new_structs);
end while
Challenge: kernel "abstract data types"
Kernel Graph - ADT Challenge
[Figure: task_struct nodes connected only through their embedded list_head fields (tasks, children, siblings); the next/prev pointers of a list_head point to other list_heads, not to a typed structure, so the field types alone do not say which structures a list links together]
Kernel Graph - ADT Challenge
Solved with a Clang plugin that analyzes the kernel AST:
list_add(&p->tasks, &init_task.tasks);  →  struct task_struct.tasks -> struct task_struct.tasks
list_add(&p->sibling, &p->children);    →  struct task_struct.children -> struct task_struct.sibling
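The worklist construction and the list_head resolution above, as an added example that is not the paper's tool: kernel types, globals and list_add() call sites are a constructed toy subset, and the call-site table stands in for what the Clang plugin extracts from the AST. Building the graph with resolve_adt=False shows the problem the plugin solves: every list collapses into a single list_head node.

```python
"""Added example (not the paper's tool): the worklist graph construction from
the slides, with list_head fields resolved to the structures they actually
link by looking at recorded list_add() call sites, which is what the Clang
plugin recovers from the kernel AST. Types, globals and call sites are a
constructed toy subset of the Linux kernel, not real kernel definitions."""
from collections import deque

# struct -> [(field, type)]; a trailing "*" marks a pointer to that struct.
STRUCTS = {
    "task_struct": [("tasks", "list_head"), ("children", "list_head"),
                    ("sibling", "list_head"), ("mm", "mm_struct*")],
    "mm_struct": [("owner", "task_struct*")],
    "list_head": [("next", "list_head*"), ("prev", "list_head*")],
    "module": [("list", "list_head")],  # unreachable: no global points to it
}
GLOBALS = {"init_task": "task_struct"}
# list_add(&new->f, &head->g) call sites as ((new struct, f), (head struct, g)).
LIST_ADD_SITES = [
    (("task_struct", "tasks"), ("task_struct", "tasks")),
    (("task_struct", "sibling"), ("task_struct", "children")),
]

def explore(struct, resolve_adt=True):
    """Edges leaving `struct` as (src.field, dst struct)."""
    edges = set()
    for field, ftype in STRUCTS.get(struct, ()):
        if ftype.endswith("*"):
            edges.add((f"{struct}.{field}", ftype[:-1]))
        elif ftype == "list_head" and not resolve_adt:
            # Naive: the embedded list_head is just another node, so every
            # list collapses into list_head -> list_head.
            edges.add((f"{struct}.{field}", "list_head"))
        elif ftype == "list_head":
            # The list_head's next/prev reach list_heads embedded in whatever
            # structs the call sites link into this list; emit edges to those.
            for (ns, nf), (hs, hf) in LIST_ADD_SITES:
                if (struct, field) in ((ns, nf), (hs, hf)):
                    edges.add((f"{struct}.{field}", ns))
                    edges.add((f"{struct}.{field}", hs))
    return edges

def build_graph(globals_=GLOBALS, resolve_adt=True):
    """Worklist exploration starting from the kernel global variables."""
    worklist, nodes, edges = deque(globals_.values()), set(), set()
    while worklist:
        s = worklist.popleft()
        if s in nodes:
            continue
        nodes.add(s)
        new = explore(s, resolve_adt)
        edges |= new
        worklist.extend(dst for _, dst in new)
    return nodes, edges
```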
The Graph
• 100k structures (nodes)
• 840k pointers (edges)
Metrics - Rationale
Metrics should capture different aspects of memory forensics:
• Non-atomic memory acquisition (i.e. kernel driver)
• Layout of kernel structures changes across different kernel versions and configurations
• Attackers can modify kernel structures
Proposed Metrics
• Atomicity
• Stability
• Consistency
• Generality
• Reliability
Metrics
Atomicity: distance in memory between two connected structures
[Figure: example path with the memory distance of each edge]
Stability: how long an edge remains stable in a running machine
• 25 snapshots at [0s, 1s, 5s, ..., 3h]
[Figure: example path with a stability value on each edge (1s, 10s, 15s, 30s)]
Consistency: Atomicity + Stability
[Figure: two paths A and B, each edge marked consistent (✓) or inconsistent (✗)]
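The three metrics applied to a toy linux_pslist-style path, as an added example that is not from the paper: addresses, snapshot values and acquisition rates are constructed, and the consistency rule (memory read linearly at a fixed rate, so an edge is consistent only if its pointer outlives the time needed to reach the other end) is this example's simplification of "Atomicity + Stability", not the paper's formal definition.

```python
"""Added example (not from the paper): atomicity, stability, consistency.

Toy path init_task -> task_struct -> task_struct (the list walk behind
linux_pslist) with constructed addresses and snapshot values. Simplifying
assumption of this example: memory is acquired linearly at a fixed rate, so
structures d bytes apart are captured d / rate seconds apart, and an edge is
consistent only if its pointer stays unchanged at least that long.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    src_addr: int  # structure holding the pointer
    dst_addr: int  # structure the pointer refers to

def atomicity(edge):
    """Distance in bytes between the two connected structures."""
    return abs(edge.dst_addr - edge.src_addr)

def edge_stability(samples):
    """samples: (seconds, pointer value) per snapshot, in time order. Returns
    the last time the pointer still held its initial value (a lower bound)."""
    t0, v0 = samples[0]
    stable_until = t0
    for t, v in samples[1:]:
        if v != v0:
            break
        stable_until = t
    return stable_until

def edge_consistent(edge, stability_s, bytes_per_sec):
    """Both ends can be captured before the pointer changes."""
    return stability_s >= atomicity(edge) / bytes_per_sec

def path_consistent(path, samples_per_edge, bytes_per_sec):
    return all(edge_consistent(e, edge_stability(s), bytes_per_sec)
               for e, s in zip(path, samples_per_edge))

# Constructed snapshot schedule (subset of the paper's 25 snapshots, 0s..3h).
TIMES = [0, 1, 5, 10, 15, 30, 60, 300, 600, 1800, 3600, 10800]
PATH = [Edge("init_task", "task#1", 0x10000000, 0x10004000),
        Edge("task#1", "task#2", 0x10004000, 0x70000000)]
# Edge 0 never changes; edge 1's neighbour exits and is replaced at t=30s.
SAMPLES = [[(t, 0x10004000) for t in TIMES],
           [(t, 0x70000000 if t < 30 else 0x70008000) for t in TIMES]]
FAST, SLOW = 2 ** 30, 2 ** 24  # ~1 GiB/s vs ~16 MiB/s (e.g. kernel driver to disk)
```

With the fast rate the second edge is captured about 1.5 s after the first and the path is consistent; at the slow rate the same edge needs about 96 s, longer than its 15 s stability, so the path is inconsistent.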
Evaluation of Current Analyses
[Table: one row per Volatility plugin with columns Volatility Plugin, # Nodes, Stability (s), Consistency (Fast, Slow); the per-row values are garbled in the extraction]
Plugins evaluated: linux_arp, linux_check_creds, linux_check_modules, linux_check_tty, linux_find_file, linux_ifconfig, linux_lsmod, linux_lsof, linux_mount, linux_pidhashtable, linux_proc_maps, linux_pslist
• # Nodes: contains on average 53% of the total nodes; 96% of the nodes → giant strongly connected component
• Stability: 3 paths never changed in over 3 hours; 11 paths changed in less than 1 minute
• Consistency: 5 inconsistent plugins with fast acquisition; 7 inconsistent plugins with slow acquisition
Finding New Ways to List Processes
Much harder than expected!
• Hundreds of millions of paths when considering the shortest paths from every root node to every task_struct
• Not every path represents a heuristic, because heuristics must be generated by an algorithm
To limit the path explosion problem:
• Removed every root node that is not connected to every task_struct
• Removed edges used by known techniques (i.e. the tasks field)
• Removed similar edges (parallel edges with the same weights)
• Merged similar paths into templates (struct type + remove adjacent same-type nodes)
Resulted in 4000 path templates!