
Evaluating Atomicity, and Integrity of Correct Memory Acquisition - PowerPoint PPT Presentation


  1. Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods
     Michael Gruhn, Felix Freiling, 2016-30-03
     Department Computer Science, IT Security Infrastructures, Friedrich-Alexander-University Erlangen-Nürnberg, Erlangen, Germany

  2. Outline
     Introduction: Motivation; Atomicity, Integrity and Correctness per [Vömel and Freiling 2012]; Atomicity Violation; Integrity Violation
     Estimating Atomicity and Integrity: Payload Application; Atomicity and Integrity Deltas
     Results
     Take-Home and Future Research
     2/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  3. Motivation
     • Memory analysis becomes more and more important:
       • Memory-resident malware
       • Disk-less clients
       • Persistent disk encryption
     • To do proper analysis, memory must be acquired forensically sound:
       • Correctness: the captured value at address X must represent the value in memory at address X
       • Atomicity
       • Integrity

  4. Atomicity Violation per [Vömel and Freiling 2012]
     Figure: Space-time diagram (memory regions r1 to r4) of an imaging procedure creating a non-atomic snapshot.

  5. Integrity Violation per [Vömel and Freiling 2012]
     Figure: Integrity of a snapshot (memory regions r1 to r4) with respect to a specific point in time t.

  7.-20. Estimating Atomicity and Integrity via Payload Application
     • Application constantly increments counters placed in memory regions (slide 7 shows the start state, slides 8-20 animate the running application, one region incremented per step):

       Slide             :  7  8  9 10 11 12 13 14 15 16 17 18 19 20
       Region 1 counter  :  0  1  1  1  1  2  2  2  2  3  3  3  3  3
       Region 2 counter  :  0  0  1  1  1  1  2  2  2  2  3  3  3  3
       Region 3 counter  :  0  0  0  1  1  1  1  2  2  2  2  3  3  3
       Region 4 counter  :  0  0  0  0  1  1  1  1  2  2  2  2  3  3

     • A perfectly atomic capture contains only two consecutive counter values
     • Perfect integrity: the captured counter values are those from when the capture was started
     • Details in the paper

  21. Estimating Atomicity and Integrity via Deltas
      Figure: Atomicity delta and integrity delta (memory regions r1 to r4 over time t) in a maximum load scenario.
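A small simulation of the counter payload from slides 7-20 and of the two deltas from slide 21, as an added example (not code from the paper or from the rammangler project). The slides defer the exact delta definitions to the paper, so the scoring rules in the docstring are my assumptions:

```python
"""Added example: simulate the counter-payload method from slides 7-21 and
score a captured snapshot. Not code from the paper or the rammangler tool.

Assumptions (mine, the slides defer to the paper for the exact definitions):
  * the payload increments the regions round robin, one region per tick;
  * atomicity delta = max - min of the captured counters, so a perfectly
    atomic capture (two consecutive values) scores 1 and a frozen one 0;
  * integrity delta = mean distance of the captured counters from their
    values at the moment the capture started.
"""
from statistics import mean


def payload_state(n_regions, ticks):
    """Counter per region after `ticks` round-robin increments."""
    base, extra = divmod(ticks, n_regions)
    return [base + (1 if r < extra else 0) for r in range(n_regions)]


def acquire(n_regions, start_tick, ticks_per_region, order=None):
    """Image the regions one by one while the payload keeps running.

    Region order[i] is read after start_tick + i * ticks_per_region ticks,
    so a slow imager records counters that moved on since the capture began
    (the "smear" the slides measure).
    """
    order = list(range(n_regions)) if order is None else order
    snapshot = [0] * n_regions
    for i, region in enumerate(order):
        state = payload_state(n_regions, start_tick + i * ticks_per_region)
        snapshot[region] = state[region]
    return snapshot


def atomicity_delta(snapshot):
    """Spread of counter values inside one snapshot."""
    return max(snapshot) - min(snapshot)


def integrity_delta(snapshot, n_regions, start_tick):
    """How far the snapshot drifted from the state when capture started."""
    start = payload_state(n_regions, start_tick)
    return mean(s - b for s, b in zip(snapshot, start))


if __name__ == "__main__":
    for label, cost in (("VM-style instant snapshot", 0), ("slow imager", 4)):
        snap = acquire(4, start_tick=13, ticks_per_region=cost)
        print(f"{label:25s} {snap} atomicity={atomicity_delta(snap)} "
              f"integrity={integrity_delta(snap, 4, 13)}")
```

With four regions the instant snapshot reproduces the "two consecutive values" case from slide 20, while a reader that needs four ticks per region already spreads over three values and drifts 1.5 increments on average from the start state.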

  22. Atomicity and Integrity Upper Bounds (Worst Case)

      Method                 Atomicity Delta   Integrity Delta
      msramdump                          1            43.84
      memimager                          1            63.28
      VirtualBox                         1            26.64
      QEMU                               1            35.24
      ProcDump (-r)                      0            39.75
      ProcDump                           1            36.50
      Windows Task Manager               1           728.54
      pmdump                            37           136.62
      WinPMEM                        13230          5682.24
      FTK Imager                     13151          5917.24
      win64dd                        15039          8077.54
      win64dd (/m 1)                 15039          8172.28
      DumpIt                         15711          8500.09
      inception                      43898         22056.77

  23. Figure: Acquisition plot of pmdump

  24. Figure: Memory acquisition technique comparison (acquisition plot)

  25. Figure: Memory acquisition technique comparison (acquisition density plot)

  26. Figure: Position of each acquisition method inside an atomicity/integrity matrix (x-axis: Atomicity Delta, scaled by 10^4; y-axis: Integrity Delta, scaled by 10^4; plotted methods: inception, DumpIt, win64dd, FTK Imager, WinPMEM, VirtualBox, ProcDump, pmdump, Cold-Boot Attacks)

  27. Take-Home and Future Research
      • DMA exhibited the greatest memory smear
        • Is inception/Python the issue?
        • Will PCI DMA perform better?
        • Does DMA increase concurrency?
      • How do state-of-the-art research methods (Body-Snatcher) perform?
      • What is the impact of non-atomic memory captures on analysis?
      • 2-Take Approach as a solution?

      Source code available at https://www1.cs.fau.de/projects/rammangler
      Slides and paper available at http://www.dfrws.org/2016eu/program.shtml
      Warning about "Source Code": It's what they call "research" code: for(i=0; /*FIXME ... we assume success */; i++)

  28. Questions? 42.
