evaluating atomicity and integrity of correct memory
play

Evaluating Atomicity, and Integrity of Correct Memory Acquisition - PowerPoint PPT Presentation

Jan 24, 2023 •276 likes •592 views

Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods Michael Gruhn , Felix Freiling 2016-30-03 Department Computer Science IT Security Infrastructures Friedrich-Alexander-University Erlangen-Nrnberg Erlangen, Germany

  1. Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods Michael Gruhn , Felix Freiling 2016-30-03 Department Computer Science IT Security Infrastructures Friedrich-Alexander-University Erlangen-Nürnberg Erlangen, Germany EU

  2. EU Outline Introduction Motivation Atomicity, Integrity and Correctness per [Vömel and Freiling 2012] Atomicity Violation Integrity Violation Estimating Atomicity and Integrity Payload Application Atomicity and Integrity Deltas Results Take-Home and Future Research 2/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  3. EU Motivation • Memory Analysis becomes more and more important: • Memory resident malware • Disk-less clients • Persistent Disk Encryption • To do proper analysis memory must be acquired forensically sound • Correctness • captured value at address X must represent the value in memory at address X • Atomicity • Integrity 3/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  4. EU Atomicity Violation per [Vömel and Freiling 2012] r 1 r 2 r 3 r 4 Figure: Space-time diagram of imaging procedure creating non-atomic snapshot. 4/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  5. EU Integrity Violation per [Vömel and Freiling 2012] r 1 r 2 r 3 r 4 t Figure: Integrity of a snapshot with respect to a specific point in time t . 5/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  6. EU Outline Introduction Motivation Atomicity, Integrity and Correctness per [Vömel and Freiling 2012] Atomicity Violation Integrity Violation Estimating Atomicity and Integrity Payload Application Atomicity and Integrity Deltas Results Take-Home and Future Research 6/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  7. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Start: Memory Region Counter 1 0 2 0 3 0 4 0 7/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  8. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 0 3 0 4 0 8/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  9. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 1 2 3 0 4 0 9/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  10. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 1 3 1 4 0 10/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  11. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 1 3 1 4 1 11/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  12. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 1 3 1 4 1 12/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  13. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 1 4 1 13/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  14. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 2 4 1 14/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  15. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 2 4 2 15/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  16. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 2 3 2 4 2 16/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  17. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 2 4 2 17/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  18. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 2 18/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  19. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 3 19/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  20. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 3 • Perfect atomic capture has only two consecutive counter values • Perfect integer when counter values from when capture was started • Details in the paper 20/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  21. EU Estimating Atomicity and Integrity via Deltas r 4 r 3 r 2 r 1 Integrity ∆ Atomicity ∆ t Figure: Atomicity and integrity in a maximum load scenario. 21/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  22. EU Atomicity and Integrity Upper Bounds (Worst Case) (Worst Case) Atomicity Delta Integrity Delta msramdump 1 43.84 memimager 1 63.28 VirtualBox 1 26.64 QEMU 1 35.24 ProcDump (-r) 0 39.75 ProcDump 1 36.50 Windows Task Manager 1 728.54 pmdump 37 136.62 WinPMEM 13230 5682.24 FTK Imager 13151 5917.24 win64dd 15039 8077.54 win64dd (/m 1) 15039 8172.28 DumpIt 15711 8500.09 inception 43898 22056.77 22/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  23. EU Figure: Acquisition plot of pmdump 23/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  24. EU Figure: Memory acquisition technique comparison (acquisition plot) 24/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  25. EU Figure: Memory acquisition technique comparison (acquisition density plot) 25/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  26. EU · 10 4 inception 2 Integrity Delta 1 . 5 DumpIt 1 win64dd FTK Imager WinPMEM 0 . 5 VirtualBox ProcDump 0 Cold-Boot Attacks 0 1 2 3 4 pmdump Atomicity Delta · 10 4 Figure: Each acquisition position inside an atomicity/integrity-Matrix 26/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  27. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? 27 (1) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  28. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? • What is the impact of non-atomic memory captures on analysis? • 2-Take Approach solution? 27 (2) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  29. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? • What is the impact of non-atomic memory captures on analysis? • 2-Take Approach solution? Source Code available at https://www1.cs.fau.de/projects/rammangler Slides and Paper available at https://http://www.dfrws.org/2016eu/program.shtml Warning about "Source Code": It’s what they call "research" code: for(i=0; /*FIXME ... we assume success */; i++) 27 (3) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  30. EU Questions? 42. 28/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

Recommend

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a transaction happens or it does not Consistency: a correct database is still correct afterwards i.e. money balanced, no dangling pointers 3 ACID

712 views • 29 slides
Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp

Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp

10/30/19 Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp prediction negative fn tn prediction 1 10/30/19 Precision and recall Precision : % of predicted items that are correct P = tp/

117 views • 11 slides
On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha Jagadeesan James Riely Alasdair Armstrong Atomicity abstraction and weak memory How do we provide reliable atomicity abstractions? Concurrent

1.03k views • 59 slides
Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick Paderborn University Germany Our interest Proving correctness of algorithms allowing seemingly atomic access

445 views • 19 slides
Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop on Declarative Programming Languages for Multicore Architectures 15 January 2006 Atomicity Overview Atomicity: what, why, and why relevant

605 views • 17 slides
SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we

SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we

SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we know if our parser works? Count the number of correct labels in your tree...the label and the span it dominates must both be correct. [ label,

483 views • 25 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain & Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1

Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1

Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1 Introduction 2 State Machine 3 Sinfonia 4 Dangers of Replication Bailu Ding Atomicity Oct 18, 2012 2 / 38 Introduction Introduction Implementing

723 views • 43 slides
1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather

1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather

1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather attempts something fast that looks visually good enough. 3 (1.) MEMORY PROBLEM At huge resolutions with deferred rendering, memory used for render

619 views • 27 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder ,

Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder ,

Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder , Sebastian Pad c Zeljko Agi University of Zagreb, Faculty of Electrical Engineering and Computing Heidelberg University, Institut f

717 views • 16 slides
Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory

Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory

Introduction Methodology Performance Evaluation Conclusions References Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory Applications 1 Fernando Rui, 2 Mrcio Castro, 1 Dalvan Griebler, 1 Luiz

370 views • 16 slides
Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick,

Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick,

Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick, Alastair Armstrong Paderborn University Germany Access to shared state I Software transactional memory (STM) Synchronization of parallel

615 views • 19 slides
0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW

0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW

Bridging the Gap between Programming Languages and Hardware Weak Memory Models Anton Podkopaev Ori Lahav Viktor Vafeiadis 0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW PL HW is Memory Model

980 views • 74 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
Evaluating Grant Applications with Generalized Chain Block Designs in R Dedicated to the Memory

Evaluating Grant Applications with Generalized Chain Block Designs in R Dedicated to the Memory

Evaluating Grant Applications with Generalized Chain Block Designs in R Dedicated to the Memory of John Mandel Giles Crane, Cynthia Collins, and Karin Mille NJ Department of Health and Senior Services 1 Grant Application Review via

572 views • 33 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
Motivation Atomicity: Transactions may abort (Rollback). Logging and

Motivation Atomicity: Transactions may abort (Rollback). Logging and

Motivation Atomicity: Transactions may abort (Rollback). Logging and Durability: Recovery What if DBMS stops running? (Causes?) Chapter 18 Desired Behavior after crash! system restarts: If you are going to be in

648 views • 8 slides
Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure

Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure

Performance of Correct Procedure at Correct Body Site Patient Safety Solutions CONTENT Performance of Correct Statement of the Problem and Impact. Associated Issues. Procedure at Correct Suggested Actions. Looking Forward.

198 views • 3 slides
1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

400 views • 11 slides
Professional Integrity to Testing & Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing & Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing & Certification Practitioners Integrity Training for PCSTP Applicants Hong Kong Ethics Development Centre Independent Commission Against Corruption Competence Requirement Integrity Management

574 views • 23 slides

More recommend