Evaluating Atomicity and Integrity of Correct Memory Acquisition Methods
Michael Gruhn, Felix Freiling
2016-30-03
Department of Computer Science, IT Security Infrastructures
Friedrich-Alexander-University Erlangen-Nürnberg, Erlangen, Germany
Outline
• Introduction
  • Motivation
  • Atomicity, Integrity and Correctness per [Vömel and Freiling 2012]
    • Atomicity Violation
    • Integrity Violation
• Estimating Atomicity and Integrity
  • Payload Application
  • Atomicity and Integrity Deltas
• Results
• Take-Home and Future Research
2/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom
Motivation
• Memory analysis becomes more and more important:
  • Memory-resident malware
  • Disk-less clients
  • Persistent disk encryption
• To do proper analysis, memory must be acquired in a forensically sound way:
  • Correctness: the captured value at address X must represent the value in memory at address X
  • Atomicity
  • Integrity
Atomicity Violation per [Vömel and Freiling 2012]
Figure: Space-time diagram of an imaging procedure creating a non-atomic snapshot (memory regions r1 to r4).
Integrity Violation per [Vömel and Freiling 2012]
Figure: Integrity of a snapshot with respect to a specific point in time t (memory regions r1 to r4).
Estimating Atomicity and Integrity via Payload Application
• Application constantly increments counters placed in memory regions. The slides step through the first twelve increments, one region after the other:

  Step    Region 1   Region 2   Region 3   Region 4
  Start          0          0          0          0
  1              1          0          0          0
  2              1          1          0          0
  3              1          1          1          0
  4              1          1          1          1
  5              2          1          1          1
  6              2          2          1          1
  7              2          2          2          1
  8              2          2          2          2
  9              3          2          2          2
  10             3          3          2          2
  11             3          3          3          2
  12             3          3          3          3

• A perfectly atomic capture contains only two consecutive counter values
• A capture has perfect integrity when the counter values are those from when the capture was started
• Details in the paper
Estimating Atomicity and Integrity via Deltas
Figure: Atomicity and integrity in a maximum load scenario (memory regions r1 to r4 plotted over time t, with the Integrity ∆ and Atomicity ∆ marked).
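An added simulation of the counter payload from the previous slides and of the two deltas; this is illustration code written for this page, not the authors' rammangler code. It assumes a payload that increments n region counters round-robin, one increment per tick, and an imager that copies region i at tick capture_start + read_offsets[i]; the two estimators (spread of the copied counters for atomicity, mean increment lag relative to capture start for integrity) are chosen to reproduce the slide's criteria and are not the paper's exact formulas.

```python
"""Counter-payload simulation for atomicity/integrity estimation (added example).

Assumed model: n regions, round-robin incrementing payload (one increment per tick),
imager copies region i at tick capture_start + read_offsets[i].
"""
from statistics import mean


def payload_counter(region, tick, n_regions):
    """Counter of `region` (0-based) after `tick` ticks.

    Region r is incremented on ticks r, r + n_regions, r + 2*n_regions, ...;
    the counter is the number of those increments that happened before `tick`.
    """
    if tick <= region:
        return 0
    return (tick - 1 - region) // n_regions + 1


def simulate_capture(n_regions, capture_start, read_offsets):
    """Return (counter values at capture start, counter values the imager copied)."""
    start = [payload_counter(r, capture_start, n_regions) for r in range(n_regions)]
    captured = [payload_counter(r, capture_start + read_offsets[r], n_regions)
                for r in range(n_regions)]
    return start, captured


def atomicity_delta(captured):
    """Spread between newest and oldest counter in the image (assumed estimator).

    A perfectly atomic image holds at most two consecutive values (delta 0 or 1),
    since the snapshot may fall in the middle of one payload round.
    """
    return max(captured) - min(captured)


def integrity_delta(start, captured):
    """Mean number of increments the copied values are ahead of the capture-start
    state (assumed estimator); 0 means the image shows exactly that state."""
    return mean(c - s for s, c in zip(start, captured))


def is_atomic(captured):
    """Slide criterion: only two consecutive counter values in the image."""
    return atomicity_delta(captured) <= 1


if __name__ == "__main__":
    # Same state as the slides: four regions, every counter at 3 after 12 ticks.
    for label, offsets in [("instantaneous", [0, 0, 0, 0]),
                           ("mid-round", [1, 1, 1, 1]),
                           ("slow sequential", [0, 3, 6, 9])]:
        start, captured = simulate_capture(4, 12, offsets)
        print(label, start, captured, atomicity_delta(captured),
              round(integrity_delta(start, captured), 2))
```

The instantaneous and mid-round imagers both count as atomic (delta 0 and 1), while the sequential imager that needs three ticks per region already shows three distinct values and a mean lag of one increment.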
Atomicity and Integrity Upper Bounds (Worst Case)

  Tool                    Atomicity Delta   Integrity Delta
  msramdump                             1             43.84
  memimager                             1             63.28
  VirtualBox                            1             26.64
  QEMU                                  1             35.24
  ProcDump (-r)                         0             39.75
  ProcDump                              1             36.50
  Windows Task Manager                  1            728.54
  pmdump                               37            136.62
  WinPMEM                           13230           5682.24
  FTK Imager                        13151           5917.24
  win64dd                           15039           8077.54
  win64dd (/m 1)                    15039           8172.28
  DumpIt                            15711           8500.09
  inception                         43898          22056.77
Figure: Acquisition plot of pmdump
Figure: Memory acquisition technique comparison (acquisition plot)
Figure: Memory acquisition technique comparison (acquisition density plot)
Figure: Each acquisition's position inside an atomicity/integrity matrix (x axis: Atomicity Delta, y axis: Integrity Delta, both in units of 10^4; plotted tools: inception, DumpIt, win64dd, FTK Imager, WinPMEM, VirtualBox, ProcDump, Cold-Boot Attacks, pmdump).
Take-Home and Future Research
• DMA exhibited the greatest memory smear
  • Is inception/Python the issue?
  • Will PCI DMA perform better?
  • Does DMA increase concurrency?
• How do state-of-the-art research methods (Body-Snatcher) perform?
• What is the impact of non-atomic memory captures on analysis?
• 2-Take Approach solution?

Source code available at https://www1.cs.fau.de/projects/rammangler
Slides and paper available at https://http://www.dfrws.org/2016eu/program.shtml

Warning about "Source Code": it's what they call "research" code:
  for(i=0; /*FIXME ... we assume success */; i++)
Questions? 42.