Exploiting Generational Garbage Collection Using Data Remnants to Improve Memory Analysis and Digital Forensics - PowerPoint PPT Presentation


  1. Exploiting Generational Garbage Collection Using Data Remnants to Improve Memory Analysis and Digital Forensics
     Adam Pridgen, Rice University, Houston, TX, USA
     January 18, 2017
     Pridgen Exploiting Generational Garbage Collection 1

  2. Outline
     1 Introduction: Motivation, Contributions, Background
     2 Supporting Work: STAAF: Scaling Android Application Analysis; Radare Java Static Analysis
     3 Present but unreachable: Introduction, Background, Problem, Approach, Results, Conclusions
     4 Picking up the Trash: Introduction, Problem, Approach, Evaluation, Conclusions
     5 Conclusions
     6 References

  3. Introduction: Malware Compromises Happen

  4. Introduction: Flood of Questions

  5. Introduction / Motivation: Motivation (1)
     Figure: Stuxnet riding over an air gap into an ICS network [1].

  6. Introduction / Motivation: Motivation (2)
     - Threat actors looking to penetrate hard targets
     - Must research and innovate on existing methods
     - Exploit technology blind spots and implicit trust
     - Looking for knowledge gaps
     - Targeting technologies that are widely deployed
     - Exploring exploitation in all dimensions

  7. Introduction / Motivation: Motivation (3)
     Managed Runtimes
     - Widely used but not well understood
     - Runtimes are complex and evolve over time
     - Backwards compatibility is retained
     - Widely deployed; run on multiple platforms
     - Updates may not be feasible

  8. Introduction / Contributions
     - Developed tools for Java class and archive analysis
     - Established the feasibility of recovering artifacts
     - Created an approach for recovering managed objects
     - Developed a prototype targeting the HotSpot JVM

  9. Introduction / Background: Attacker Techniques
     Figure: Overview of attacker tactics.

  10. Introduction / Background: Documented Java Malware and Attacks
     Malware and Backdoors
     - Criminal: Adwind, JBot, etc. [2, 3, 4]
     - Espionage: PackRat and JavaFog [5, 6]
     Threat actors employing Java
     - Phishing [7, 4]
     - Waterholing [7, 4]
     Common Vulnerabilities and Exposures
     - HotSpot JVM: ≈ 34 since 2010 [8]
     - Java and frameworks: ≈ 1510 since 1999

  11. Introduction / Background: Digital Forensics Overview

  12. Introduction / Background: Related Work (Managed Runtime Analysis)
     - Viega explains the insecurity of managed runtimes [9]
     - Chow et al. solve secure deallocation on Unix [10, 11]
     - CleanOS: objects encrypted using a shared key [12]
     - Anikeev et al. focus on Android's collector [13]
     - Li shows RSA keys are retrievable in Python [14]

  13. Introduction / Background: Related Work (Memory Analysis)
     - Rekall and Volatility analysis frameworks [15, 16]
     Identifying data structures
     - Lin et al. perform automatic reverse engineering [17]
     - Lin et al. use graph-based signatures [18]
     - Dolan et al. focus on kernel structures [19]
     - Android memory forensics [20, 21, 22, 23, 24, 25]
     Data carving
     - Richard developed the Scalpel file carver [26]
     - Beverly et al. focus on network packets [27]
     - Hand et al. extract binaries from memory [28]

  14. Contents (section 2, Supporting Work: STAAF: Scaling Android Application Analysis; Radare Java Static Analysis)

  15. STAAF: Scaling Android Application Analysis with a Modular Framework
     Adam Pridgen and Ryan W. Smith (Praetorian, Austin, TX, USA; Rice University, Houston, TX, USA)
     Hawaii International Conference on System Sciences, 2012
     Smith and Pridgen STAAF 15

  16. Supporting Work / STAAF: Problem
     - Engineering scalable program analysis
     - Off-market Android stores contained malware
     - Android analysis tools fail to scale on their own
     - Developed an approach that pipelines analysis

  17. Supporting Work / STAAF: Results
     - A similar approach is used to measure latent secrets
     - Emphasizes scaling analysis horizontally
     - Creates a pipeline for pre- and post-analysis
     - Efficiently localizes analysis results in a database

  18. Reversing Java (Malware) with Radare
     Adam Pridgen (Rice University, Houston, TX, USA)
     InfoSec Southwest, 2014
     Pridgen Reversing Java (Malware) with Radare 18

  19. Supporting Work / Radare Java Static Analysis: Problem
     - Malware obfuscation would throw off analysis
     - Existing tools were built on Java
     - Tools overlooked corner cases
     - None of the tools allowed low-level manipulation

  20. Supporting Work / Radare Java Static Analysis: Java Malware Analysis Overview
     - Eclipse IDE: development environment for debugging
     - IDA Pro: marked-up analysis with no low-level access
     - JD-GUI: decompiles code, but the output cannot be corrected
     - Jython: drive Java code from a Python environment

  21. Supporting Work / Radare Java Static Analysis: Results (Radare Extensions)
     - Low-level JAR and class file manipulation
     - Analysis of class file artifacts
     - Inject bytecode for runtime analysis
     - Rewrite symbolic references (constant-pool entries) for hooking
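The last two bullets describe what low-level class file manipulation buys an analyst: a method call in Java bytecode is a symbolic reference into the constant pool (Methodref → Class → Utf8), so rewriting the Utf8 entry redirects every call site at once, without touching the bytecode itself. The following is an added example, written for this page and not taken from Pridgen's radare2 extensions: it parses the constant pool of a class file, resolves a Methodref, and redirects references to one class at a hypothetical shim class. The sample class file is constructed inline and truncated after this_class/super_class; the names `demo/App` and `hook/RuntimeShim` are assumptions. Rewriting the class name in this way is sound for static calls (invokestatic); virtual calls would also need the shim to satisfy the verifier's type check.

```python
import struct

# Constant-pool tags from the JVM class file format (JVMS chapter 4).
CONSTANT_Utf8, CONSTANT_Long, CONSTANT_Double = 1, 5, 6
CONSTANT_Class, CONSTANT_Methodref, CONSTANT_NameAndType = 7, 10, 12
# Payload sizes for every fixed-width tag; Utf8 (tag 1) is variable-length.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_class(blob: bytes):
    """Split a class file into ((minor, major), pool, trailer).
    pool[0] is unused, as in the spec; Long/Double take two slots (second is None).
    Everything after the pool is kept as an opaque trailer."""
    magic, minor, major, count = struct.unpack_from(">IHHH", blob, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, pool = 10, [None]
    while len(pool) < count:
        tag = blob[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (n,) = struct.unpack_from(">H", blob, pos)
            size = 2 + n
        elif tag in FIXED_SIZE:
            size = FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        pool.append((tag, blob[pos:pos + size]))
        pos += size
        if tag in (CONSTANT_Long, CONSTANT_Double):
            pool.append(None)
    return (minor, major), pool, blob[pos:]


def serialize_class(versions, pool, trailer: bytes) -> bytes:
    """Inverse of parse_class; constant_pool_count is slots + 1, i.e. len(pool)."""
    out = bytearray(struct.pack(">IHHH", 0xCAFEBABE, versions[0], versions[1], len(pool)))
    for entry in pool[1:]:
        if entry is not None:
            out.append(entry[0])
            out += entry[1]
    return bytes(out) + trailer


def utf8(pool, idx: int) -> str:
    tag, payload = pool[idx]
    if tag != CONSTANT_Utf8:
        raise ValueError(f"#{idx} is not CONSTANT_Utf8")
    return payload[2:].decode("utf-8")  # real files use modified UTF-8; ASCII here


def resolve_methodref(pool, idx: int) -> str:
    """Follow Methodref -> Class -> Utf8 and Methodref -> NameAndType -> Utf8."""
    tag, payload = pool[idx]
    if tag != CONSTANT_Methodref:
        raise ValueError(f"#{idx} is not CONSTANT_Methodref")
    class_idx, nat_idx = struct.unpack(">HH", payload)
    (name_idx,) = struct.unpack(">H", pool[class_idx][1])
    mname_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])
    return f"{utf8(pool, name_idx)}.{utf8(pool, mname_idx)}{utf8(pool, desc_idx)}"


def rewrite_utf8(pool, old: str, new: str) -> int:
    """Replace every Utf8 entry equal to `old`; returns how many changed.
    Every user of that entry (class refs, this_class, string constants) is affected."""
    data = new.encode("utf-8")
    changed = 0
    for i, entry in enumerate(pool):
        if entry is not None and entry[0] == CONSTANT_Utf8 and utf8(pool, i) == old:
            pool[i] = (CONSTANT_Utf8, struct.pack(">H", len(data)) + data)
            changed += 1
    return changed


def hook_class_ref(blob: bytes, target_class: str, shim_class: str) -> bytes:
    """Redirect symbolic references to target_class at shim_class and re-serialize."""
    versions, pool, trailer = parse_class(blob)
    if rewrite_utf8(pool, target_class, shim_class) == 0:
        raise ValueError(f"{target_class} is not referenced by this class")
    return serialize_class(versions, pool, trailer)


def _u(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_class() -> bytes:
    """Constructed, truncated class file: header, constant pool, 6-byte stub trailer."""
    pool = [None,
            (CONSTANT_Utf8, _u("java/lang/Runtime")),          # 1
            (CONSTANT_Class, struct.pack(">H", 1)),             # 2 -> #1
            (CONSTANT_Utf8, _u("getRuntime")),                  # 3
            (CONSTANT_Utf8, _u("()Ljava/lang/Runtime;")),       # 4
            (CONSTANT_NameAndType, struct.pack(">HH", 3, 4)),   # 5 -> #3, #4
            (CONSTANT_Methodref, struct.pack(">HH", 2, 5)),     # 6 -> #2, #5
            (CONSTANT_Long, struct.pack(">q", 42)), None,       # 7-8: two slots
            (CONSTANT_Utf8, _u("demo/App")),                    # 9 (hypothetical name)
            (CONSTANT_Class, struct.pack(">H", 9))]             # 10 -> #9
    trailer = struct.pack(">HHH", 0x0021, 10, 0)  # access_flags, this_class, super_class; rest omitted
    return serialize_class((0, 52), pool, trailer)


if __name__ == "__main__":
    original = build_sample_class()
    hooked = hook_class_ref(original, "java/lang/Runtime", "hook/RuntimeShim")
    print(resolve_methodref(parse_class(original)[1], 6), "->",
          resolve_methodref(parse_class(hooked)[1], 6))
```

Because the Utf8 entry is shared, the rewrite also renames any string constant or class name that happens to be equal to the target; a real tool would add a fresh Utf8 entry and repoint only the Class entry if that matters.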

  22. Contents (section 3, Present but unreachable: Introduction, Background, Problem, Approach, Results, Conclusions)

  23. Present but unreachable: Reducing persistent latent secrets in the HotSpot JVM
     Best Paper, Software Technology Track
     Adam Pridgen (Rice University, Houston, TX, USA), Simson L. Garfinkel (George Mason University, Fairfax, VA, USA), Dan S. Wallach (Rice University, Houston, TX, USA)
     Hawaii International Conference on System Sciences, 2017
     Pridgen, Garfinkel, and Wallach Present but unreachable 23

  24. Present but unreachable / Introduction
     - The Java runtime uses automatic memory management
     - Developers no longer control data lifetimes
     - Sensitive data cannot be explicitly destroyed
     - Multiple copies can be created

  25. Present but unreachable / Introduction: Research Questions
     - How many secrets are retained?
     - Should we be concerned?
     - Can we fix the problem (without vendor intervention)?
     - Is our solution useful?

  26. Present but unreachable / Background: Generational GC Heap Overview
     - Tracing GC: looks for live objects starting from a set of roots
     - Heap engineered around expected object lifetimes
     - GC promotes surviving objects from one generation to the next:
       Eden Space (short lived) → Survivor Space
       Survivor Space → Tenured Space (long lived)
     Figure: Typical generational heap layout.

  27. Present but unreachable / Background: Other Factors Affecting Measurement
     - GC algorithms and various collection conditions
     - Internal JVM memory management system
     - Interactions between JVM internals and program data
     - Java Native Interface (not evaluated)

  28. Present but unreachable / Problem: Unmanaged Data Lifetime Overview
     Figure: Example data lifetime in unmanaged memory.

  29. Present but unreachable / Problem: Managed Data Lifetime Overview
     Figure: Example data lifetime in managed memory.

  30. Present but unreachable / Problem: Why is data being retained?
     Figure: String[2] on the heap.

  31. Present but unreachable / Problem: Why is data being retained? (2)
     Figure: String[0] is reassigned, but the old value remains on the heap.

  32. Present but unreachable / Approach: Measuring Latent Secrets (Methodology)
     - Quantify data retention using TLS keys
     - Vary memory pressure
     - Use well-known software examples
     - Vary heap size from 512 MiB to 16 GiB
     - Modify the HotSpot JVM to perform sanitization
     - Re-evaluate data retention
     - Measure the performance impacts
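Slides 26, 30-31 and 32 together explain the mechanism the paper measures: a copying collector evacuates live objects out of eden into a survivor space, and a reassigned String's old value is simply left where it was, so a forensic scan of raw heap memory finds dead secrets and stale copies of live ones until the allocator happens to overwrite them. The following is an added example, written for this page and not the authors' HotSpot modification or measurement code: a toy two-space young generation, a carving scan over its raw bytes, and a key-rotation scenario run once with a stock collector and once with the sanitizing variant (zeroing the evacuated eden) that stands in for the paper's modified HotSpot. The "TLS session key" values are constructed sample data, and promotion to the tenured space is omitted.

```python
import re


class Obj:
    """Handle to an object's bytes: which space it lives in, and where."""

    def __init__(self, space: str, offset: int, length: int):
        self.space, self.offset, self.length = space, offset, length


class ToyYoungGen:
    """Two-space young generation: bump-allocate into eden, evacuate live objects to survivor.
    Models the copying step only (toy model, not HotSpot); tenured promotion is omitted."""

    def __init__(self, size: int = 256):
        self.size = size
        self.eden = bytearray(size)
        self.survivor = bytearray(size)
        self.eden_top = 0
        self.surv_top = 0
        self.roots = {}  # name -> Obj, the GC root set

    def allocate(self, data: bytes) -> Obj:
        if self.eden_top + len(data) > self.size:
            raise MemoryError("eden full; run minor_gc() first")
        off = self.eden_top
        self.eden[off:off + len(data)] = data
        self.eden_top += len(data)
        return Obj("eden", off, len(data))

    def assign(self, root: str, data: bytes) -> None:
        """Like `key = new String(...)`: the previous object is dropped, never overwritten."""
        self.roots[root] = self.allocate(data)

    def minor_gc(self, sanitize: bool = False) -> None:
        """Copy reachable eden objects into survivor, then hand eden back to the allocator.
        A stock copying collector only resets the bump pointer; sanitize=True also zeroes
        the evacuated space, the analogue of the paper's sanitizing HotSpot modification."""
        for name, obj in list(self.roots.items()):
            if obj.space != "eden":
                continue
            if self.surv_top + obj.length > self.size:
                raise MemoryError("survivor full")
            self.survivor[self.surv_top:self.surv_top + obj.length] = \
                self.eden[obj.offset:obj.offset + obj.length]
            self.roots[name] = Obj("survivor", self.surv_top, obj.length)
            self.surv_top += obj.length
        if sanitize:
            self.eden[:] = bytes(self.size)
        self.eden_top = 0


def carve(heap: ToyYoungGen, needle: bytes) -> list:
    """Forensic scan over raw space contents: every copy of needle, reachable or not."""
    hits = []
    for name, space in (("eden", heap.eden), ("survivor", heap.survivor)):
        hits.extend((name, m.start()) for m in re.finditer(re.escape(needle), bytes(space)))
    return hits


# Constructed sample secrets standing in for the TLS keys measured in the paper.
OLD_KEY = b"TLS-SESSION-KEY:0123456789abcdef"
NEW_KEY = b"TLS-SESSION-KEY:fedcba9876543210"


def run_scenario(sanitize: bool) -> dict:
    """Rotate a key, collect, and count copies of each key value before and after GC."""
    heap = ToyYoungGen()
    heap.assign("sessionKey", OLD_KEY)
    heap.assign("sessionKey", NEW_KEY)  # rotation: OLD_KEY is now unreachable garbage
    before = {"old": len(carve(heap, OLD_KEY)), "new": len(carve(heap, NEW_KEY))}
    heap.minor_gc(sanitize=sanitize)
    after = {"old": len(carve(heap, OLD_KEY)), "new": len(carve(heap, NEW_KEY))}
    return {"before": before, "after": after, "live_space": heap.roots["sessionKey"].space}


if __name__ == "__main__":
    for mode in (False, True):
        print("sanitize =", mode, run_scenario(mode))
```

With the stock collector the dead key is still carvable after the collection and the live key now exists twice (stale eden copy plus the survivor copy), which is the "multiple copies" point of slide 24; with sanitization the dead key is gone and only the live copy remains. Counting hits per space is the same measurement the methodology slide describes, here on a toy heap rather than a HotSpot process image.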
