OS-SOMMELIER: Memory-Only Operating System Fingerprinting in the Cloud (PowerPoint PPT presentation)


  1. OS-SOMMELIER: Memory-Only Operating System Fingerprinting in the Cloud. Yufei Gu †, Yangchun Fu †, Aravind Prakash ‡, Dr. Zhiqiang Lin †, Dr. Heng Yin ‡. † University of Texas at Dallas; ‡ Syracuse University. October 16th, 2012

  2. Outline: 1 Motivation; 2 State-of-the-Art; 3 Detailed Design; 4 Evaluation; 5 Conclusion

  3-4. What is OS Fingerprinting. OS Fingerprinting in the Cloud: given a virtual machine (VM) image (or a running instance), precisely infer its specific OS kernel version.

  5-9. Why we need OS Fingerprinting in the Cloud: 1 Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS'03]; 2 Penetration Testing; 3 VM Management (Kernel Update); 4 Memory Forensics

  10-12. Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum, NDSS'03]: using a trusted, isolated, dedicated VM to monitor other VMs. (Diagram: a trusted OS in a Secure-VM introspects Product-VMs running Linux, Win-7, ... across the Virtualization Layer, which sits on the Hardware Layer.) Binary Code Reuse based VMI: Virtuoso [Dolan-Gavitt et al., Oakland'11]: using trained existing legacy code to perform VMI; VM Space Traveler [Fu and Lin, Oakland'12]: dynamically instrumenting legacy binary code to perform VMI.

  13-15. Basic Approaches for OS Fingerprinting. (Diagram: NETWORK and DISK attached to a VM above the Virtual Machine Monitor Layer.) Basic Approaches: 1 Network; 2 File System; 3 CPU State; 4 Memory; 5 Their Combinations

  16-18. Network-based OS Fingerprinting. (Diagram: a TCP/ICMP probe packet is sent to the target and its response packet is examined.) Existing Techniques: Probing TCP implementations [Comer and Lin, USENIX Summer ATC'94]; Nmap [Fyodor]; Xprobe2 [Yarochkin, DSN'09]; Synscan [Taleck, CanSecWest'04]; ... Limitations: Imprecise: not accurate enough, cannot pinpoint minor differences. Can be disabled: many modern OSes disable most network services as a default security policy.

  19-21. File-System Based OS Fingerprinting. (Diagram: File System -> Distinctive Files -> Files.) Basic Approach: mount the VM file system image; walk through the files on the disk. Advantages: simple, intuitive, efficient, and precise. Limitations: file system encryption; not suitable for memory forensics applications where only a memory dump is available.

  22-25. CPU Register based OS Fingerprinting. (Diagram: the register state used: CS, DS, ES, FS, SS, LDTR, IDTR, GDTR, TR, DR.) Existing Technique: UFO: Operating system fingerprinting for virtual machines [Quynh, DEFCON'10]. Advantage: efficient (super fast). Limitations: Imprecise: not accurate enough, e.g. cannot tell WinXP (SP2) from WinXP (SP3); not suitable for memory forensics applications where only a memory dump is available.

  26-28. CPU and Memory Combination based OS Fingerprinting. (Diagram: IDT -> Interrupt Handler.) Existing Techniques: use the IDT pointer to retrieve the interrupt handler code, and hash that code to fingerprint the guest VM [Christodorescu et al., CCSW'09]. Limitations: Imprecise: not accurate enough, cannot pinpoint minor differences; not suitable for memory forensics applications where only a memory dump is available.

  29-31. Memory-Only Approach for OS Fingerprinting. (Diagram: a graph signature of a task structure and the structures reached through its pointer fields thread, mm, signal and task at offsets 0, 4, 8 and 12.) Existing Technique: SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [Lin et al., NDSS'11]. Limitations: Inefficient: takes a few minutes; requires kernel data structure definitions.

  32-33. OS-Sommelier: Memory-Only OS Fingerprinting. Goal: Precise: can pinpoint even minor OS differences; Efficient: runs in a few seconds; Robust: hard to evade, from a security perspective. Key Idea: compute the hash values of the core kernel code in physical memory for precise fingerprinting.

  34. Some Statistics on Core Kernel Page. (Bar chart; y-axis from 0 to 1400 in steps of 200; bar labels not recoverable from the page.)

  35. OS-Sommelier: Challenges. Challenge: how to find a robust and generic way to identify the kernel page table when only a memory dump is available? To traverse memory we need the PGDs (page global directories) to perform virtual-to-physical address translation.
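As an added illustration of the key idea (slides 32-33) and the page-table challenge (slide 35), not code from the OS-Sommelier authors: the Python below builds a constructed x86 32-bit (non-PAE) memory dump, walks its PGD to translate kernel virtual addresses to physical ones, hashes the core kernel code pages in virtual-address order, and matches the hash against a constructed signature database. The PGD location (PA 0x1000), the kernel text base (VA 0xC0000000 at PA 0x100000) and the page contents are assumptions; a page that the chosen PGD does not map raises an error, which is what happens when the wrong page table is picked.

```python
import hashlib
import struct

PAGE = 0x1000

def walk_pgd(mem, pgd_pa, va):
    """x86 32-bit non-PAE two-level page walk; None if va is not mapped."""
    pde = struct.unpack_from("<I", mem, pgd_pa + ((va >> 22) & 0x3FF) * 4)[0]
    if not pde & 1:                     # present bit clear: no page table
        return None
    if pde & 0x80:                      # PS bit: 4 MiB page, no second level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = struct.unpack_from("<I", mem, (pde & ~0xFFF) + ((va >> 12) & 0x3FF) * 4)[0]
    return (pte & ~0xFFF) | (va & 0xFFF) if pte & 1 else None

def kernel_code_hash(mem, pgd_pa, text_va, n_pages):
    """Hash the core kernel code pages, read through the PGD in VA order."""
    h = hashlib.sha256()
    for i in range(n_pages):
        pa = walk_pgd(mem, pgd_pa, text_va + i * PAGE)
        if pa is None:                  # wrong PGD or truncated dump
            raise ValueError("kernel text page %#x not mapped" % (text_va + i * PAGE))
        h.update(mem[pa:pa + PAGE])
    return h.hexdigest()

def build_dump(code_pages):
    """Constructed 2 MiB 'memory dump' (assumption): PGD at PA 0x1000, page table
    at PA 0x2000, kernel text at PA 0x100000 mapped at VA 0xC0000000."""
    mem = bytearray(2 * 1024 * 1024)
    pgd, pt, text_pa = 0x1000, 0x2000, 0x100000
    struct.pack_into("<I", mem, pgd + (0xC0000000 >> 22) * 4, pt | 0x3)       # PDE: present+rw
    for i, page in enumerate(code_pages):
        struct.pack_into("<I", mem, pt + i * 4, (text_pa + i * PAGE) | 0x3)  # PTE: present+rw
        mem[text_pa + i * PAGE:text_pa + i * PAGE + len(page)] = page
    return mem, pgd

def fingerprint(code_pages):
    mem, pgd = build_dump(code_pages)
    return kernel_code_hash(mem, pgd, 0xC0000000, len(code_pages))

def identify(code_pages, signature_db):
    """Match a dump's kernel-code hash against a pre-computed signature DB."""
    return signature_db.get(fingerprint(code_pages), "unknown")

# Constructed kernel images: identical except for one byte in the second page,
# the kind of minor difference a code hash distinguishes and a register check cannot.
KERNEL_A = [b"\x55\x89\xe5" * 100, b"\x90" * 50 + b"\xc3"]
KERNEL_B = [b"\x55\x89\xe5" * 100, b"\x90" * 50 + b"\xcc"]
SIG_DB = {fingerprint(KERNEL_A): "kernel-A", fingerprint(KERNEL_B): "kernel-B"}
```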
