about
play

About Bringing Memory Forensics and Virtual Machine Introspection - PowerPoint PPT Presentation

Feb 07, 2023 •231 likes •313 views

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

  1. About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of Security in Information Systems University of Passau Research Area: System Security, Memory Forensics, Virtual Machine Introspection Projects: DINGfest (BMBF), ARADIA (DFG) Taubmann Digital Forensics on production environments 1 / 6

  2. Motivation “Senator reveals that the FBI paid $900,000 to hack into San Bernardino killer’s iPhone” - CNBC, 2017 What is the problem? § Missing interface for memory access on production systems (cloud, mobile devices) § Performance of current memory forensics and virtual machine introspection tools is too slow for use cases in production environments Why is it a problem? § Forensic investigators and common users cannot do memory based forensics on (their) VMs and mobiles devices § Cloud customers cannot benefit from the advantages of memory forensics and VMI-based security approaches : a higher level of isolation, stealthiness and forensic soundness than traditional in-guest security solutions. Taubmann Digital Forensics on production environments 2 / 6

  3. Research Questions 1. Data Acquisition: How to get access to the memory of production systems such as cloud environments or mobile devices? 2. Infomation Extraction: How to locate and extract high level information efficiently from main memory? 3. Applications: How to deploy and adapt VMI methods to the requirements of real world use cases and modern computing systems ? Taubmann Digital Forensics on production environments 3 / 6

  4. Overall Architecture Malware Intrusion Digital 3 Application Analysis Detection Forensics Trace Application Application ... Semantic Network Functions Knowledge: Packet Data Payload Modify Information Library 2 Structure Values Extraction Layout, Function Trace TCP/IP Address Syscalls Kernel Packet Intercept System State Trace Read Data Network 1 Acquisition Memory Network CPU Write Forensic Framework Analyzed System Taubmann Digital Forensics on production environments 4 / 6

  5. Contributions (bold red) Digital SSH Intrusion Malware 3 Forensics Honeypot Detection System Analysis Volatility/ TlsKex DroidKex Rekall 2 libvmtrace Drakvuf libvmi Frida 1 CloudPhylactor CloudVMI Coldboot Snapshot Static Dynamic Analysis Analysis Taubmann Digital Forensics on production environments 5 / 6

  6. Conclusion The main contributions of the thesis are: 1. A generic architecture for digital forensics on production systems 2. Data acquisition architecture for digital forensics in cloud environments and on mobile devices 3. Efficient TLS session key extraction from main memory of applications 4. Adapting resource intensive VMI-based tracing to the requirements of different use-cases that require minimal overhead such as intrusion detection systems Extended slide set: http://www.uni-passau.de/fileadmin/files/lehrstuhl/reiser/ publications/taubmann_introduction.pdf Taubmann Digital Forensics on production environments 6 / 6

  7. Thanks!

  8. Publications [1] Taubmann, Benjamin, Noëlle Rakotondravony, [5] Taubmann, Benjamin and Bojan Kolosnjaji. and Hans P. Reiser. “CloudPhylactor: “Architecture for Resource-Aware VMI-based Harnessing Mandatory Access Control for Cloud Malware Analysis.” In: SHCIS’17 . 2017. Virtual Machine Introspection in Cloud Data Centers.” In: IEEE TrustCom-16 . 2016. [6] Taubmann, Benjamin, Omar Al Abduljaleel, and Hans P. Reiser. “DroidKex: Fast Extraction of [2] Taubmann, Benjamin, Christoph Frädrich, Ephemeral TLS Keys from the Memory of Dominik Dusold, and Hans P. Reiser. “TLSkex: Android Apps.” In: DFRWS USA . 2018. Harnessing virtual machine introspection for decrypting TLS communication.” In: DFRWS [7] Stewart Sentanoe, Taubmann, Benjamin, and EU . 2016. Hans P. Reiser. “Virtual Machine Introspection [3] Taubmann, Benjamin, Manuel Huber, Based SSH Honeypot.” In: SHCIS’17 . 2017. Lukas Heim, Georg Sigl, and Hans P. Reiser. “A Lightweight Framework for Cold Boot Based [8] Taubmann, Benjamin and Hans P. Reiser. Forensics on Mobile Devices.” In: ARES . 2015. “Secure Architecture for VMI-based Dynamic [4] Andres Fischer, Thomas Kittel, Malware Analysis in the Cloud.” In: DSN fast abstract . 2016. Bojan Kolosnjaji, Tamas K Lengyel, Waseem Mandarawi, Hans P. Reiser, Taubmann, Benjamin, Eva Weishäupl, [9] F. Menges, F. Böhm, M. Vielberth, A. Puchta, Hermann de Meer, Tilo Müller, and B. Taubmann, N. Rakotondravony, T. Latzo. Mykola Protsenko. “CloudIDEA: A Malware “Introducing DINGfest: An architecture for next Defense Architecture for Cloud Data Centers.” generation SIEM systems.” In: GI Sicherheit In: C&TC 2015 . 2015. 2018 (Short Paper) .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei Shih Prasun Gera Taesoo Kim Hyesoon Kim Marcus Peinado 26 th USENIX Security Symposium August 17, 2017 Intel Software Guard Extension (SGX)

437 views • 42 slides
Specification and Enforcement of Information Erasure Policies Sebastian Hunt 1 David Sands 2

Specification and Enforcement of Information Erasure Policies Sebastian Hunt 1 David Sands 2

Motivation A Language-Based Approach Issues Summary Specification and Enforcement of Information Erasure Policies Sebastian Hunt 1 David Sands 2 Filippo Del Tedesco 2 1 City University London 2 Chalmers University of Technology, Sweden The

1.03k views • 29 slides
Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van

Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van

Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van Oorschot askillen@ccsl.carleton.ca Carleton Computer Security Lab Carleton University Ottawa, Canada SPSM 2013, Berlin, Germany November 8, 2013 The

488 views • 28 slides
T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference Minneapolis, Minnesota A Brief History PE Resiliency Initial releases of UNICOS/mk system panicked processes hung system would

732 views • 21 slides
Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer Security Day 21: Firewalls, NATs, and IDSes Firewalls and NAT boxes Stephen McCamant University of Minnesota, Computer Science & Engineering

1.35k views • 7 slides
Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

7/15/2014 Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics Agenda 2 FDSOI STNOC with FDSOI Application example Conclusions 1 7/15/2014 FD-SOI Speed & Energy Efficiency

211 views • 8 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security! Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript

891 views • 59 slides
Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS,

Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS,

Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS, Princeton Joint with Zeev Dvir Anup Rao Amir Yehudayoff Restriction Access, A new model of Grey-box access Systems, Models, Observations From

751 views • 29 slides
NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting

NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting

NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting 29 July 2019 Power cut #1 July 23 Power cut with subsequent cooling failure brought down all servers except np04-srv-001 and np04-srv-004 (on

238 views • 6 slides
SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno

SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno

SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno Bodin Tom Spink Bjrn Franke Institute for Computing Systems Architecture University of Edinburgh ISPASS 2017 1 Motivation Instruction Set

1.05k views • 52 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
TLV in LunD Introduction to Top Level Verification Presenter Shkelqim Lahi B.Sc.E. in

TLV in LunD Introduction to Top Level Verification Presenter Shkelqim Lahi B.Sc.E. in

TLV in LunD Introduction to Top Level Verification Presenter Shkelqim Lahi B.Sc.E. in Computer Engineering (Engineering College of Copenhagen 2004) M. SC. EE. In System on Chip (LTH 2006) Work experience EMP 2006

629 views • 37 slides
Miscellany! Lecture 20 The Last Lecture! Public-Key Crypto Maths Initially public-key crypto was

Miscellany! Lecture 20 The Last Lecture! Public-Key Crypto Maths Initially public-key crypto was

Miscellany! Lecture 20 The Last Lecture! Public-Key Crypto Maths Initially public-key crypto was based on hardness of problems in modular arithmetic and number theory (RSA/factoring, modular discrete log) Problems from several other areas, since

400 views • 17 slides
bersicht webEngineering LV-Nr.: 1896 Sommersemester 2001 Scharl A., PS WebEngineering 1.

bersicht webEngineering LV-Nr.: 1896 Sommersemester 2001 Scharl A., PS WebEngineering 1.

bersicht webEngineering LV-Nr.: 1896 Sommersemester 2001 Scharl A., PS WebEngineering 1. Einheit: Mo, 2001-05-28, 13:00: 2H316 [Abteilung fr Wirtschaftsinformatik] Termine webEngineering Zwischenprsentation: 11. Juni, 13:00

322 views • 16 slides
Introduction to Web Architecture SE2840 Web Application Design Jay Urbain, PhD Credits: See last

Introduction to Web Architecture SE2840 Web Application Design Jay Urbain, PhD Credits: See last

Introduction to Web Architecture SE2840 Web Application Design Jay Urbain, PhD Credits: See last slide for references Contact info Jay Urbain, PhD email: urbain@msoe.edu Office hours: http://jayurbain.com/msoe Course home:

1.08k views • 55 slides
1. Introduction ( (to Agents and Multiagent g g Systems) ems (SMA-UPC) Javier

1. Introduction ( (to Agents and Multiagent g g Systems) ems (SMA-UPC) Javier

1. Introduction ( (to Agents and Multiagent g g Systems) ems (SMA-UPC) Javier Vzquez-Salceda q Multiagent Syste SMA-UPC https://kemlg.upc.edu ems (SMA-UPC) Origins Trends in Computer Science Agents and Multiagent Systems 2

554 views • 33 slides
Design of I ntelligent Agents for Collaborative Testing of Service-Based Systems Xiaoying BAI and

Design of I ntelligent Agents for Collaborative Testing of Service-Based Systems Xiaoying BAI and

Department of Computer Science and Technology , Tsinghua University Design of I ntelligent Agents for Collaborative Testing of Service-Based Systems Xiaoying BAI and Bin CHEN Dept. of CS&T, Tsinghua University, Beijing, China, 100084 Bo

447 views • 31 slides
Introduction Dr. Ahmed Rafea CSCI485 Intelligent Agents 1 Chapter Outline Artificial

Introduction Dr. Ahmed Rafea CSCI485 Intelligent Agents 1 Chapter Outline Artificial

Introduction Dr. Ahmed Rafea CSCI485 Intelligent Agents 1 Chapter Outline Artificial intelligence Internet and the Web Intelligent Agents Events, Conditions and Actions Agents and Human-Computer Interfaces Using Java for

506 views • 19 slides
web-based collaborative systems Masoud Koleini, Hasan Qunoo, Mark Ryan School of Computer Science

web-based collaborative systems Masoud Koleini, Hasan Qunoo, Mark Ryan School of Computer Science

Modelling and verifying access control policies for web-based collaborative systems Masoud Koleini, Hasan Qunoo, Mark Ryan School of Computer Science University of Birmingham 18 th Nov 2009 Introduction There is an ever increasing use of

502 views • 15 slides
Collaborative on line learning of an action model Christophe Rodrigues , Henry Soldano ,

Collaborative on line learning of an action model Christophe Rodrigues , Henry Soldano ,

Collaborative on line learning of an action model Christophe Rodrigues , Henry Soldano , Gauvain Bourgne and Cline Rouveirol LIPN (Universit Paris 13, UMR-CNRS 7030) LIP6 (Universit Pierre et Marie Curie, UMR-CNRS 7606)

353 views • 14 slides
Inaugural Cultural Evolution Society Conference Jena 2017, 13-15 September Designing filtering,

Inaugural Cultural Evolution Society Conference Jena 2017, 13-15 September Designing filtering,

Inaugural Cultural Evolution Society Conference Jena 2017, 13-15 September Designing filtering, collaboration, thinking, and learning tools for the next 200 years Jorn Bettin & Xaver Wiesmann S23M Collaboration for Life Technology

656 views • 36 slides
Dialogue Systems Emerging interdisciplinary area since the early 1990s integration of

Dialogue Systems Emerging interdisciplinary area since the early 1990s integration of

Dialogue Systems Emerging interdisciplinary area since the early 1990s integration of speech technology, natural language processing, AI, Cooperative Response Generation dialogue / communication theory, human factors, in Dialogue

212 views • 6 slides

More recommend