back to the whiteboard a principled approach for the
play

Back to the Whiteboard: a Principled Approach for the Assessment and - PowerPoint PPT Presentation

Oct 01, 2022 •161 likes •648 views

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security 19 Memory Forensics - Introduction Infected Machine Memory Dump Analysis

  1. Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security ’19

  2. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  3. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  4. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  5. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  6. Memory Forensics - Introduction Infected Machine Memory Dump Analysis Evidence 1

  7. Memory Forensics - Analysis Extract the following information: • List processes, kernel modules • Open fjles, memory mappings, sockets.. • System information: routing table, kernel logs.. ... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows! 2

  8. Memory Forensics - Analysis Extract the following information: • List processes, kernel modules • Open fjles, memory mappings, sockets.. • System information: routing table, kernel logs.. ... and much more: Volatility (the most used memory forensic framework) has more than 100 plugins for Windows! 2

  9. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  10. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  11. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next task_struct task_struct init_task 3

  12. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next linux_pslist task_struct task_struct init_task 3

  13. Memory Forensics - Listing Processes tasks linux_pidhashtable pid_hash … … tasks prev next prev task_struct next tasks prev next linux_pslist task_struct task_struct init_task 3

  14. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  15. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  16. Motivations Forensic analyses are manually created by humans. • Are there other techniques to list processes? Linux kernel 4.19: ~6000 structures with ~40000 fjelds • How can we compare them? Shortest one? Most stable across difgerent kernels? 4

  17. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  18. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  19. Contributions 2 init_task task_struct task_struct task_struct task_struct on the graph Study analyses as paths 5 4 5 Build a graph of 1 1 8 2 4 2 1 evaluate analyses Defjne metrics to kernel structures 5

  20. end while Kernel Graph - Creation Challenge Kernel “abstract data types” 6 worklist ← kernel global variables; while worklist ̸ = ∅ do s ← worklist . pop () ; new _ structs ← Explore ( s ) ; worklist . push ( new _ structs ) ;

  21. end while Kernel Graph - Creation Challenge Kernel “abstract data types” 6 worklist ← kernel global variables; while worklist ̸ = ∅ do s ← worklist . pop () ; new _ structs ← Explore ( s ) ; worklist . push ( new _ structs ) ;

  22. Kernel Graph - ADT Challenge task_struct task_struct task_struct list_head tasks list_head tasks list_head tasks … … 7

  23. Kernel Graph - ADT Challenge … children list_head children list_head children list_head … tasks task_struct list_head tasks list_head tasks list_head task_struct task_struct 7

  24. Kernel Graph - ADT Challenge … siblings list_head siblings list_head children list_head … tasks task_struct list_head tasks list_head tasks list_head task_struct task_struct 7

  25. Kernel Graph - ADT Challenge Solved with a Clang plugin that analyzes the kernel AST list_add(&p->tasks, &init_task.tasks); list_add(&p->sibling, &p->children); struct task_struct.tasks -> struct task_struct.tasks struct task_struct.children -> struct .task_struct.siblings 8

  26. The Graph • 100k Structures (Nodes) • 840k Pointers (Edges) 9

  27. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  28. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  29. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  30. Metrics - Rationale Metrics should capture difgerent aspects of memory forensics: • Non-atomic memory acquisition (i.e. kernel driver) • Layout of kernel structures changes across difgerent kernel versions and confjgurations • Attackers can modify kernel structures 10

  31. Proposed Metrics • Atomicity • Stability • Consistency • Generality • Reliability 11

  32. Proposed Metrics • Atomicity • Stability • Consistency • Generality • Reliability 11

  33. Metrics Atomicity : distance in memory between two connected structures 0x10 0x40 0x50 0x20 0x60 0x50 0x90 0x70 0x10 12

  34. Metrics Stability : how long an edge remains stable in a running machine • 25 snapshots at [0s, 1s, 5s, ..., 3h] 1s 10s 15s 30s 12

  35. Metrics Consistency : Atomicity + Stability A B 12 ✗ ✓ ✓ ✓

  36. Evaluation of Current Analyses 495 12,000 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 10 linux_ifconfig linux_pidhashtable 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 12 0 Volatility Plugin 12,000 # Nodes Stability (s) Fast Slow linux_arp 13 linux_check_creds 14955 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 13

  37. Evaluation of Current Analyses 10 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 495 linux_pidhashtable 12 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 (contains on average 53% of total nodes) 12,000 linux_ifconfig Volatility Plugin 0 # Nodes Stability (s) Fast Slow linux_arp 13 12,000 linux_check_creds 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 14955 13 96% of the nodes → giant strongly connected component

  38. Evaluation of Current Analyses 10 linux_lsmod 12 700 linux_lsof 821 0 linux_mount 495 linux_pidhashtable 12 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 Stability: 3 paths never changed in over 3 hours 12,000 linux_ifconfig Volatility Plugin 0 # Nodes Stability (s) Fast Slow linux_arp 13 12,000 linux_check_creds 248 2 linux_check_modules 151 700 linux_check_tty 13 30 linux_find_file 14955 13 11 paths changed in less than 1 minute

  39. Evaluation of Current Analyses 495 0 linux_ifconfig 12 Volatility Plugin linux_lsmod 12 700 linux_lsof 821 0 linux_mount 10 linux_find_file linux_pidhashtable 469 30 linux_proc_maps 4722 0 linux_pslist 124 30 Consistency: 5 inconsistent plugins when fast acquisition 7 inconsistent plugins when slow acquisition 14955 12,000 13 2 # Nodes Stability Consistency (s) Fast Slow linux_arp 13 12,000 248 linux_check_creds 700 linux_check_modules 30 13 151 linux_check_tty ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✗ ✓ ✓ ✓ ✓ ✗ ✗ ✓ ✗ ✓ ✗ ✗ ✗ ✓ ✓

  40. Finding New Ways to List Processes Much harder than expected! • Hundreds of millions of paths when considering the shortest paths from every root node to every task_struct • Not every path represent an heuristics, because heuristics must be generated by an algorithm To limit the path explosion problem: • Removed every root node that is not connected to every task_struct • Remove edges used by known techniques (i.e. tasks fjeld) • Remove similar edges (parallel edges with same weights) • Merge similar paths into templates (struct type + remove adjacent same type nodes) Resulted in 4000 path templates! 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS, INRIA, LIX Ecole Polytechnique joint work with Miguel Andr es, Nicol as Bordenabe, Catuscia Palamidessi, Marco Stronati PRINCESS QIF Day,

478 views • 45 slides
The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the

The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the

The Demo / Kemo corpus A principled approach to the study of cross-cultural differences in the vocal expression and perception of emotion Martijn Goudbeek Mirjam Broersma University of Tilburg MPI for Psycholinguistics LREC, Valetta, 19-21

646 views • 20 slides
A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June

A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June

A Principled Approach to Ornamentation in ML Thomas Williams , Didier Rmy Inria - Gallium June 15, 2018 1 Motivation In a statically-typed programming language with ADTs. Imagine we wrote an evaluator for a simple language: type expr = let

550 views • 53 slides
A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum

A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum

A principled approach to REPL interpreters applied to eFLINT L. Thomas van Binsbergen 1 1 Centrum Wiskunde & Informatica l.t.van.binsbergen@cwi.nl April 2020 Section 1 REPL theory Language implementations often provide an interpreter with a

759 views • 51 slides
A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together

A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together

A principled approach: Solution 3: Journaling Transactions (write ahead logging) Group together actions so that they are Turns multiple disk updates into a single disk write Atomic: either all happen or none write ahead a short note to a

481 views • 4 slides
Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard. 2 / 17 Recap of MitM attack Whiteboard 3 / 17 Searching for attacks By hand - Last week(s) Using the computer - This week 4 / 17

689 views • 23 slides
WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to

WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to

WELCOME TO JAVASCRIPT DEVELOPMENT Please write your name on your whiteboard and say hello to your new classmates. Wi-fi: GA-Guest pw: yellowpencil YOUR INSTRUCTIONAL TEAM SASHA NICOLE DANTE Student Services Email:

1.37k views • 70 slides
Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data

Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data

Math Time First Grade Get your whiteboard and expo marker out. Weekly Focus: Graphing and Data GOAL: I can record, compare, and interpret data using graphs. Todays Lesson: Tally Charts Practice: Tally Charts Use your whiteboard! Problem

346 views • 9 slides
P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

CIKM Applied Research Paper P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju Junhen eng g Hao , Tong Zhao, Jin Li, Xin Luna Dong, Christos Faloutsos, Yizhou Sun, Wei Wang Oct. 19-23, 2020 | Online

684 views • 24 slides
Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS,

Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS,

Biomechanical Approach to the Evaluation and Treatment of the Low Back Charles R. Thompson, MS, ATC Princeton University EATA January 7, 2007 Boston, MA Purposes and Goals Purposes and Goals Develop a sound biomechanical approach to

1.56k views • 122 slides
Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation

Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation

Back Pain John W. Engstrom, MD December 15, 2011 Disclosures Nothing to declare --- or --- Clinical Approach to the Evaluation Significant ownership interests and Management of Low Back Pain Consulting, speaker bureaus,

319 views • 14 slides
An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State

An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State

An Elementary Approach to Elementary Topos Theory Todd Trimble Western Connecticut State University Department of Mathematics October 26, 2019 Back Story Tierneys approach: private communication. Back Story Tierneys approach:

1.19k views • 33 slides
Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of settings 2. Too fast Too much material for time available More time on math parts, proofs Awkwardly placed midterm Too many details,

525 views • 20 slides
The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle

The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle

The Principled Developer Gerardo Gonzalez | @fmizzell | The Principle The Principle | Definitions Principle: A rule or standard, especially of good behavior Software: (...) and symbolic languages that control the

600 views • 32 slides
A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e

A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e

A Principled Intermediate Language for JavaScript Verification Daiva Naud zi unien e Imperial College London Resource Reasoning Meeting 1/40 The Team Thomas Philippa Gareth Smith Wood Gardner Petar Jos e Fragoso Maksimovi

645 views • 40 slides
Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more

Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more

Turn your whiteboard on To work fast and collaboratively Dry-erase whiteboards are utilized more than ever for their immediacy, convenience and productivity benefits To share with everyone 1 in 4 workers video conference every day but they

453 views • 13 slides
for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

Learning to rank adaptively for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID and IST, University of Lisbon Helena Galhardas, INESC-ID and IST, University of Lisbon Luis Gravano, Columbia

682 views • 30 slides
Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto, Kuniaki Uehara (Kobe University) Takashi Shinozaki (NICT) Kimiaki Shirahama, Marcin Grzegozek (University of Siegen) Our Contribution A method of using

1.07k views • 35 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray

Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray

Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray Vinyl Barstool This sleek dual purpose stool easily adjusts from counter to bar height. The backless design is casual and contemporary which allow

499 views • 34 slides
Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 Up from 44 in 2014

Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 Up from 44 in 2014

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science Malicious

628 views • 48 slides
Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and

Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and

Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and Biosta;s;cs Unit Murdoch Childrens Research Ins;tute Da Data sharing and s a sharing and storag age e To enable data sharing, the data

704 views • 51 slides
How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo

How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo

How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo Ribeiro Luisa Siniscalchi Ivan Visconti University of Salerno CQT & National University of Singapore Imperial College London University of

782 views • 24 slides
Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Folktales As Classifiable Texts Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong Nguyen and Marit Theune Once upon a time There was

421 views • 23 slides

More recommend