evaluating atomicity and integrity of correct memory
play

Evaluating Atomicity, and Integrity of Correct Memory Acquisition - PowerPoint PPT Presentation

Jan 24, 2023 •276 likes •592 views

Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods Michael Gruhn , Felix Freiling 2016-30-03 Department Computer Science IT Security Infrastructures Friedrich-Alexander-University Erlangen-Nrnberg Erlangen, Germany

  1. Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods Michael Gruhn , Felix Freiling 2016-30-03 Department Computer Science IT Security Infrastructures Friedrich-Alexander-University Erlangen-Nürnberg Erlangen, Germany EU

  2. EU Outline Introduction Motivation Atomicity, Integrity and Correctness per [Vömel and Freiling 2012] Atomicity Violation Integrity Violation Estimating Atomicity and Integrity Payload Application Atomicity and Integrity Deltas Results Take-Home and Future Research 2/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  3. EU Motivation • Memory Analysis becomes more and more important: • Memory resident malware • Disk-less clients • Persistent Disk Encryption • To do proper analysis memory must be acquired forensically sound • Correctness • captured value at address X must represent the value in memory at address X • Atomicity • Integrity 3/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  4. EU Atomicity Violation per [Vömel and Freiling 2012] r 1 r 2 r 3 r 4 Figure: Space-time diagram of imaging procedure creating non-atomic snapshot. 4/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  5. EU Integrity Violation per [Vömel and Freiling 2012] r 1 r 2 r 3 r 4 t Figure: Integrity of a snapshot with respect to a specific point in time t . 5/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  6. EU Outline Introduction Motivation Atomicity, Integrity and Correctness per [Vömel and Freiling 2012] Atomicity Violation Integrity Violation Estimating Atomicity and Integrity Payload Application Atomicity and Integrity Deltas Results Take-Home and Future Research 6/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  7. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Start: Memory Region Counter 1 0 2 0 3 0 4 0 7/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  8. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 0 3 0 4 0 8/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  9. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 1 2 3 0 4 0 9/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  10. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 1 3 1 4 0 10/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  11. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 1 2 1 3 1 4 1 11/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  12. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 1 3 1 4 1 12/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  13. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 1 4 1 13/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  14. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 2 4 1 14/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  15. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 2 2 2 3 2 4 2 15/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  16. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 2 3 2 4 2 16/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  17. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 2 4 2 17/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  18. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 2 18/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  19. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 3 19/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  20. EU Estimating Atomicity and Integrity via Payload Application • Application constantly increments counters placed in memory regions • Running: Memory Region Counter 1 3 2 3 3 3 4 3 • Perfect atomic capture has only two consecutive counter values • Perfect integer when counter values from when capture was started • Details in the paper 20/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  21. EU Estimating Atomicity and Integrity via Deltas r 4 r 3 r 2 r 1 Integrity ∆ Atomicity ∆ t Figure: Atomicity and integrity in a maximum load scenario. 21/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  22. EU Atomicity and Integrity Upper Bounds (Worst Case) (Worst Case) Atomicity Delta Integrity Delta msramdump 1 43.84 memimager 1 63.28 VirtualBox 1 26.64 QEMU 1 35.24 ProcDump (-r) 0 39.75 ProcDump 1 36.50 Windows Task Manager 1 728.54 pmdump 37 136.62 WinPMEM 13230 5682.24 FTK Imager 13151 5917.24 win64dd 15039 8077.54 win64dd (/m 1) 15039 8172.28 DumpIt 15711 8500.09 inception 43898 22056.77 22/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  23. EU Figure: Acquisition plot of pmdump 23/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  24. EU Figure: Memory acquisition technique comparison (acquisition plot) 24/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  25. EU Figure: Memory acquisition technique comparison (acquisition density plot) 25/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  26. EU · 10 4 inception 2 Integrity Delta 1 . 5 DumpIt 1 win64dd FTK Imager WinPMEM 0 . 5 VirtualBox ProcDump 0 Cold-Boot Attacks 0 1 2 3 4 pmdump Atomicity Delta · 10 4 Figure: Each acquisition position inside an atomicity/integrity-Matrix 26/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  27. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? 27 (1) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  28. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? • What is the impact of non-atomic memory captures on analysis? • 2-Take Approach solution? 27 (2) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  29. EU Take-Home and Future Research • DMA exhibited the greatest memory smear • Is inception/Python the issue? • Will PCI DMA perform better? • Does DMA increase concurrency? • How do state-of-the-art research methods (Body-Snatcher) perform? • What is the impact of non-atomic memory captures on analysis? • 2-Take Approach solution? Source Code available at https://www1.cs.fau.de/projects/rammangler Slides and Paper available at https://http://www.dfrws.org/2016eu/program.shtml Warning about "Source Code": It’s what they call "research" code: for(i=0; /*FIXME ... we assume success */; i++) 27 (3) /28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

  30. EU Questions? 42. 28/28 2016-30-03 | Michael Gruhn | FAU i1 | ramatom

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a transaction happens or it does not Consistency: a correct database is still correct afterwards i.e. money balanced, no dangling pointers 3 ACID

712 views • 29 slides
Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp

Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp

10/30/19 Evaluating classifiers CS440 The 2-by-2 contingency table correct not correct positive tp fp prediction negative fn tn prediction 1 10/30/19 Precision and recall Precision : % of predicted items that are correct P = tp/

117 views • 11 slides
On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha Jagadeesan James Riely Alasdair Armstrong Atomicity abstraction and weak memory How do we provide reliable atomicity abstractions? Concurrent

1.03k views • 59 slides
Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick Paderborn University Germany Our interest Proving correctness of algorithms allowing seemingly atomic access

445 views • 19 slides
Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop on Declarative Programming Languages for Multicore Architectures 15 January 2006 Atomicity Overview Atomicity: what, why, and why relevant

605 views • 17 slides
SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we

SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we

SI485i : NLP Set 9 Advanced PCFGs Some slides from Chris Manning Evaluating CKY How do we know if our parser works? Count the number of correct labels in your tree...the label and the span it dominates must both be correct. [ label,

483 views • 25 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain & Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1

Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1

Atomicity Bailu Ding Oct 18, 2012 Bailu Ding Atomicity Oct 18, 2012 1 / 38 Outline 1 Introduction 2 State Machine 3 Sinfonia 4 Dangers of Replication Bailu Ding Atomicity Oct 18, 2012 2 / 38 Introduction Introduction Implementing

723 views • 43 slides
1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather

1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather

1 2 Note approXimate! FXAA does not attempt anything close to the correct solution. Rather attempts something fast that looks visually good enough. 3 (1.) MEMORY PROBLEM At huge resolutions with deferred rendering, memory used for render

619 views • 27 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder ,

Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder ,

Building and Evaluating a Distributional Memory for Croatian Jan o , and Snajder , Sebastian Pad c Zeljko Agi University of Zagreb, Faculty of Electrical Engineering and Computing Heidelberg University, Institut f

717 views • 16 slides
Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory

Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory

Introduction Methodology Performance Evaluation Conclusions References Evaluating the Impact of Transactional Characteristics on the Performance of Transactional Memory Applications 1 Fernando Rui, 2 Mrcio Castro, 1 Dalvan Griebler, 1 Luiz

370 views • 16 slides
Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick,

Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick,

Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick, Alastair Armstrong Paderborn University Germany Access to shared state I Software transactional memory (STM) Synchronization of parallel

615 views • 19 slides
0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW

0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW

Bridging the Gap between Programming Languages and Hardware Weak Memory Models Anton Podkopaev Ori Lahav Viktor Vafeiadis 0 Correct Programming Compiler Compiler Hardware Language P Syntax PL compile P P PL HW PL HW is Memory Model

980 views • 74 slides
Decision Tree Algorithm Decision Tree Algorithm Week 4 1 Team Homework Assignment #5 Team

Decision Tree Algorithm Decision Tree Algorithm Week 4 1 Team Homework Assignment #5 Team

Decision Tree Algorithm Decision Tree Algorithm Week 4 1 Team Homework Assignment #5 Team Homework Assignment #5 Read pp. 105 117 of the text book. R d 105 117 f h b k Do Examples 3.1, 3.2, 3.3 and Exercise 3.4 (a). Prepare

385 views • 21 slides
AMERICAS ARMY: Globally Responsive, Regionally Engaged Presented By: Program Executive Office

AMERICAS ARMY: Globally Responsive, Regionally Engaged Presented By: Program Executive Office

PUBLIC INFORMATION UNCLASS/FOUO AMERICAS ARMY: Globally Responsive, Regionally Engaged Presented By: Program Executive Office Enterprise Information Systems GFIM Capability Management Office / HQDA G-3/5/7 Distribution Statement A:

672 views • 41 slides
Investment Program Overview November 2016 CONFIDENTIAL Investment Strategy Investment Strategy

Investment Program Overview November 2016 CONFIDENTIAL Investment Strategy Investment Strategy

Investment Program Overview November 2016 CONFIDENTIAL Investment Strategy Investment Strategy The Roseview Affordable Housing Fund (the Fund) is seeking to acquire non-controlling interests in the General Partners (GPs) of

193 views • 5 slides
Generative Linguistics Linguistics is a branch of cognitive psychology. It is the study of

Generative Linguistics Linguistics is a branch of cognitive psychology. It is the study of

Generative Linguistics Linguistics is a branch of cognitive psychology. It is the study of a psychological systema mental organ called the language faculty. This is the system that allows us to produce and understand

720 views • 40 slides
Nov. 6, 2017 1 NPS TRANSACTION SUMMARY Pharmaceutical Technologies, Inc., dba National

Nov. 6, 2017 1 NPS TRANSACTION SUMMARY Pharmaceutical Technologies, Inc., dba National

Diplomats Acquisition of Pharmaceutical Technologies, Inc., dba National Pharmaceutical Services (NPS) Nov. 6, 2017 1 NPS TRANSACTION SUMMARY Pharmaceutical Technologies, Inc., dba National Pharmaceutical Services (NPS) Full-service

165 views • 3 slides
Enhancing an OAI- PMH Service Using Linked Data The case of the Sheet Music Consortium Stephen

Enhancing an OAI- PMH Service Using Linked Data The case of the Sheet Music Consortium Stephen

Enhancing an OAI- PMH Service Using Linked Data The case of the Sheet Music Consortium Stephen Davison, University of California, Los Angeles 1 Los Angeles: Southern California Music Co., 1910 2 New York: Howley, Haviland, Dresser, 1903

475 views • 29 slides
NASA Helps Finding Damaged Buildings using Satellite Radar Data NASAs JPL Produced Damage

NASA Helps Finding Damaged Buildings using Satellite Radar Data NASAs JPL Produced Damage

NASA Helps Finding Damaged Buildings using Satellite Radar Data NASAs JPL Produced Damage Proxy Map (DPM) derived from Synthetic Aperture Radar (SAR) data acquired from Italian Space Agencys (ASIs) COSMO- SkyMed satellites.

160 views • 3 slides
Improving the President of CINI accessibility of IoT Paolo.Prinetto@polito.it platforms: Mob.

Improving the President of CINI accessibility of IoT Paolo.Prinetto@polito.it platforms: Mob.

Giuseppe AIR FARULLA Paolo PRINETTO CINI AsTech National Lab Giuseppe.Airofarulla@polito.it Mob. +39 388 2574991 Paolo Prinetto Improving the President of CINI accessibility of IoT Paolo.Prinetto@polito.it platforms: Mob. +39 335 227529

581 views • 30 slides

More recommend