exploiting generational garbage collection
play

Exploiting Generational Garbage Collection Using Data Remnants to - PowerPoint PPT Presentation

Sep 15, 2023 •537 likes •1.33k views

Exploiting Generational Garbage Collection Using Data Remnants to Improve Memory Analysis and Digital Forensics Adam Pridgen 1 1 Rice University, Houston, TX, USA January 18, 2017 Pridgen Exploiting Generational Garbage Collection 1 Outline

  1. Exploiting Generational Garbage Collection Using Data Remnants to Improve Memory Analysis and Digital Forensics Adam Pridgen 1 1 Rice University, Houston, TX, USA January 18, 2017 Pridgen Exploiting Generational Garbage Collection 1

  2. Outline RICE 1 Introduction Motivation Contributions Background 2 Supporting Work STAAF: Scaling Android Application Analysis Radare Java Static Analysis 3 Present but unreachable Introduction Background Problem Approach Results Conclusions 4 Picking up the Trash Introduction Problem Approach Evaluation Conclusions 5 Conclusions 6 References Pridgen Exploiting Generational Garbage Collection 2

  3. Introduction Malware Compromises Happen RICE Pridgen Exploiting Generational Garbage Collection 3

  4. Introduction Flood of Questions RICE Pridgen Exploiting Generational Garbage Collection 4

  5. Introduction Motivation Motivation (1) RICE Figure: Stuxnet riding over an airgap into an ICS network [1]. Pridgen Exploiting Generational Garbage Collection 5

  6. Introduction Motivation Motivation (2) RICE Threats actors looking to penetrate hard-targets Must research and innovate on existing methods Exploit technology blind spots and implicit trust Looking for knowledge-gaps Targetting technologies that are widely deployed Exploring exploitation in all dimensions Pridgen Exploiting Generational Garbage Collection 6

  7. Introduction Motivation Motivation (3) RICE Managed Runtimes Widely used but not well understood Runtimes are complex and evolve over time Backwards compatibility retained Widely deployed runs on multiple platforms Updates may not be feasible Pridgen Exploiting Generational Garbage Collection 7

  8. Introduction Contributions Contributions RICE Developed tools for Java class and archive analysis Established the feasibility of recovering artifacts Created an approach for recovering managed objects Developed a prototype targeting the HotSpot JVM Pridgen Exploiting Generational Garbage Collection 8

  9. Introduction Background Attacker Techniques RICE Figure: Overview of attacker tactics. Pridgen Exploiting Generational Garbage Collection 9

  10. Introduction Background Documented Java Malware and Attacks RICE Malware and Backdoors Criminal : Adwind, JBot, etc. [2, 3, 4] Espionage : PackRat and JavaFog [5, 6] Threat actors employing Java Phishing [7, 4] Waterholing [7, 4] Common Vulnerabilities and Exposure Hotspot JVM : ≈ 34 since 2010 [8] Java and frameworks : ≈ 1510 since 1999 Pridgen Exploiting Generational Garbage Collection 10

  11. Introduction Background Digital Forensics Overview RICE Pridgen Exploiting Generational Garbage Collection 11

  12. Introduction Background Related Work: Managed Runtime Analysis RICE Viega explains the insecurity of managed runtimes [9] Chow et al. solve secure deallocation on Unix [10, 11] CleanOS: Objects encrypted using a shared key [12] Anikeev et al. focuses on Android’s collector [13] Li shows RSA keys are retrievable in Python [14] Pridgen Exploiting Generational Garbage Collection 12

  13. Introduction Background Related Work: Memory Analysis RICE Rekall and Volatility analysis frameworks [15, 16] Identifying datastructures Lin et al. perform automatic RE [17] Lin et al. use graph-based signatures [18] Dolan et al. focus on kernel structures [19] Android memory forensics [20, 21, 22, 23, 24, 25] Data carving Richard developed Scalpel File Carver [26] Beverly et al. focus on network packets [27] Hand et al. extract binaries from memory [28] Pridgen Exploiting Generational Garbage Collection 13

  14. Supporting Work STAAF: Scaling Android Application Analysis Contents RICE 1 Introduction Motivation Contributions Background 2 Supporting Work STAAF: Scaling Android Application Analysis Radare Java Static Analysis 3 Present but unreachable Introduction Background Problem Approach Results Conclusions 4 Picking up the Trash Introduction Problem Approach Evaluation Conclusions 5 Conclusions 6 References Pridgen Exploiting Generational Garbage Collection 14

  15. Supporting Work STAAF: Scaling Android Application Analysis STAAF STAAF: Scaling Android Application Analysis with a Modular Framework Adam Pridgen 1 Ryan W. Smith 1 1 Praetorian, Austin, TX, USA 2 Rice University, Houston, TX, USA Hawaii International Conference on System Sciences, 2012 Smith and Pridgen STAAF 15

  16. Supporting Work STAAF: Scaling Android Application Analysis Problem RICE Engineering scalable program analysis Off-market Android stores were contained malware Android analysis tools fail to scale alone Developed an approach pipelining analysis Smith and Pridgen STAAF 16

  17. Supporting Work STAAF: Scaling Android Application Analysis Results RICE Similar approach used to measure latent secrets Emphasizes scaling analysis horizontally Creates a pipeline for pre- and post- analysis Efficiently localizes analysis results in a database Smith and Pridgen STAAF 17

  18. Supporting Work Radare Java Static Analysis Reversing Java (Malware) with Radare STAAF: Scaling Android Application Analysis with a Modular Framework Adam Pridgen 1 1 Rice University, Houston, TX, USA InfoSec Southwest, 2014 Pridgen Reversing Java (Malware) with Radare 18

  19. Supporting Work Radare Java Static Analysis Problem RICE Malware obfuscation would throw-off analysis Tools were built on Java Tools overlooked corner cases None of the tools allowed low-level manipulation Pridgen Reversing Java (Malware) with Radare 19

  20. Supporting Work Radare Java Static Analysis Java Malware Analysis Overview RICE Eclipse IDE : development environment for debugging IDA Pro : marked-up analysis with no low-level access JD GUI : decompiles code but cannot be corrected Jython : run Java in Python environment Pridgen Reversing Java (Malware) with Radare 20

  21. Supporting Work Radare Java Static Analysis Results: Radare Extensions RICE Low-level JAR and class file manipulation Analysis of class file artifacts Inject byte code for runtime analysis Rewrite symbolic links for hooking Pridgen Reversing Java (Malware) with Radare 21

  22. Present but unreachable Contents RICE 1 Introduction Motivation Contributions Background 2 Supporting Work STAAF: Scaling Android Application Analysis Radare Java Static Analysis 3 Present but unreachable Introduction Background Problem Approach Results Conclusions 4 Picking up the Trash Introduction Problem Approach Evaluation Conclusions 5 Conclusions 6 References Pridgen Reversing Java (Malware) with Radare 22

  23. Present but unreachable Present but unreachable Reducing persistent latent secrets in HotSpot JVM Best Paper , Software Technology Track Simson L. Garfinkel 2 Dan S. Wallach 1 Adam Pridgen 1 1 Rice University, Houston, TX, USA 2 George Mason University, Fairfax, VA, USA Hawaii International Conference on System Sciences, 2017 Pridgen, Garfinkel, and Wallach Present but unreachable 23

  24. Present but unreachable Introduction Introduction RICE Java runtime uses automatic memory management Developers no longer control data lifetimes Sensitive data cannot be explicitly destroyed Multiple copies can be created Pridgen, Garfinkel, and Wallach Present but unreachable 24

  25. Present but unreachable Introduction Research Questions RICE How many secrets are retained? Should we be concerned? Can we fix the problem (without vendor intervention)? Is our solution useful? Pridgen, Garfinkel, and Wallach Present but unreachable 25

  26. Present but unreachable Background Generational GC Heap Overview RICE Tracing GC: Looking for live objects from a set of roots Heap engineered for expected object life-time GC promotes objects from one heap to the next one Eden Space (short lived) → Survivor Space Survivor Space → Tenure Space (long lived) Figure: Typical generational heap layout. Pridgen, Garfinkel, and Wallach Present but unreachable 26

  27. Present but unreachable Background Other Factors Affecting Measurement RICE GC algorithms and various collection conditions Internal JVM memory management system Interactions between JVM internals and program data Java Native Interface (not evaluated) Pridgen, Garfinkel, and Wallach Present but unreachable 27

  28. Present but unreachable Problem Unmanaged Data Lifetime Overview RICE Figure: Example data lifetime in unmanaged memory. Pridgen, Garfinkel, and Wallach Present but unreachable 28

  29. Present but unreachable Problem Managed Data Lifetime Overview RICE Figure: Example data lifetime in managed memory. Pridgen, Garfinkel, and Wallach Present but unreachable 29

  30. Present but unreachable Problem Why is data being retained? RICE Figure: String[2] on the heap. Pridgen, Garfinkel, and Wallach Present but unreachable 30

  31. Present but unreachable Problem Why is data being retained? (2) RICE Figure: String[0] is reassigned but the old value remains. Pridgen, Garfinkel, and Wallach Present but unreachable 31

  32. Present but unreachable Approach Measuring Latent Secrets: Methodology RICE Quantify data retention using TLS Keys Vary memory pressure Use well-known software examples Vary heap size 512MiB-16GiB Modify HotSpot JVM to perform sanitization Re-evaluate data retention Measure the performance impacts Pridgen, Garfinkel, and Wallach Present but unreachable 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generational Generational Garbage Collection Garbage Collection Mirko Jerrentrup,

Generational Generational Garbage Collection Garbage Collection Mirko Jerrentrup,

Generational Generational Garbage Collection Garbage Collection Mirko Jerrentrup, Jerrentrup@interactive-software.de Overview Overview motivation at a glance issues problems and limitations conclusion Motivation

635 views • 42 slides
Segregation by age Why generational garbage collection Simple tracing collectors suffer from a

Segregation by age Why generational garbage collection Simple tracing collectors suffer from a

Segregation by age Why generational garbage collection Simple tracing collectors suffer from a # of drawbacks All active data must be marked or copy Delays caused by GC can be obtrusive Deferred RC can be used to smooth out cost of

408 views • 16 slides
How do we organize generations or record age? Goals of generational collection Aims of

How do we organize generations or record age? Goals of generational collection Aims of

How do we organize generations or record age? Goals of generational collection Aims of generational GC: Reduce cost of dealing with long lived objects Reduce garbage collection pause time Interactive program test Depends on

604 views • 14 slides
Uniprocessor Garbage Collection Techniques Presented by: Shiri Dori Shai Erera Outline

Uniprocessor Garbage Collection Techniques Presented by: Shiri Dori Shai Erera Outline

Uniprocessor Garbage Collection Techniques Presented by: Shiri Dori Shai Erera Outline What is Garbage Collection Basic Garbage Collection Techniques Advanced Techniques Incremental Garbage Collection Generational Garbage

660 views • 61 slides
FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp =

FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp =

FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp = (10, 20) in tmp[0] + tmp[1] , p0 = x[0] + y , p1 = x[1] + y in (p0, p1) ebp 0x00 0x04 0x08 0x0c 0x10 0x14 0x18 0x1c 0x20 0x24 esi

1.36k views • 122 slides
Garbage Collection Last time Compiling Object-Oriented Languages Today

Garbage Collection Last time Compiling Object-Oriented Languages Today

Garbage Collection Last time Compiling Object-Oriented Languages Today Motivation behind garbage collection Garbage collection basics Garbage collection performance Specific example of using GC in C++

400 views • 15 slides
Garbage Collection Akim Demaille, Etienne Renault, Roland Levillain June 4, 2019 TYLA Garbage

Garbage Collection Akim Demaille, Etienne Renault, Roland Levillain June 4, 2019 TYLA Garbage

Garbage Collection Akim Demaille, Etienne Renault, Roland Levillain June 4, 2019 TYLA Garbage Collection June 4, 2019 1 / 35 Table of contents Motivations and Definitions 1 Reference Counting Garbage Collection 2 Mark and Sweep Garbage

1.21k views • 95 slides
Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage

Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage

Compilation 2010 Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage Collector A garbage collector is part of the runtime system It reclaims heap-allocated records (objects) that are no longer in use

959 views • 56 slides
Garbage Collection for a calculus with indices Luis Francisco Ziliani Departamento de

Garbage Collection for a calculus with indices Luis Francisco Ziliani Departamento de

Motivation Different approachs for implementing -calculus Adding garbage collection to Summary Garbage Collection for a calculus with indices Luis Francisco Ziliani Departamento de Computacin Facultad de Ciencias Exactas y Naturales

1.12k views • 84 slides
Improving Flow Analyses via CFA Abstract Garbage Collection and Counting Matthew Might Olin

Improving Flow Analyses via CFA Abstract Garbage Collection and Counting Matthew Might Olin

Improving Flow Analyses via CFA Abstract Garbage Collection and Counting Matthew Might Olin Shivers Georgia Institute of Technology Northeastern University ICFP 2006 1 The Big Idea The Process 1. Add garbage collection to a

1.09k views • 83 slides
GARBAGE BAGE CO COLLECTIO LLECTION: N: @EvaAndreasson, @Cloudera AGENDA Garbage

GARBAGE BAGE CO COLLECTIO LLECTION: N: @EvaAndreasson, @Cloudera AGENDA Garbage

GARBAGE BAGE CO COLLECTIO LLECTION: N: @EvaAndreasson, @Cloudera AGENDA Garbage Collection (101) The Good The Bad The Ugly The Challenge! 2 GARBAGE COLLECTION "When you have to shoot, shoot - don't talk!" 3

372 views • 34 slides
Incremental Garbage Collection Part II Roland Schatz Incremental Garbage Collection p.1/22

Incremental Garbage Collection Part II Roland Schatz Incremental Garbage Collection p.1/22

Incremental Garbage Collection Part II Roland Schatz Incremental Garbage Collection p.1/22 Baker Disadvantages not concurrent Incremental Garbage Collection p.2/22 Baker Disadvantages not concurrent not even threadsafe

1.49k views • 93 slides
Myths and Realities: The Performance Impact of Garbage Collection Presented by: Tapasya Patki

Myths and Realities: The Performance Impact of Garbage Collection Presented by: Tapasya Patki

Myths and Realities: The Performance Impact of Garbage Collection Presented by: Tapasya Patki February 17, 2011 Authors Motivation: Cost-Benefit Analysis Motivation: To GC or not to GC Explicit Memory Management or Garbage Collection? Can GC

465 views • 23 slides
Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection

Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection

Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection The Brownbridge Collector SWP Collector

1.16k views • 88 slides
Practical Fully Relocating Garbage Collection in LLVM Philip Reames, Sanjoy Das Azul Systems

Practical Fully Relocating Garbage Collection in LLVM Philip Reames, Sanjoy Das Azul Systems

Practical Fully Relocating Garbage Collection in LLVM Philip Reames, Sanjoy Das Azul Systems Oct 28, 2014 This is a talk about how LLVM can better support garbage collection. It is not about how write an LLVM based compiler for a garbage

980 views • 79 slides
Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will

Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will

Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will Clinger 1 1 What is Garbage Collection? Automated reclamation of unreachable storage (Tracing) Garbage collection Mutator : Main application apart

1.13k views • 99 slides
RODEXIT . . . . . . . . . . effective rodent proofing Product Presentation for Door

RODEXIT . . . . . . . . . . effective rodent proofing Product Presentation for Door

29-01-2019 RODEXIT . . . . . . . . . . effective rodent proofing Product Presentation for Door Producers and Door Service Professionals (DSPs) 1 1 Agenda Introduction The RodeXit rodent proofing strip Rodent proofing

814 views • 21 slides
VGrADS Education, Outreach and Training Activities: Unlocking the Doors of Opportunity Keith

VGrADS Education, Outreach and Training Activities: Unlocking the Doors of Opportunity Keith

VGrADS Education, Outreach and Training Activities: Unlocking the Doors of Opportunity Keith Cooper (keith@rice.edu) With thanks to Theresa Chatman (tlc@rice.edu) Michael Sirois (msirois@rice.edu) Richard Tapia (rat@rice.edu) Center for

283 views • 10 slides
I. Desert: an arid region. Where the potential evaporation rate exceeds the potential

I. Desert: an arid region. Where the potential evaporation rate exceeds the potential

I. Desert: an arid region. Where the potential evaporation rate exceeds the potential precipitation rate by at least 2X. Arizona desert: precipitation rate = 6 - 10 inches/year evaporation rate = 100+ inches/year II. Rain Patterns in AZ A .

442 views • 43 slides
Administrative Notes March 15, 2018 Do you want to present your project to the class? If so,

Administrative Notes March 15, 2018 Do you want to present your project to the class? If so,

Administrative Notes March 15, 2018 Do you want to present your project to the class? If so, sign up using the following link (also listed on the website)! https://ubc.ca1.qualtrics.com/jfe/form/SV_d6aeH7 wmATnJNIh Midterm 2

750 views • 44 slides
A Tour of the Breakfast Cereal Aisle Physically and historically Quote from an unnamed German

A Tour of the Breakfast Cereal Aisle Physically and historically Quote from an unnamed German

A Tour of the Breakfast Cereal Aisle Physically and historically Quote from an unnamed German Cereal here is total garbage. It is either like eating sugar or eating air. Where is my muesli? Quote from an unnamed German Cereal here is

763 views • 51 slides
Yale University Department of Computer Science Scaling Software-Defined Network Controllers on

Yale University Department of Computer Science Scaling Software-Defined Network Controllers on

Yale University Department of Computer Science Scaling Software-Defined Network Controllers on Multicore Servers Andreas Voellmy 1 Bryan Ford 1 Paul Hudak 1 Y. Richard Yang 1 YALEU/DCS/TR-1468 July 2012 This work was supported in part by gifts

619 views • 22 slides
A quantifier-based approach to NPI-licensing typology: Empirical and computational investigations

A quantifier-based approach to NPI-licensing typology: Empirical and computational investigations

Introduction Quantifier-based approach Computational background -NPIs -NPIs Discussion A quantifier-based approach to NPI-licensing typology: Empirical and computational investigations Dissertation defense Mai Ha Vu October 4, 2019

1.33k views • 109 slides
Automata and program analysis Thomas Colcombet FCT Bordeaux 13 September 2017 based on

Automata and program analysis Thomas Colcombet FCT Bordeaux 13 September 2017 based on

Automata and program analysis Thomas Colcombet FCT Bordeaux 13 September 2017 based on joint work with Laure Daviaud et Florian Zuleger Weighted automata and tropical automata Weighted automata [Schtzenberger 61] Weighted automata

1.67k views • 129 slides

More recommend