lo ph
play

LO-PH Low-Observable Physical Host Instrumentation for Malware - PowerPoint PPT Presentation

Mar 25, 2023 •282 likes •532 views

LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky , Hongyi Hu and Kevin Leach cspensky@cs.ucsb.edu hongyihu@alum.mit.edu kjl2y@virginia.edu lophi@mit.edu The Network and

  1. LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky ∗ † , Hongyi Hu ∗ § and Kevin Leach ∗ ‡ cspensky@cs.ucsb.edu hongyihu@alum.mit.edu kjl2y@virginia.edu lophi@mit.edu The Network and Distributed System Security Symposium 2016 ∗ MIT Lincoln Laboratory † University of California, Santa Barbara § Dropbox ‡ University of Virginia This work was sponsored by the Assistance Secretary of Defense for Research and Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government. DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.

  2. Outline LO-PH • Overview of LO-PHI • Instrumentation • Semantic Gap Reconstruction • Automated Binary Analysis • Evaluation (Windows Malware) • Summary • Demo (Time Permitting) LO-PHI / NDSS- 2 CSS 02/24/16

  3. The Problem LO-PH • Binary dynamic analysis is becoming increasingly difficult in security-critical scenarios – Environment-aware malware can detect various artifacts exposed by most existing dynamic analysis frameworks and leverage them to avoid detection, or subvert the analysis all together – The observer effect , i.e. the effects of the measurement itself, can interfere with the analysis, making the results untrustworthy • E.g., software-based instrumentation may result in a different memory layout LO-PHI / NDSS- 3 CSS 02/24/16

  4. The Problem LO-PH • Introspection techniques offer solutions that have fewer artifacts, but must also bridge the semantic gap – i.e., translate low-level data to semantically rich output for analysis LO-PHI / NDSS- 4 CSS 02/24/16

  5. Introspection Options LO-PH • Software – Pros: cheap, easy to implement – Cons: OS dependent, can affect analysis, easily subverted • Virtual machines – Pros: development in software, scalable – Cons: easily detectable artifacts (E.g. Redpill ) • Hardware – Pros: potentially very few artifacts, better ground truth – Cons: difficult to implement, expensive LO-PHI / NDSS- 5 CSS 02/24/16

  6. Goals LO-PH • Primary goal – Low-Observable Physical Host Instrumentation (LO-PHI) aims to obtain ground truth information about a system under test (SUT) while introducing as few artifacts as possible System Under Test LO-PHI Data Collection Sensors Data Processing Semantic Output LO-PHI / NDSS- 6 CSS 02/24/16

  7. Overview LO-PH • Zero software-based artifacts • Simple Python APIs to interact with a system under test – Same code for either physical or virtual machines • A suite of both sensors and actuators • A suite of semantic-gap reconstruction tools • Python-based framework for automated binary analysis – Analysis “scripts” can be submitted and executed on automatically provisioned machines LO-PHI / NDSS- 7 CSS 02/24/16

  8. Virtual Instrumentation LO-PH UNIX Socket LO-PH Memory Introspection Server cpu_physical_memory_map Semantic Analysis block.c UNIX Socket LO-PH Disk Introspection Server LO-PHI / NDSS- 8 CSS 02/24/16

  9. Physical Instrumentation LO-PH Power, Keyboard, Mouse (USB/GPIO) Disk Introspection (SATA) Network Tap (Ethernet) Memory Introspection (PCIe) Semantic Analysis LO-PHI / NDSS- 9 CSS 02/24/16

  10. Semantic Gap LO-PH • Fictional Hollywood example: The Matrix 1. Input Raw Data 2. Parse Data Structures 3. Extract Features • Memory (Volatility) – Reader raw memory to extract attributes of the system – E.g., running processes, kernel modules, descriptor tables • Hard Disk (Sleuthkit) – Translate low-level disk activity into file system activities – E.g., file creation, deletion, read, write LO-PHI / NDSS- 10 CSS 02/24/16

  11. Stream-based Disk Forensics LO-PH Bare Metal • Multiple layers of abstraction that we must bridge } Xilinx ML507 FPGA – Analog Signal à Digital bits – Digital bits à SATA Frames – SATA Frames à Sector manipulation SATA Reconstruction Sleuthkit (TSK) – Sector manipulation à File System Manipulation analyzeMFT SATA File System Reconstruction Reconstruction 2. Semantic 1. Data Collection 3. Analysis Reconstruction LO-PHI / NDSS- 11 CSS 02/24/16

  12. SATA Reconstruction LO-PH A Brief Primer on SATA • Serial ATA – bus interface that replaces older IDE/ATA standards • SATA uses frames (FIS) to communicate between host and device FIS – Frame Information Structure LO-PHI / NDSS- 12 CSS 02/24/16

  13. SATA Reconstruction LO-PH A Brief Primer on SATA HOST DEVICE Register - Host to Device (HTD) Direct Memory Access (DMA) - Contains logical Activate block address (LBA/ sector), number of sectors, operation, Data A etc. Data B Data C Register – Device to Host (DtH) Example – DMA Write LO-PHI / NDSS- 13 CSS 02/24/16

  14. SATA Reconstruction LO-PH Native Command Queuing • Native Command Queuing (NCQ) complicates reconstruction • NCQ allows for up to 32 separate, concurrent, asynchronous disk transactions – Many SATA devices implement NCQ • NCQ identifies transactions by 5-bit TAG field (0-31) LO-PHI / NDSS- 14 CSS 02/24/16

  15. SATA Reconstruction LO-PH • Wrote a Python module to handle all of these transactions – Consumes raw SATA frames – Supports all of the existing SATA versions – Outputs stream of logical sector operations • Traditional SATA analyzers are expensive and don’t provide analysis-friendly interfaces LO-PHI / NDSS- 15 CSS 02/24/16

  16. File System Reconstruction LO-PH • Current Solution – Uses PyTSK to keep a unified codebase in Python – Naïve approach requires analyzing the entire image at every interval • Optimization: Uses AnalyzeMFT for NTFS optimization Check previous state Extract file system state using TSK from if known sector : Update structures initial clean image else: report as UNKNOWN t 0 t+1 LO-PHI / NDSS- 16 CSS 02/24/16

  17. Automated Binary Analysis LO-PH File Corpus Master Semantic Gap Analysis Memory FTP Server Filtering (Volatility) Anomaly Disk Database Detection (Sleuthkit) Scheduler Network Output Submission Client Controller(s) Controller(s) Controller(s) Virtual Machine Pool Physical Machine Pool Network Services Scheduler Analysis Script FTP Server Sensors & Sensors & Actuators Actuators LO-PHI / NDSS- 17 CSS 02/24/16

  18. Automated Binary Analysis LO-PH Physical Machines • Machine/hard disk reset 1. Power down machine 2. Re-image disk with selected OS (CloneZilla) DHCP/PXE TFTP DNS LO-PHI Network Services Controller System Under Test LO-PHI / NDSS- 18 CSS 02/24/16

  19. Automated Binary Analysis LO-PH Physical Machines • Download binary onto SUT 3. Wait for OS to appear on the network (ping) 4. Download binary from controller using ftp (key presses) DHCP/PXE FTP LO-PHI Network Services Controller System Under Test LO-PHI / NDSS- 19 CSS 02/24/16

  20. Automated Binary Analysis LO-PH Physical Machines • Execute binary 5. Dump clean state of memory 6. Start capturing network and disk activity 7. Run Binary (Start moving mouse) 8. Dump interim state of memory 7. Identify and click all buttons (Volatility) 8. Dump dirty state of memory Memory Sensor Disk Sensor Actuator Network Tap Controller System Under Test LO-PHI / NDSS- 20 CSS 02/24/16

  21. Evaluation: Semantic Output LO-PH (on WinXPSP3) • Homemade Rootkit – Comparison: Anubis failed to execute the binary, and Cuckoo sandbox failed to detect/execute our ftp server • Labeled Malware (213 well-labeled samples) – Blind analysis identified various behaviors, all of which were confirmed by ground truth • Unlabeled Malware (1091 samples) – Similar findings LO-PHI / NDSS- 21 CSS 02/24/16

  22. Evaluation: Evasive Malware LO-PH (on Windows 7) • Paranoid Fish (Evasive malware proof-of-concept) – Failed to detect LO-PHI – Comparison: Anubis and Cuckoo sandbox were both detected due to virtualization artifacts • Labeled Malware (429 coarsely-labeled samples) – LO-PHI detected suspicious activity in almost every sample • Some appeared to be targeting a different OS version LO-PHI / NDSS- 22 CSS 02/24/16

  23. Summary LO-PH • Deployed and tested LO-PHI an extremely low-artifact, hardware and VM-based, dynamic-analysis environment • Developed hardware, and supporting tools, for stream-based disk forensics on SATA-based physical machines 1 • Constructed a framework, and accompanying infrastructure, for automating analysis of binaries on both physical and virtual machines – Open Source (BSD License): http://github.com/mit-ll/LO-PHI • Demonstrated the scalability and fidelity of LO-PHI by analyzing thousands of labeled and unlabeled malware samples 1 http://www.osdfcon.org/presentations/2014/Hu-Spensky-OSDFCon2014.pdf LO-PHI / NDSS- 23 CSS 02/24/16

  24. Demo LO-PH Demonstration of VM-based binary analysis. LO-PHI / NDSS- 24 CSS 02/24/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Memory Philipp Koehn 25 April 2018 Philipp Koehn Computer Systems Fundamentals: Virtual

Virtual Memory Philipp Koehn 25 April 2018 Philipp Koehn Computer Systems Fundamentals: Virtual

Virtual Memory Philipp Koehn 25 April 2018 Philipp Koehn Computer Systems Fundamentals: Virtual Memory 25 April 2018 Recall: Process Address Space 1 Kernel memory ffffffff User stack Stack pointer Memory-mapped region for shared

634 views • 39 slides
Chapter 12: Disks CS 416: Operating Systems Design Department of Computer Science Rutgers

Chapter 12: Disks CS 416: Operating Systems Design Department of Computer Science Rutgers

Chapter 12: Disks CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/teaching/416 File System: Abstraction for Secondary Storage CPU Memory Memory Bus (System Bus) Bridge

441 views • 42 slides
F or De c ade s T he IC- DISC Has Be e n Saving Companie s Mone y Why Ar e nt You

F or De c ade s T he IC- DISC Has Be e n Saving Companie s Mone y Why Ar e nt You

F or De c ade s T he IC- DISC Has Be e n Saving Companie s Mone y Why Ar e nt You Using It? Pr e se nte d By: Paul F e r r e ir a, CPA Pr e side nt E xpor t T ax Manage me nt, Inc . What is an IC-DISC? The Interest

370 views • 13 slides
File Systems: Disk Organization File Systems: Disk Organization CS 105 Tour of the Black

File Systems: Disk Organization File Systems: Disk Organization CS 105 Tour of the Black

File Systems: Disk Organization File Systems: Disk Organization CS 105 Tour of the Black Holes of Computing A disk is a sequence of 4096-byte sectors or blocks Can only read or write in

310 views • 6 slides
Disk Formation in Magnetized Dense Cores with Turbulence and Ambipolar Diffusion March 21, 2019

Disk Formation in Magnetized Dense Cores with Turbulence and Ambipolar Diffusion March 21, 2019

Disk Formation in Magnetized Dense Cores with Turbulence and Ambipolar Diffusion March 21, 2019 Ka Ho (Andy) Lam (University of Virginia) Zhi-Yun Li (UVa) Che-Yu Chen (UVa) Kengo Tomida (OsakaU/Princeton) Bo Zhao (MPE) Credit: Bill Saxton

1.17k views • 33 slides
Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan

Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan

Ceph: A Scalable, High-Performance Distributed File System Sage A. Weil, Scott A. Brandt, Ethan L. Milner, Darrel D. E. Long Presenter: Md Rajib Hossen Ceph- A single, Open, and Unified platform Horizontally scalable Interoperability

533 views • 15 slides
Why Is This Important? DB performance depends on time it takes to get the data from storage

Why Is This Important? DB performance depends on time it takes to get the data from storage

Why Is This Important? DB performance depends on time it takes to get the data from storage system and time to process Overview of Storage and Indexing Choosing the right index for faster access can speed up queries significantly

476 views • 6 slides
Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu Open-Source Digital Forensics Conference 2014 This work is sponsored by the Assistant Secretary of Defense for Research and Engineering under Air

800 views • 50 slides
Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching work? Whats hard about caching? How do we make choices as we design a caching architecture? How do we test a cache for performance?

965 views • 59 slides
A disk origin for inner stellar halo structures around the Milky Way Adrian Price-Whelan

A disk origin for inner stellar halo structures around the Milky Way Adrian Price-Whelan

A disk origin for inner stellar halo structures around the Milky Way Adrian Price-Whelan (Princeton University) adrn adrianprw Kathryn Johnston , Allyson Sheffield, Chervin Laporte , Maria Bergemann, Branimir Sesar, Ting Li, Chris Hayes,

680 views • 42 slides
wP wPerf rf: : Generic Off-CP CPU Analysis to Iden Identif ify B Bottlenec leneck W Wait

wP wPerf rf: : Generic Off-CP CPU Analysis to Iden Identif ify B Bottlenec leneck W Wait

wP wPerf rf: : Generic Off-CP CPU Analysis to Iden Identif ify B Bottlenec leneck W Wait aiting ing E Even ents Fang Zhou, Yifan Gan, Sixiang Ma, Yang Wang The Ohio State University Optimizing bottleneck is critical to throughput

590 views • 42 slides
Numerical relativity simulations of thick accretion disks around tilted Kerr black holes

Numerical relativity simulations of thick accretion disks around tilted Kerr black holes

Introduction and astrophysical motivation Initial models and diagnostic tools Results Numerical relativity simulations of thick accretion disks around tilted Kerr black holes Vassilios Mewes Collaborators: Toni Font Pedro Montero Nikolaos

613 views • 44 slides
Disk to Disk Data Transfers at 100Gbps SuperComputing 2011 Azher Mughal Caltech (HEP) CENIC

Disk to Disk Data Transfers at 100Gbps SuperComputing 2011 Azher Mughal Caltech (HEP) CENIC

Disk to Disk Data Transfers at 100Gbps SuperComputing 2011 Azher Mughal Caltech (HEP) CENIC 2012 http://supercomputing.caltech.edu Agenda Motivation behind SC 2011 Demo Collaboration (Caltech, Univ of Victoria, Vendors) Network

363 views • 21 slides
Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct

Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct

Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct physical memory access? Address translation with pages Optimizing translation : translation lookaside buffer Extra benefits : sharing and protection

622 views • 38 slides
Momentum Free Response Problems Slide 2 / 42 1. Block 1 with a mass of 500 g moves at a

Momentum Free Response Problems Slide 2 / 42 1. Block 1 with a mass of 500 g moves at a

Slide 1 / 42 Momentum Free Response Problems Slide 2 / 42 1. Block 1 with a mass of 500 g moves at a constant speed of 5 m/s on a horizontal frictionless track and collides and sticks to a stationary block 2 mass of 1.5 kg. Block 2 is

558 views • 42 slides
Improving Disk I/O Performance on Linux Carl Henrik Lunde, Hvard Espeland, Hkon Kvale

Improving Disk I/O Performance on Linux Carl Henrik Lunde, Hvard Espeland, Hkon Kvale

Improving Disk I/O Performance on Linux Carl Henrik Lunde, Hvard Espeland, Hkon Kvale Stensland, Andreas Petlund, Pl Halvorsen Completely Fair Queuing Default scheduler on Linux Ensures complete fairness among I/O-requests in the same

757 views • 29 slides
!"#$%&'&(#$)*$%+,#$-./'#0/$ 1+,,$1),)/2.$ 34')5#($667$899:$

!"#$%&'&(#$)*$%+,#$-./'#0/$ 1+,,$1),)/2.$ 34')5#($667$899:$

!"#$%&'&(#$)*$%+,#$-./'#0/$ 1+,,$1),)/2.$ 34')5#($667$899:$ !"#$;<5/&(=>$69?$@AB$.#C(D$E+/2$ 8FG$"($/4CH$I0#$ $$@J))($/#K&#HIC,$C44#//D$ 6$CJ/$L$G$M1$ $$@NOPQ$4),=$=C'CD$ R'S/$C$'CJ#T$ 100 MB/s

261 views • 5 slides
Franklin: User Experiences Helen He, William Kramer, Jonathan Carter, Nicholas Cardo Cray User

Franklin: User Experiences Helen He, William Kramer, Jonathan Carter, Nicholas Cardo Cray User

Franklin: User Experiences Helen He, William Kramer, Jonathan Carter, Nicholas Cardo Cray User Group Meeting May 5-8, 2008 Outline Introduction Franklin Early User Program CVN vs. CLE Franklin Into Production Selected

500 views • 36 slides
GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The

GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The

GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The local architectural scenery GEOM fundamentals. (tea break) Slicers (not a word about libdisk!) Tales of the unexpected. Q/A etc.

1.51k views • 114 slides
A new inclination instability in a disk of stars around a massive black hole Ann-Marie Madigan,

A new inclination instability in a disk of stars around a massive black hole Ann-Marie Madigan,

A new inclination instability in a disk of stars around a massive black hole Ann-Marie Madigan, UC Berkeley ~50% of stars in nuclear star clusters form in-situ (Antonini, 2015) Credit: Richard Alexander Disk stability Galactic center:

235 views • 10 slides
ZFS Internal Structure Ulrich Grf Senior SE Sun Microsystems ZFS Filesystem of a New

ZFS Internal Structure Ulrich Grf Senior SE Sun Microsystems ZFS Filesystem of a New

ZFS Internal Structure Ulrich Grf Senior SE Sun Microsystems ZFS Filesystem of a New Generation Integrated Volume Manager Transactions for every change on the Disk Checksums for everything Self Healing Simplified Administration Also

326 views • 32 slides
Debris Disks and the Evolution of Planetary Systems Christine Chen September 1, 2009 Why

Debris Disks and the Evolution of Planetary Systems Christine Chen September 1, 2009 Why

Debris Disks and the Evolution of Planetary Systems Christine Chen September 1, 2009 Why Study Circumstellar Disks? How common is the architecture of our solar system (terrestrial planets, asteroid belt, Jovian planets, and Kuiper

545 views • 29 slides
Dislocation density tensor Samuel Forest Mines ParisTech / CNRS Centre des Mat eriaux/UMR

Dislocation density tensor Samuel Forest Mines ParisTech / CNRS Centre des Mat eriaux/UMR

Dislocation density tensor Samuel Forest Mines ParisTech / CNRS Centre des Mat eriaux/UMR 7633 BP 87, 91003 Evry, France Samuel.Forest@mines-paristech.fr Plan Statistical theory of dislocations 1 The dislocation density tensor Scalar

803 views • 35 slides
Strengthening Mechanisms The ability of a metal to plastically deform depends on the ability of

Strengthening Mechanisms The ability of a metal to plastically deform depends on the ability of

Kasetsart University 213211: Strengthening Strengthening Mechanisms The ability of a metal to plastically deform depends on the ability of dislocations to move. Restricting or hindering dislocation motions renders a material harder and

247 views • 9 slides

More recommend