persistence and volatility a paradox of computing
play

Persistence and volatility a paradox of computing Wietse Venema - PowerPoint PPT Presentation

Mar 04, 2024 •622 likes •880 views

. Persistence and volatility a paradox of computing Wietse Venema IBM T.J. Watson Research Center Hawthorne, NY, USA cover.fig This talk in a nutshell The paradox: Easy to lose information by accident Hard to lose information if you

  1. . Persistence and volatility a paradox of computing Wietse Venema IBM T.J. Watson Research Center Hawthorne, NY, USA cover.fig

  2. This talk in a nutshell The paradox: ● Easy to lose information by accident Hard to lose information if you want to ● Outline of this presentation: ● MACtimes and mostly volatile information Persistence of dead information ● paradox.fig

  3. What are MACtimes ($dev, $inode, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = lstat($filename); lstat() looks up the attributes of a UNIX file ● ● Most information is also available on Windows NTFS Some information is even available on old DOS FAT16 ● mactimes.fig

  4. More about MACtimes mtime last modification Write/truncate file; create/delete directory entry atime last access* Read/execute file; look up directory entry ctime last status change Owner, permission, reference count, write access dtime Linux-only delete time * Well, almost, grumble. Windows NTFS is weird mac.fig

  5. Example: login session (SunOS 4) Time Size MAC Permissions Owner Group File name 19:47:04 49152 .a. -rwsr-xr-x root staff /usr/bin/login 32768 .a. -rwxr-xr-x root staff /usr/etc/in.telnetd 19:47:08 272 .a. -rw-r--r-- root staff /etc/group 108 .a. -r--r--r-- root staff /etc/motd 8234 .a. -rw-r--r-- root staff /etc/ttytab 3636 m.c -rw-rw-rw- root staff /etc/utmp 28056 m.c -rw-r--r-- root staff /var/adm/lastlog 1250496 m.c -rw-r--r-- root staff /var/adm/wtmp 19:47:09 1041 .a. -rw-r--r-- root staff /etc/passwd 19:47:10 147456 .a. -rwxr-xr-x root staff /bin/csh login.fig

  6. Recent example (Lance Spitzner) Sep 25 00:44:49 dionysis rpc.statd[335]: gethostbyname error for ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF> <BF>^[<F7><FF><BF>^[<F7><FF><BF>bffff750 8049710 1b068746567627 [several more lines of RFC non-compliant characters...] Sep 25 00:45:16 dionysis inetd[473]: extra conf for service telnet/ tcp (skipped) Sep 25 00:45:28 dionysis in.telnetd[11554]: connect from 209.83.81.7 statd.fig

  7. MACtimes after rpc.statd exploit Sep 25 2000 01:45:15 20452 m.c -rwxr-xr-x /bin/prick 207600 .a. -rwxr-xr-x /usr/bin/as 63376 .a. -rwxr-xr-x /usr/bin/egcs 63376 .a. -rwxr-xr-x /usr/bin/gcc 63376 .a. -rwxr-xr-x /usr/bin/i386-redhat-linux-gcc 2315 .a. -rw-r--r-- /usr/include/_G_config.h 1297 .a. -rw-r--r-- /usr/include/bits/stdio_lim.h 4680 .a. -rw-r--r-- /usr/include/bits/types.h 9512 .a. -rw-r--r-- /usr/include/features.h 1021 .a. -rw-r--r-- /usr/include/gnu/stubs.h 11673 .a. -rw-r--r-- /usr/include/libio.h 20926 .a. -rw-r--r-- /usr/include/stdio.h 4951 .a. -rw-r--r-- /usr/include/sys/cdefs.h 1440240 .a. -rwxr-xr-x /usr/lib/gcc-lib/[...]/cc1 45488 .a. -rwxr-xr-x /usr/lib/gcc-lib/[...]/collect2 87312 .a. -rwxr-xr-x /usr/lib/gcc-lib/[...]/cpp 5794 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/include/stdarg.h 9834 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/include/stddef.h 1926 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/specs 20452 .a. -rwxr-xr-x <hda8-inode-30199> 537 ma. -rw-r--r-- <hda8-inode-30207> prick.fig

  8. MACtimes after rpc.statd exploit, continued Sep 25 2000 01:45:16 0 m.c -rw-r--r-- /etc/hosts.allow 0 m.c -rw-r--r-- /etc/hosts.deny 3094 mac -rw-r--r-- /etc/inetd.conf 205136 .a. -rwxr-xr-x /usr/bin/ld 176464 .a. -rwxr-xr-x /usr/bin/strip 3448 m.. -rwxr-xr-x /usr/bin/xstat 8512 .a. -rw-r--r-- /usr/lib/crt1.o 1124 .a. -rw-r--r-- /usr/lib/crti.o 874 .a. -rw-r--r-- /usr/lib/crtn.o 1892 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/crtbegin.o 1424 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/crtend.o 769892 .a. -rw-r--r-- /usr/lib/gcc-lib/[...]/libgcc.a 314936 .a. -rwxr-xr-x /usr/lib/libbfd-2.9.5.0.22.so 178 .a. -rw-r--r-- /usr/lib/libc.so 69994 .a. -rw-r--r-- /usr/lib/libc_nonshared.a 0 mac -rw------- <hda8-inode-22111> 0 mac -rw------- <hda8-inode-22112> 0 mac -rw-r--r-- <hda8-inode-22113> 20452 ..c -rwxr-xr-x <hda8-inode-30199> 537 ..c -rw-r--r-- <hda8-inode-30207> 12335 mac -rwxr-xr-x <hda8-inode-30209> 3448 m.. -rwxr-xr-x <hda8-inode-30210> xstat.fig

  9. Timeline of an incident 00:44:49 Exploit rpc.statd buffer overflow 00:45:15 Save existing login program as /bin/prick 00:45:16 Install backdoor /bin/login + /usr/bin/xstat 00:45:16 Add (redundant) telnet service entry to inetd.conf 00:45:16 Disable TCP Wrapper access control 00:45:28 Test the backdoor with telnet connection 17:31:47 Install floodnet DOS tool, update login backdoor timeline.fig

  10. Examples of MACtime applications Post-mortem analysis of incident ● (reconstruction of past behavior) Hardening system security ● (determining the footprint of a system) MACtimes can be applied to existing and deleted files ● applications.fig

  11. Limitations of MACtimes Volatile ● Quickly erode as result of normal activity ■ Only unusual behavior leaves persistent trail ■ Easy to forge ● utime($new_atime, $new_mtime, $filename); ■ Or simply apply the change to the raw disk ■ limitations.fig

  12. Interesting Windows features Time stamps change "after the fact" because of the ● way Windows implements daylight savings time Windows NTFS updates the last access time only ● if the time stamp would change by more than an hour Result: Windows shows the time of FIRST access Windows NTFS preserves mtime when copying file ● Result: file appears to be created AFTER modified windows.fig

  13. The UNIX FAQ on recovering deleted files For all intents and purposes, when you delete a file with "rm" it is gone. Once you "rm" a file, the system totally forgets which blocks scattered around the disk were part of your file. Even worse, the blocks from the file you just deleted are going to be the first ones taken and scribbled upon when the system needs more space. faq.fig

  14. "Brute force" survival of deleted data Kids, don’t do this at home :-) Downloaded Linux rootkit V4 ● Compiled, installed and removed rootkit ● Downloaded the Coroner’s toolkit (TCT) ● Compiled and ran the TCT software ● Burst of 460 "deleted" MACtimes at time of "incident" ● 300 of those MACtimes were "modified" Nov. 23, 1998* ● Footprints: TCT 300 files, rootkit about 800 files ● *The apparent time that Linux rootkit V4 was packaged rootkit.fig

  15. "Long-term" survival of deleted data Modern UNIX systems do not scatter a file all over the disk Less fragmentation gives better read/write performance ● Typically, a file is contained within a file system zone ● Grouping related files together improves access time ● Good locality allows deleted file contents to survive ● Good locality allows deleted file MACtimes to survive ● locality.fig

  16. Layout of a typical UNIX/Linux file system Entire disk label partition partition partition UNIX file system zone zone zone zone zone File system zone super inode data inode data block bitmap bitmap blocks blocks layout.fig

  17. The hello world exploit Creating and compiling the exploit Aug 04 16:00:14 85 m.c -rw-r--r-- wietse /home/wietse/hello.c (create source file) Aug 04 16:00:21 1024 m.. drwxr-xr-x wietse /home/wietse 4173 mac -rwxr-xr-x wietse /home/wietse/hello (create executable) 85 .a. -rw-r--r-- wietse /home/wietse/hello.c (read source file) hello-overt.fig

  18. The hello world exploit, covert Creating, compiling, running and deleting the exploit Aug 04 16:00:14 85 m.c -rw-r--r-- wietse /home/wietse/hello.c (create source file) Aug 04 16:00:21 1024 m.. drwxr-xr-x wietse /home/wietse 4173 mac -rwxr-xr-x wietse /home/wietse/hello (create executable) 85 .a. -rw-r--r-- wietse /home/wietse/hello.c (read source file) hello-covert.fig

  19. UNIX file system basics Directory /home/wietse Inode 123 hello.c 123 hello 456 owner/group ID and so on... permissions Data blocks... file/directory/etc. data block #s data data MACtimes data data and so on... data data basic-fs.fig

  20. What happens when a UNIX file is deleted? name (directory entry) preserved, not linked to inode attributes (inode block) ownership preserved MAtime preserved Ctime time of deletion reference count zero file type permissions Linux: preserved size Other UNIX: erased data block locations contents (data blocks) preserved deleted.fig

  21. The hello world exploit, revealed Aug 04 16:13:08 85 m.. -rw-r--r-- wietse <hda6-311549> (create source file) Aug 04 16:13:16 85 .a. -rw-r--r-- wietse <hda6-311549> (read source file) 4173 m.. -rwxr-xr-x wietse <hda6-311550> (create executable) Aug 04 16:13:22 4173 .a. -rwxr-xr-x wietse <hda6-311550> (run executable) Aug 04 16:13:28 1024 m.. drwxr-xr-x wietse /home/wietse 85 ..c -rw-r--r-- wietse <hda6-311549> (delete source file) 4173 ..c -rwxr-xr-x wietse <hda6-311550> (delete executable) hello-revealed.fig

  22. Longevity of deleted file MACtimes Deleted Time since inodes deletion 1283 day 881 week 2112 month 171 2 months 175 3 months hades.fig

  23. Longevity of deleted file MACtimes, cont’d Deleted Time since inodes deletion 20267 1 month 3226 2 months 10423 3 months 172 4 months 1120 5 months 945 6 months 5107 7 months 262 8 months 1057 9 months 51205 10 months fish.fig

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by an application in order to persist its state, that is to store and retrieve information using some sort of database management system. Presentation

633 views • 60 slides
Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most mysteries. Christopher Pike, Black Blood Persistence when you are stuck on a piece of new code is hardly ever a virtue. Try redesigning the

619 views • 25 slides
market volatility Table of Contents Understanding volatility 3 4 Method #1: Avoid volatility

market volatility Table of Contents Understanding volatility 3 4 Method #1: Avoid volatility

Protect and build your wealth in market volatility Table of Contents Understanding volatility 3 4 Method #1: Avoid volatility 6 Method #2: Manage volatility 8 Method #3: Ignore volatility 13 What happened last year? Emerging markets

479 views • 35 slides
University Politics in an Age of Paradox: The Question of Internationalization An Age of Paradox

University Politics in an Age of Paradox: The Question of Internationalization An Age of Paradox

Dr. Michael Woolf: Presentation Transcript University Politics in an Age of Paradox: The Question of Internationalization An Age of Paradox I will start with an assertion that you may well want to challenge. We live in an age of paradox where

445 views • 18 slides
CS371m - Mobile Computing Persistence - Web Based Storage CHECK OUT

CS371m - Mobile Computing Persistence - Web Based Storage CHECK OUT

CS371m - Mobile Computing Persistence - Web Based Storage CHECK OUT https://developer.android.com/trainin g/sync-adapters/index.html The Cloud . 2 Backend No clear definition of backend front end - user interface backend

793 views • 63 slides
CS378 - Mobile Computing Persistence Saving State We have already seen saving app state into

CS378 - Mobile Computing Persistence Saving State We have already seen saving app state into

CS378 - Mobile Computing Persistence Saving State We have already seen saving app state into a Bundle on orientation changes or when an app is killed to reclaim resources but may be recreated later 2 Storing Data Multiple options for

668 views • 29 slides
Volatility is rough Jim Gatheral 1 , Thibault Jaisson 2 and Mathieu Rosenbaum 3 2 1 City

Volatility is rough Jim Gatheral 1 , Thibault Jaisson 2 and Mathieu Rosenbaum 3 2 1 City

Some elements about volatility modeling Building the Rough FSV model The structure of volatility in the RFSV model Application of the RFSV model : Volatility prediction Microstructural foundations for the RFSV model Volatility is rough Jim

920 views • 46 slides
Castlestone Low Volatility Income UCITS Fund Presentation Q2 - 2020 Investing in Low Volatility

Castlestone Low Volatility Income UCITS Fund Presentation Q2 - 2020 Investing in Low Volatility

Castlestone Low Volatility Income UCITS Fund Presentation Q2 - 2020 Investing in Low Volatility Equities Low Volatility stocks can help smooth out the ups and down of an unpredictable market. Low Volatility Funds are generally bought to

117 views • 11 slides
CS371m - Mobile Computing Persistence Storing Data Multiple options for storing data

CS371m - Mobile Computing Persistence Storing Data Multiple options for storing data

CS371m - Mobile Computing Persistence Storing Data Multiple options for storing data associated with apps Shared Preferences Internal Storage device memory External Storage SQLite Database Network Connection 2 Saving

1.23k views • 55 slides
The Barber Paradox: on its Paradoxicality and its Relationship to Russells Paradox Logika:

The Barber Paradox: on its Paradoxicality and its Relationship to Russells Paradox Logika:

The Barber Paradox: on its Paradoxicality and its Relationship to Russells Paradox Logika: systmov rmec rozvoje oboru v R a koncepce logickch propedeutik pro mezioborov studia (reg. . CZ.1.07/2.2.00/28.0216, OPVK) doc. PhDr.

480 views • 22 slides
CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management

CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management

CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management or worked with databases as part of a job, internship, or project: 2 Databases RDBMS relational data base management system Relational

759 views • 61 slides
CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base

CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base

CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base management system Relational databases introduced by E. F. Codd Turing Award Winner Relational Database data stored in tables

556 views • 34 slides
TOOLS TO REDUCE PRICE VOLATILITY IN AGRICULTURE MARKETS HOW WE ARE CURRENTLY DEALING WITH

TOOLS TO REDUCE PRICE VOLATILITY IN AGRICULTURE MARKETS HOW WE ARE CURRENTLY DEALING WITH

TOOLS TO REDUCE PRICE VOLATILITY IN AGRICULTURE MARKETS HOW WE ARE CURRENTLY DEALING WITH VOLATILITY? Felice ADINOLFI OUTLINE Volatility drivers Factors affecting farmers income risk How we are currently dealing with volatility?

119 views • 9 slides
The Promise of Paradox Gods Word is loaded with the language of paradox. Even more, Gods

The Promise of Paradox Gods Word is loaded with the language of paradox. Even more, Gods

The Promise of Paradox Gods Word is loaded with the language of paradox. Even more, Gods Word is laced with lavish promises of grace. We will look at biblical evidence of how the Holy Spirit works for the good of humans. Especially in the

637 views • 62 slides
Asymptotic Freedom: From Paradox to Paradigm Paradox 1: Quarks are Born Free, But Everywhere

Asymptotic Freedom: From Paradox to Paradigm Paradox 1: Quarks are Born Free, But Everywhere

Asymptotic Freedom: From Paradox to Paradigm Paradox 1: Quarks are Born Free, But Everywhere They are in Chains The quark model works ... ... but its rules are very strange. Quarks behave independently when theyre close, but they

734 views • 27 slides
The Jersey Accommodation and Activity Centre (JAAC) Paradox Ltd A brief History Paradox Ltd

The Jersey Accommodation and Activity Centre (JAAC) Paradox Ltd A brief History Paradox Ltd

) The Jersey Accommodation and Activity Centre (JAAC) Paradox Ltd A brief History Paradox Ltd was set up in 2007 by Petula Skinner and John Fox as an agency to organise bespoke holidays in Jersey. It was soon evident that the next stage would

794 views • 7 slides
L LANEMIA FALCIFORME: NUOVI APPROCCI TE TERAP RAPEUTICI TICI Lucia De Franceschi Dept.

L LANEMIA FALCIFORME: NUOVI APPROCCI TE TERAP RAPEUTICI TICI Lucia De Franceschi Dept.

L LANEMIA FALCIFORME: NUOVI APPROCCI TE TERAP RAPEUTICI TICI Lucia De Franceschi Dept. di Medicina, AOUI Verona e Universita di Verona- Verona Treviso 17 Novembre 2017 Hemoglobinopathies are Emerging Problem of Public Health based

876 views • 26 slides
Download book &quot;Designing Science Presentations: A Visual Guide to Figures, Papers, Slides,

Download book &quot;Designing Science Presentations: A Visual Guide to Figures, Papers, Slides,

Download book &quot;Designing Science Presentations: A Visual Guide to Figures, Papers, Slides, Posters, and More&quot; by Matt Carter. Effulgent clinometers photochemically methodizes during the twice ware unacquaintance. Hyperbaric verboseness

302 views • 3 slides
Title slide Accessibility Deep Title slide Dive Workshop Rules of Engagement If you need

Title slide Accessibility Deep Title slide Dive Workshop Rules of Engagement If you need

Title slide Accessibility Deep Title slide Dive Workshop Rules of Engagement If you need to get up - just do it! Silence your phones. Title slide Leave the room if you need to take a call. Let us know if we need to adjust:

1.62k views • 147 slides
Two More Causes of Following cataract surgery Diplopia Convergence abnormalities

Two More Causes of Following cataract surgery Diplopia Convergence abnormalities

12/2/2016 Other Causes Discussed Two More Causes of Following cataract surgery Diplopia Convergence abnormalities Divergence abnormalities Creig S Hoyt MD MA San Francisco Excluded- CN palsies, thyroid orbitopathy Following

227 views • 7 slides
My PKU U journe rney Intr troductio duction Karen Willetts from Dublin, Ireland

My PKU U journe rney Intr troductio duction Karen Willetts from Dublin, Ireland

My PKU U journe rney Intr troductio duction Karen Willetts from Dublin, Ireland Married to Jon, 2 kids who both have PKU Ciara aged 9 and Luke aged 5 My PKU U journe rney Finding nding out about PKU - Ciara is our first

538 views • 5 slides
A Historical Perspective on Dative Subjects in Indo-Aryan Miriam Butt and Ashwini Deo University

A Historical Perspective on Dative Subjects in Indo-Aryan Miriam Butt and Ashwini Deo University

Introduction Reconstructed Constructions The Data Analysis Conclusion References A Historical Perspective on Dative Subjects in Indo-Aryan Miriam Butt and Ashwini Deo University of Konstanz, Yale University LFG 2013 Debrecen, July 2013 1

731 views • 47 slides
Online Timed Pattern Matching using Derivatives Dogan Ulus , Thomas Ferr` ere , Eugene

Online Timed Pattern Matching using Derivatives Dogan Ulus , Thomas Ferr` ere , Eugene

Online Timed Pattern Matching using Derivatives Dogan Ulus , Thomas Ferr` ere , Eugene Asarin , and Oded Maler Verimag , Universit e Grenoble-Alpes &amp; CNRS, France IRIF , Universit e Paris Diderot, France

761 views • 42 slides
Hepatitis C Good Practice Roadshow Friday 27 th September 2019 West London ODN #hepCwestlondon

Hepatitis C Good Practice Roadshow Friday 27 th September 2019 West London ODN #hepCwestlondon

Hepatitis C Good Practice Roadshow Friday 27 th September 2019 West London ODN #hepCwestlondon Introduction and setting the scene Emma Burke Programme Manger, Alcohol, Drugs and Tobacco, Public Health England London Hepatitis C Good

1.76k views • 165 slides

More recommend