Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods
Michael Gruhn, Felix Freiling 2016-30-03
Department Computer Science IT Security Infrastructures Friedrich-Alexander-University Erlangen-Nürnberg Erlangen, Germany
EU
Outline
Introduction
  Motivation
  Atomicity, Integrity and Correctness per [Vömel and Freiling 2012]
    Atomicity Violation
    Integrity Violation
Estimating Atomicity and Integrity
  Payload Application
  Atomicity and Integrity Deltas
Results
Take-Home and Future Research
2016-30-03 | Michael Gruhn | FAU i1 | ramatom
Motivation
Atomicity Violation per [Vömel and Freiling 2012]
Figure: Space-time diagram of imaging procedure creating non-atomic snapshot (labels: r1, r2, r3, r4).
Integrity Violation per [Vömel and Freiling 2012]
Figure: Integrity of a snapshot with respect to a specific point in time t (labels: t, r1, r2, r3, r4).
Estimating Atomicity and Integrity via Payload Application

Counter shown for each memory region, one row per frame of the slide animation (- = no counter shown):

Frame   Region 1   Region 2   Region 3   Region 4
1       -          -          -          -
2       1          -          -          -
3       1          1          -          -
4       1          1          1          -
5       1          1          1          1
6       2          1          1          1
7       2          2          1          1
8       2          2          2          1
9       2          2          2          2
10      3          2          2          2
11      3          3          2          2
12      3          3          3          2
13      3          3          3          3
14      3          3          3          3
Estimating Atomicity and Integrity via Deltas
Figure: Atomicity and integrity in a maximum load scenario (labels: t, Atomicity ∆, Integrity ∆, r1, r2, r3, r4).
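
The counter-per-region idea and the two deltas above, worked as an added example (not the authors' code): a constructed image of tagged regions is scanned for counters and both deltas are computed. The marker, record layout and function names are hypothetical, and the delta definitions used (spread of the observed counters; mean distance from the counter at time t) are assumptions, since the slides do not spell them out.

```python
import struct

MAGIC = b"RAMATOM!"                # constructed marker, not the project's format
RECORD = struct.Struct("<8sIQ")    # marker, region index, counter (constructed layout)
REGION_SIZE = 64                   # constructed size for the sample image


def make_region(index, counter):
    """One payload region: tagged header padded to REGION_SIZE."""
    return RECORD.pack(MAGIC, index, counter).ljust(REGION_SIZE, b"\x00")


def simulate_image(n_regions, start_counter, ticks_per_read):
    """Constructed image: each region is copied ticks_per_read counter
    increments after the previous one, as when imaging a running system."""
    return b"".join(make_region(i + 1, start_counter + i * ticks_per_read)
                    for i in range(n_regions))


def read_counters(image):
    """Scan a raw image for tagged regions and return {index: counter}."""
    counters = {}
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + RECORD.size <= len(image):      # skip a truncated record
            _, index, counter = RECORD.unpack_from(image, pos)
            counters[index] = counter
        pos = image.find(MAGIC, pos + 1)
    return counters


def deltas(counters, t_counter):
    """Return (atomicity delta, integrity delta) in counter increments.

    Assumed definitions: atomicity delta is the spread of the counters found
    in the image; integrity delta is their mean distance from t_counter, the
    counter value when acquisition was requested.
    """
    if not counters:
        raise ValueError("no payload regions found in image")
    values = list(counters.values())
    atomicity = max(values) - min(values)
    integrity = sum(abs(v - t_counter) for v in values) / len(values)
    return atomicity, integrity


if __name__ == "__main__":
    instant = simulate_image(4, start_counter=3, ticks_per_read=0)  # all regions at once
    live = simulate_image(4, start_counter=3, ticks_per_read=5)     # region by region
    print(deltas(read_counters(instant), t_counter=1))
    print(deltas(read_counters(live), t_counter=1))
```

An image taken in one instant can still have a non-zero integrity delta when it is taken later than t, which is the pattern of the low-atomicity-delta rows in the results table.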
Atomicity and Integrity Upper Bounds
Tool                    (Worst Case) Atomicity Delta   (Worst Case) Integrity Delta
msramdump               1                              43.84
memimager               1                              63.28
VirtualBox              1                              26.64
QEMU                    1                              35.24
ProcDump (-r)                                          39.75
ProcDump                1                              36.50
Windows Task Manager    1                              728.54
pmdump                  37                             136.62
WinPMEM                 13230                          5682.24
FTK Imager              13151                          5917.24
win64dd                 15039                          8077.54
win64dd (/m 1)          15039                          8172.28
DumpIt                  15711                          8500.09
inception               43898                          22056.77
Figure: Acquisition plot of pmdump
Figure: Memory acquisition technique comparison (acquisition plot)
Figure: Memory acquisition technique comparison (acquisition density plot)
Figure: Each acquisition position inside an atomicity/integrity-Matrix (axes: Atomicity Delta, Integrity Delta; plotted: Cold-Boot Attacks, VirtualBox, ProcDump, pmdump, WinPMEM, FTK Imager, win64dd, DumpIt, inception).
Take-Home and Future Research
Source Code available at https://www1.cs.fau.de/projects/rammangler
Slides and Paper available at https://http://www.dfrws.org/2016eu/program.shtml
Warning about "Source Code": It’s what they call "research" code:
for(i=0; /*FIXME ... we assume success */; i++)
Questions?