CS 695 Host Forensics: Auditing Using VMs GEORGIOS PORTOKALIDIS.
CS-695 HOST FORENSICS 2
Recap: Volatile Data
Data "spoils" easily
◦ In-memory data are ephemeral by nature
Data trustworthiness
◦ Compromised systems cannot be trusted
Destructive analysis
◦ The Heisenberg Uncertainty Principle of data gathering and system analysis
◦ As you capture data in one part of the computer you are changing data in another
Revisiting an Old Incident
Timeline (from the slide figure):
◦ Initial attack
◦ Further exploitation
◦ Install sshd (7/19/2001)
◦ Discovery (8/20/2001)
◦ Started investigation (8/23/2001)
Revisiting an Old Incident
We need to go back in time and observe the attacker's actions as they happen
◦ Discovery: 8/20/2001; started investigation: 8/23/2001
◦ A sophisticated adversary can erase his tracks
Another group of frustrated users would also love to go back in time.
Guess who?
A Few Words About OS Debugging
Cyclic debugging
◦ Observe error, revisit previous state, re-run
◦ Iterate
Similarities
DEBUGGING
◦ Can re-run the application
  ◦ But execution is non-deterministic
◦ Bug may have been triggered a long time ago
◦ A corrupted OS can interfere with the debugger
FORENSICS
◦ Can re-construct deleted files
  ◦ Cannot recover/reconstruct volatile data
◦ Initial incident could have occurred a long time ago
◦ A compromised OS can report false data
Can you come up with more similarities or differences?
Virtual Machines to the Rescue
System is observed from "below"
◦ Data may be untrustworthy, but collection does not depend on possibly malicious components (e.g., planted binaries, subverted kernel, etc.)
◦ The analysis runs outside the guest, so it does not tamper with the guest's data
Not a panacea!
◦ Adding more layers does not make a system more secure
◦ It's turtles all the way down: the hypervisor and the host are themselves software that can be compromised
VM Overview
Three configurations (from the slide diagram, which distinguishes the targets of the analysis from the inspection code):
◦ No VM: Hardware → Host Operating System → Applications
◦ VM as an application: Hardware → Host Operating System → Guest VM
◦ VM in the OS: Hardware → VM & Host Operating System → Guests
Time Traveling on Smartphones and Tablets?
Why? They are used to "do things we used to do with computers"
◦ Games
◦ Multimedia
◦ Web & Email
◦ IM
… and More
◦ Micropayments (parking, transit)
◦ Calls & SMS
◦ Critical information: PINs, credit card numbers, passwords
◦ Sensors
Threats
Software vulnerabilities
◦ iPhone PDF exploit used to jailbreak the device
◦ Android privilege escalation bugs
Malicious applications being downloaded
◦ Too many to list …
Physical
◦ Can be damaged, stolen, manipulated, etc.
Goals
Enable multiple analyses with fixed overhead
◦ Including support for heavyweight mechanisms like dynamic taint analysis (DTA)
◦ Including forensics and auditing
Enable backup and recovery of device data
Prevent attackers from disabling the checks
Low overhead
◦ No VM on the device
◦ Minimize volume of generated data
Overview
Faithfully replicate smartphone execution in remote servers
Apply analyses on the replicas
Design Overview
(Slide diagram.) The device, which records, and the server, which replays, are connected over the Internet/UMTS; the device's regular traffic continues to its destination while a mirrored copy of that traffic goes to the server.
Synchronization Issues
Transmitting data requires power
◦ Opportunistic data transmission to server
Connectivity can be lost
◦ Data need to be temporarily stored in a secure fashion on the device
Recording on the Device
◦ Record non-deterministic events (syscalls, signals, etc)
◦ Encode & compress
◦ Store securely
◦ Transmit to server
Replaying on the Server
(Slide diagram.) The replica runs inside a smartphone emulator; the recorded events and the proxy data are fed to the replica's OS to replay the execution, and monitoring, analysis and intrusion detection run on top of the replayed execution.
Security Server
We can apply any detection technique that does not interfere with the replicated execution
◦ System call profiling, file scanning, DTA, etc.
◦ Equivalent to applying the check on the device itself, because the replica repeats the device's execution
◦ Checks can be added transparently, without changing what runs on the device
◦ A server can host multiple replicas
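The record/replay loop of the preceding slides (record non-deterministic events on the device, replay them on the server, attach analyses to the replica), as an added example that is not code from the lecture or from the system it describes. The real recorder intercepts system calls with ptrace(); here a toy application's sources of non-determinism (clock, randomness, received packets) are wrapped by Recorder and Replayer objects instead, and the PacketScanner hook, the packet contents and the "/bin/sh" signature are constructed for illustration.

```python
import hashlib
import random
import time


class Recorder:
    """Device side: serves the app real non-deterministic values and logs each
    one as (kind, value) so the run can be reproduced later."""

    def __init__(self, packets):
        self.packets = list(packets)   # constructed stand-in for network input
        self.log = []

    def _log(self, kind, value):
        self.log.append((kind, value))
        return value

    def clock(self):
        return self._log("clock", time.time())

    def rand(self, n):
        return self._log("rand", random.randrange(n))

    def recv(self):
        return self._log("recv", self.packets.pop(0))


class Replayer:
    """Server side: answers every non-deterministic call from the log, in order,
    and lets analysis hooks observe each event without modifying it."""

    def __init__(self, log, hooks=()):
        self.log = list(log)
        self.pos = 0
        self.hooks = list(hooks)

    def _next(self, kind):
        if self.pos >= len(self.log):
            raise RuntimeError("replay diverged: log exhausted")
        recorded_kind, value = self.log[self.pos]
        self.pos += 1
        if recorded_kind != kind:
            raise RuntimeError(f"replay diverged at event {self.pos}: "
                               f"app asked for {kind}, log has {recorded_kind}")
        for hook in self.hooks:
            hook(kind, value)       # observe only; the value returned is unchanged
        return value

    def clock(self):
        return self._next("clock")

    def rand(self, n):
        return self._next("rand")

    def recv(self):
        return self._next("recv")


def app(env):
    """Toy application: folds timestamps, random nonces and received packets
    into a digest, so any deviation during replay changes the result."""
    h = hashlib.sha256()
    while True:
        data = env.recv()
        if data == b"QUIT":
            return h.hexdigest()
        nonce = env.rand(1 << 16)
        stamp = env.clock()
        h.update(f"{stamp:.6f}".encode() + nonce.to_bytes(2, "big") + data)


class PacketScanner:
    """A check that exists only on the replica: a hypothetical signature scan of
    received data (stand-in for the file scanning / DTA of the lecture)."""

    def __init__(self, signature):
        self.signature = signature
        self.alerts = []

    def __call__(self, kind, value):
        if kind == "recv" and self.signature in value:
            self.alerts.append(value)


# Constructed input: three packets, the last one carrying a suspicious payload.
PACKETS = [b"GET /index.html", b"POST /login u=bob", b"\x90\x90\x90\x90/bin/sh", b"QUIT"]


def record_run(packets=PACKETS):
    """Run the app on the 'device'; returns its result and the event log."""
    rec = Recorder(packets)
    return app(rec), rec.log


def replay_run(log, signature=b"/bin/sh"):
    """Re-execute the app on the 'server' from the log with the scanner attached;
    returns the replica's result and the scanner's alerts."""
    scanner = PacketScanner(signature)
    return app(Replayer(log, hooks=[scanner])), scanner.alerts


if __name__ == "__main__":
    digest, log = record_run()
    replayed, alerts = replay_run(log)
    print("faithful replay:", digest == replayed)
    print("alerts raised on the replica:", alerts)
```

Two properties carry over from the toy to the real design: the hook never changes the values handed back to the replica, which is what "does not interfere with the replicated execution" requires, and a log that does not match the replica's sequence of requests is reported as divergence rather than silently tolerated, which is how a mismatch between device and server software (or a tampered log) surfaces.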
Device Implementation
◦ Record non-deterministic events (syscalls, signals, etc): using ptrace()
◦ Encode & compress: Huffman-style, LZ
◦ Store securely: HMAC + rolling key
◦ Transmit to server: OpenSSL
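The "store securely: HMAC + rolling key" step from the Recording on the Device and Device Implementation slides, as an added example (not the lecture's or the system's own code). It assumes a key K0 shared between device and server at enrolment, an HMAC-SHA256 tag per record, and a one-way key update after every record; the record format, the event strings and the placeholder K0 are made up for illustration.

```python
import hashlib
import hmac
import json


def evolve(key):
    """One-way key update: K_{i+1} = HMAC(K_i, "evolve"). Once the device has
    moved to K_{i+1} and discarded K_i, nothing on the device can recover K_i."""
    return hmac.new(key, b"evolve", hashlib.sha256).digest()


def make_record(key, seq, event):
    """Serialise one log entry and authenticate it with the epoch key for seq."""
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class DeviceLog:
    """Device side: append-only record store. Each append uses the current key
    and then rolls it, so the key that signed record i no longer exists on the
    device once record i+1 is written."""

    def __init__(self, initial_key):
        self.key = initial_key       # K_0, shared with the server at enrolment
        self.seq = 0
        self.records = []

    def append(self, event):
        self.records.append(make_record(self.key, self.seq, event))
        self.key = evolve(self.key)  # roll forward; the old key is overwritten
        self.seq += 1


def verify(initial_key, records):
    """Server side: regenerate the key chain from K_0 and check every record in
    order. Returns (True, n) for an intact log of n records, or (False, i) with
    the index of the first record that fails."""
    key = initial_key
    for i, (body, tag) in enumerate(records):
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        if json.loads(body)["seq"] != i:
            return False, i
        key = evolve(key)
    return True, len(records)


# Constructed sample session: three recorded events, after which the attacker
# obtains the device's current key and tries to rewrite history.
K0 = bytes(32)  # placeholder enrolment key; a real one is random and secret
EVENTS = ["open /data/contacts.db", "connect 10.0.0.5:443", "execve /system/bin/sh"]


def demo():
    log = DeviceLog(K0)
    for e in EVENTS:
        log.append(e)
    intact = verify(K0, log.records)

    # 1. Edit the second record in place: its tag no longer matches.
    body, tag = log.records[1]
    edited = verify(K0, [log.records[0], (body.replace(b"443", b"80"), tag), log.records[2]])

    # 2. Drop the second record: record 2 is checked with K_1 and fails.
    dropped = verify(K0, [log.records[0], log.records[2]])

    # 3. Rewrite record 0 with the stolen *current* key K_3: K_0 is gone, so the
    #    forged tag is wrong for position 0.
    forged = verify(K0, [make_record(log.key, 0, "nothing happened")] + log.records[1:])

    # 4. Limitation: silently discarding the newest records still verifies.
    truncated = verify(K0, log.records[:2])
    return {"intact": intact, "edited": edited, "dropped": dropped,
            "forged": forged, "truncated": truncated}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

A later compromise of the device yields only the current key, so records written before the compromise can neither be rewritten nor removed from the middle of the chain without failing verification; what the chain alone cannot detect is truncation of the newest records, so the server should also track the highest sequence number it has acknowledged, and the device should transmit often enough (the opportunistic transmission of the Synchronization Issues slide) that the unacknowledged window stays small.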
Implementation Issues
Scheduling and shared memory
◦ We use deterministic scheduling
◦ Alternatives: kernel-space deterministic scheduling; concurrent-read-exclusive-write (CREW) protocol
ioctls
◦ Used existing descriptions from the QEMU user-space emulator
◦ Manually added Android-related ones
Security Server Implementation
Replica hosted on the Android QEMU emulator (slide diagram, bottom to top: QEMU emulator → Android OS → Applications)
Data Generation Rate for Various Tasks
(Chart; the visible labels are 64 B/s and 121 B/s.)
Performance
Idle operation and performing calls
◦ CPU load and battery life are not affected
During intensive usage like browsing
◦ CPU load average increased by ≈15%
◦ Battery consumption increased by ≈30%
Performance and Energy Consumption
Scalability