
Memory forensics using VMI for cloud computing

The relocation of systems and services into cloud environments is on the rise. Because of this trend, users lose direct control over their machines and depend on the services offered by cloud providers. Especially in the field of digital forensics, these services are very rudimentary: the possibilities for users to analyze their virtual machines with forensic methods are very limited. In the research underlying this talk, a practical approach has been developed that gives the user additional capabilities for forensic investigations. The solution focuses on a memory forensic service offering. To reach this goal, a management solution for cloud environments has been extended with memory forensic services. Self-developed memory forensic services, which are installed on each cloud node and are managed through the cloud management component, are the basis for this solution. Forensic data is obtained via virtual machine introspection techniques. Compared to other approaches, it is possible to get trustworthy data without influencing the running system. Additionally, a general overview of the underlying technologies is provided and the pros and cons are discussed. The solution approach is discussed in a generic way and practically implemented in a prototype. In this prototype, OpenNebula is used for managing the cloud infrastructure in combination with Xen as the virtualization component, LibVMI as the virtual machine introspection library and Volatility as the forensic tool.
(Source: Black Hat USA 2016, Las Vegas)


  1. Memory Forensics using Virtual Machine Introspection for Cloud Computing. Tobias Zillner, BSc MSc MSc
  2. About Me: Tobias Zillner, BSc MSc MSc • Vienna, Austria • Founder of Zillner IT-Security • Independent Security Consultant & Researcher • Consulting, Audit, Advisory, Training • Security Research: Internet of Things, Smart Homes, Wireless Security • SDR Enthusiast • www.zillner.tech
  3. What is it about? And why do we need it?
  4. Outline: Introduction & Background • Virtual Machine Introspection (VMI) • Use cases • Prototype • Summary
  5. Motivation: Relocation of systems and services into cloud environments is on the rise • Users lose direct access to and control over their systems • Forensic methods are limited in the cloud • Goal: enable users to perform their own forensic investigations • Forensics as a Service
  6. Memory forensics & virtual machine introspection
  7. Forensic process (NIST model): Media → Collection → Data → Examination → Information → Analysis → Evidence → Reporting
  8. Hardware virtualization: One or multiple guest OSes on virtualized hardware • Managed by a Virtual Machine Monitor (VMM), the hypervisor • Provides interfaces and controls interactions with the hardware (CPU, memory, network, storage, …) • Hypervisor running on top of its own OS: host OS
  9. Native vs. hosted virtualization (diagram): Native virtualization stacks Hardware → Hypervisor → Guest OS → Applications. Hosted virtualization stacks Hardware → Host OS → Hypervisor → Guest OS → Applications, with further applications running directly on the host OS.
  10. Virtual machine introspection: “Virtual Introspection (VI) is the process by which the state of a virtual machine (VM) is observed from either the Virtual Machine Monitor (VMM), or from some virtual machine other than the one being examined.” [1] (1: Brian Hay and Kara Nance. Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev., 42(3):74–82, April 2008)
  11. Semantic gap: Difference between the presentation of data from volatile memory by the OS and the raw data format • Requires VMI to perform the same translation of the raw memory data as the OS does • At least some knowledge about the guest OS is necessary
  12. How does it work? (diagram from http://libvmi.com/docs/gcode-intro.html)
  13. Advantages: No altering of the target system • Very hard to detect the monitoring • Live analysis of memory content • Smaller data size for analysis (storage is much larger than memory) • Detection of advanced memory-only malware • More reliable data: no data corruption through malware
  14. Countermeasures. Detection: • Timing analysis: unusual patterns in the frequency at which the VM is scheduled for execution • Page fault analysis: the target VM may be able to detect unusual patterns in the distribution of page faults. Direct Kernel Structure Manipulation (DKSM): • VMI assumes that the OS implements certain kernel and data structures • DKSM modifies these structures and prevents monitoring • Syntax based: targeted deletion/addition/manipulation of data structures • Semantic: the semantics of the data structures are changed • Combined: mix of syntax and semantics manipulation
  15. Fields of application (examples): Rootkit detection (manipulation of memory access, interception of system calls) • Cryptographic key extraction (on-the-fly encrypted containers) • Network forensics • IDS / IPS
  16. Prototype
  17. Solution approach: Combining existing tools for a novel approach • Open Source • Minimal overhead • Transparent for the user
  18. Architecture: Cloud solution: OpenNebula (Cloud Management Server) • Cloud Node: host OS Ubuntu, hypervisor Xen, guest VMs • Memory forensic services • VMI library: LibVMI • Forensic tool: Volatility
  19. (Diagram) Cloud Management Server running the Cloud Control Services; Cloud Node with Hypervisor, Dom 0 and the Dom U guests VM1 and VM2
  20. (Diagram) Same as before, with a Memory Forensic Service added on the Cloud Management Server and on the Cloud Node (Dom 0), where it uses the VMI library and the forensic tool
  21. OpenNebula extensions (www.opennebula.org)
  22. Memory forensic services: Self-developed management and control services • Client-server model • Platform independent • PKI for secure communication • Command whitelisting
  23. Forensic process (overview): Media → Collection → Data → Examination → Information → Analysis → Evidence → Reporting
  24. Forensic process, Collection: On the OS of the cloud node • Data provided by LibVMI • Collected by Volatility
  25. Forensic process, Examination: On the OS of the cloud node • Collected data checked by Volatility • Data extraction for forensic purposes
  26. Forensic process, Analysis: Partially on the OS of the cloud node (collected data checked by Volatility) • Partially on the user system (analysis with additional tools by the user)
  27. Forensic process, Reporting: Completely on the user system
  28. Advantages: User gets easy access to the data • No changes on the target VM necessary • Memory analysis does not run on the possibly compromised system • No stopping/pausing of the analyzed machine required • Operation of the VM is not influenced • Analysis can be done either locally or over the network (reduction of local load / network load) • Usage of the existing authentication and authorization system
  29. Disadvantages: Configuration necessary • Knowledge about the guest OS required • Installation overhead for the cloud provider • Additional attack surface • Security is crucial for the added services • User segregation is very important
  30. LibVMI config example (screenshot, not part of the transcript)
  31. Volatility / LibVMI usage (screenshot, not part of the transcript)
  32. Use case: Kernel-level rootkit detection • Modification of the data structures that represent the processes currently running on the system • System call interception • Interrupt hooking • Modification of the kernel memory image • Interception of calls handled by the VFS • Virtual memory subversion
  33. Use case: End-user VM in an IaaS cloud
  34. Demo
  35. Summary
  36. Summary: Investigations in cloud environments are becoming more and more common • Hypervisor forensics / VMI is a very interesting solution approach • Fully Open Source based working prototype • Enables fast responses to security incidents • Lots of room for enhancements • Different use cases for VMI in clouds are possible
  37. Black Hat sound bytes: Hypervisor forensics / VMI are very powerful and interesting technologies • FaaS gives power to the end user • Memory analysis is a huge benefit for forensic investigations
  38. Q & A: Please fill out the Black Hat Feedback Form
  39. Contact: Tobias Zillner, tobias@zillner.tech, www.zillner.tech, +43 664 8829 8290
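Slides 11 (semantic gap), 14 (DKSM) and 32 (rootkit detection) describe the translation step that an introspection tool has to perform on raw guest memory, and what goes wrong when the assumed structure layout does not match the guest. The following added example, which is not code from the talk, LibVMI or Volatility, makes that concrete on a constructed memory image: a circular doubly-linked task list is laid out in a byte buffer, a pslist-style walk follows it using a profile of field offsets (the equivalent of the offsets a LibVMI config supplies for the guest kernel), a psscan-style carve finds task structures without trusting any pointers, and the two views are compared. All offsets, addresses and process names are constructed for the example; the integrity check on every hop is what turns a wrong profile or a manipulated structure into a reported anomaly rather than a plausible-looking but wrong process list.

```python
"""Semantic-gap walkthrough over a constructed guest memory image.

Added example for slides 11, 14 and 32; not code from the talk, LibVMI or
Volatility. The image, the task_struct layout and the processes are constructed
here so the script runs offline.
"""
import struct

# Constructed "profile": field offsets inside the guest's task_struct. A real
# LibVMI config supplies the equivalent offsets (linux_tasks, linux_pid,
# linux_name) for the exact guest kernel build; these numbers are hypothetical.
PROFILE = {"tasks": 0x08, "pid": 0x18, "comm": 0x20, "comm_len": 16, "size": 0x40}
# The same image read with the list_head offset of a different kernel build:
# this is the semantic gap when the guest OS knowledge is wrong.
WRONG_PROFILE = dict(PROFILE, tasks=0x10)

BASE = 0x10000  # constructed address of the first task_struct (init_task)


def build_image(procs, profile, hidden=(), base=BASE):
    """Lay out task structs back to back and chain them into a circular list the
    way the kernel does (list_head embedded at profile["tasks"], pointers aim at
    the neighbour's list_head). Structs whose index is in `hidden` stay in
    memory but are left out of the chain, mimicking an unlinked process."""
    size = profile["size"]
    mem = bytearray(base + len(procs) * size)
    for i, (pid, name) in enumerate(procs):
        addr = base + i * size
        struct.pack_into("<I", mem, addr + profile["pid"], pid)
        comm = name.encode()[: profile["comm_len"] - 1]
        mem[addr + profile["comm"]: addr + profile["comm"] + len(comm)] = comm
    linked = [i for i in range(len(procs)) if i not in hidden]
    for k, i in enumerate(linked):
        nxt = base + linked[(k + 1) % len(linked)] * size + profile["tasks"]
        prv = base + linked[(k - 1) % len(linked)] * size + profile["tasks"]
        struct.pack_into("<QQ", mem, base + i * size + profile["tasks"], nxt, prv)
    return mem


def _comm(mem, addr, profile):
    raw = bytes(mem[addr + profile["comm"]: addr + profile["comm"] + profile["comm_len"]])
    return raw.split(b"\0", 1)[0]


def walk_tasks(mem, profile, init_task=BASE, limit=4096):
    """pslist-style view: follow tasks.next from init_task. Every hop checks that
    next->prev points back to us, so a mismatched profile or a manipulated
    structure is reported instead of silently yielding a plausible list."""
    t, size = profile["tasks"], profile["size"]
    entries, anomalies, seen = [], [], set()
    node = init_task
    while node not in seen and len(entries) < limit:
        seen.add(node)
        if node < 0 or node + size > len(mem):
            anomalies.append(f"pointer leaves the image: {node:#x}")
            break
        pid = struct.unpack_from("<I", mem, node + profile["pid"])[0]
        entries.append((pid, _comm(mem, node, profile).decode("ascii", "replace")))
        nxt = struct.unpack_from("<Q", mem, node + t)[0]
        back = struct.unpack_from("<Q", mem, nxt + 8)[0] if nxt + 16 <= len(mem) else None
        if back != node + t:
            anomalies.append(f"list broken at {node:#x}: next->prev does not point back")
            break
        node = nxt - t
    return entries, anomalies


def scan_tasks(mem, profile, base=BASE):
    """psscan-style view: carve the region at struct stride and keep slots that
    look like a task (printable comm, pid below PID_MAX_LIMIT), ignoring pointers."""
    found = []
    for addr in range(base, len(mem) - profile["size"] + 1, profile["size"]):
        pid = struct.unpack_from("<I", mem, addr + profile["pid"])[0]
        comm = _comm(mem, addr, profile)
        if comm and all(0x20 <= c < 0x7F for c in comm) and pid < 4194304:
            found.append((pid, comm.decode("ascii")))
    return found


def hidden_processes(mem, profile):
    """Cross-view comparison: anything carved from memory but missing from the
    linked-list walk is a candidate for a hidden (unlinked) process."""
    listed, anomalies = walk_tasks(mem, profile)
    return sorted(set(scan_tasks(mem, profile)) - set(listed)), anomalies


# Constructed sample guest: index 3 exists in memory but is not linked.
PROCS = [(0, "swapper/0"), (1, "systemd"), (842, "sshd"), (1337, "hidden_svc"), (2203, "bash")]
IMAGE = build_image(PROCS, PROFILE, hidden={3})

if __name__ == "__main__":
    print("pslist view   :", walk_tasks(IMAGE, PROFILE))
    print("cross-view    :", hidden_processes(IMAGE, PROFILE)[0])
    print("wrong profile :", walk_tasks(IMAGE, WRONG_PROFILE))
```

The interesting cases are the last two prints: the cross-view difference surfaces the unlinked task that the list walk cannot see, and reading the image with the wrong list_head offset stops at the first hop with an anomaly instead of returning garbage, which is the failure mode a VMI service should report to the user when the guest profile does not fit the running kernel.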

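Slide 22 lists command whitelisting as a design element of the self-developed memory forensic services, and slide 29 stresses that user segregation is critical because the services add attack surface on the cloud node. The added example below is not the talk's code; it shows the shape such a whitelist can take in the server-side component: requests are matched against a closed table of actions that map to Volatility plugins, each optional argument is validated against the only value shape it may take, the requesting user must own the target VM, and the result is an argv list to be executed without a shell. The request format, the `one-<id>` domain naming, the `vmi://` location URI, the Volatility profile name and the set of permitted plugins are assumptions chosen for illustration.

```python
"""Command whitelisting and user segregation for a memory forensic service.

Added example for slides 22 and 29; not code from the talk. Request format,
domain naming rule, profile name and the permitted plugin set are assumptions.
"""
import re

# Closed table of actions a client may request and the Volatility 2 Linux plugin
# the service runs for each. A raw plugin name can never be passed through.
ALLOWED_COMMANDS = {
    "pslist": "linux_pslist",
    "psscan": "linux_psscan",
    "lsmod": "linux_lsmod",
    "netstat": "linux_netstat",
    "check_syscall": "linux_check_syscall",
}
# Optional arguments per action, each with the only value shape it may take.
# Everything else (output paths, dump directories, ...) is refused.
ALLOWED_ARGS = {cmd: {} for cmd in ALLOWED_COMMANDS}
ALLOWED_ARGS["pslist"]["pid"] = re.compile(r"^[0-9]{1,7}$")

# Assumption: OpenNebula names Xen domains one-<vmid>; anything else is malformed.
DOMAIN_RE = re.compile(r"^one-[0-9]{1,6}$")
# Placeholder for the guest's Volatility profile; comes from the node's configuration.
VOL_PROFILE = "LinuxGuestProfile_PLACEHOLDER"


class RequestError(ValueError):
    """Raised for any request that is not explicitly permitted."""


def authorize(request, owned_vms):
    """Validate a parsed request {'user', 'vm', 'command', 'args'} against the
    whitelist and the ownership table. Returns the argv the service would hand
    to subprocess (as a list, never a shell string); raises RequestError otherwise."""
    user = request.get("user")
    vm = str(request.get("vm", ""))
    command = request.get("command", "")
    args = request.get("args", {})
    if not DOMAIN_RE.fullmatch(vm):
        raise RequestError(f"malformed domain name {vm!r}")
    # User segregation: a tenant may only introspect VMs that belong to them.
    if not user or vm not in owned_vms.get(user, set()):
        raise RequestError(f"user {user!r} may not inspect {vm!r}")
    plugin = ALLOWED_COMMANDS.get(command)
    if plugin is None:
        raise RequestError(f"command {command!r} not whitelisted")
    if not isinstance(args, dict):
        raise RequestError("args must be a mapping")
    # Assumption: the node's Volatility is pointed at the live guest through the
    # LibVMI address space via a vmi://<domain> location.
    argv = ["vol.py", "-l", f"vmi://{vm}", "--profile", VOL_PROFILE, plugin]
    for key, value in args.items():
        pattern = ALLOWED_ARGS[command].get(key)
        if pattern is None or not pattern.fullmatch(str(value)):
            raise RequestError(f"argument {key}={value!r} not allowed for {command}")
        argv += [f"--{key}", str(value)]
    return argv


def rejects(request, owned_vms):
    """True if the request is refused; handy for tests and audit logging."""
    try:
        authorize(request, owned_vms)
    except RequestError:
        return True
    return False


# Constructed ownership table: would come from the cloud management component's
# existing authentication and authorization data (slide 28).
OWNED_VMS = {"alice": {"one-42", "one-43"}, "bob": {"one-7"}}

if __name__ == "__main__":
    ok = {"user": "alice", "vm": "one-42", "command": "pslist", "args": {"pid": "842"}}
    print(authorize(ok, OWNED_VMS))
    for bad in (
        {"user": "alice", "vm": "one-42; id", "command": "pslist"},      # malformed name
        {"user": "bob", "vm": "one-42", "command": "pslist"},            # not bob's VM
        {"user": "alice", "vm": "one-42", "command": "linux_bash"},      # not whitelisted
        {"user": "alice", "vm": "one-42", "command": "pslist",
         "args": {"output-file": "/tmp/x"}},                              # argument not allowed
    ):
        print("rejected:", rejects(bad, OWNED_VMS), bad)
```

Validating the domain name before looking up ownership keeps the two checks independent, so a malformed name is refused even for a tenant with a generous ownership table, and building argv as a list means the validated strings are passed to the forensic tool as discrete arguments rather than interpolated into a command line.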