An Experience Report on Extracting and Viewing Memory Events Via Wireshark
Sarah Laing, Michael E. Locasto, John Aycock University of Calgary
USENIX WOOT 2014
-
Challenge: Memory Event Analysis
Cage: a kernel-level mechanism for monitoring process memory events and exporting them via a network interface
Neat twist: display in Wireshark
Example Uses: find private key in SSH, overwrite data, overwrite instructions, find all buffers in a program, …
8/20/14 2 University of Calgary
-
Challenge: Memory Event Analysis
Cage: a kernel-level mechanism for monitoring (+ modifying) process memory events and exporting them via a network interface
Neat twist: display in Wireshark
Example Uses: find private key in SSH, overwrite data, overwrite instructions, find all buffers in a program, …
-
Underlying Insight / Why Wireshark?
BPF: pre-filtering
Wireshark: post-filtering
Treat a stream of memory events like a packet trace, and then benefit from the types of filtering languages that exist for such streams.
-
Building a memory trapping system seems conceptually easy, but it is non-trivial and difficult to do seamlessly; see Figures 5 and 6 in the paper for validation across multiple architectures, OS distros, and VMs
This only raises our level of respect for prior work on memory interception techniques
-
Cage Implementation
Modifications to the Linux 3.9.4 kernel
23 files changed, 1002 insertions(+), 23 deletions(-)
create mode 100644 linux-3.9.4/arch/x86/mm/cage.c
create mode 100644 linux-3.9.4/chmem/Makefile
create mode 100644 linux-3.9.4/chmem/chmem.c
create mode 100644 linux-3.9.4/include/linux/cage.h
-
Figure (slide 10): Cage trap-and-emit flow. Columns: CPU/MMU, Page/PTE Bits, Page/Debug Fault Handler, BPF, Net Device.
Page Fault Handler: page fault -> fetch PTE bits -> PTE entry -> filter -> result -> emit packet to user space -> fix PTE (UnCage) -> restart instruction
Debug Fault Handler: single-step trap -> set PTE (ReCage) -> continue execution
-
BPF Filters (In-kernel, pre-event)
Temporal Filter: Watch for a specific address range. Emit a packet every n-th event. Rate limiting.
Data Overwriting Filter: Watch for a specific address and replace the data at that address with a user-specified value.
Instruction Overwriting Filter: Watch for a specific RIP/EIP and replace the instruction at that address with a user-specified instruction.
Buffer Viewing Filter: Watch for the creation of a specific buffer and emit all packets that touch that buffer. (SSH example)
Buffer Finding Filter: Find all buffers in a program by watching for sequential accesses to memory locations.
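The filter list above, together with the "treat a stream of memory events like a packet trace" idea from the Underlying Insight slide, can be modelled in user-space Python. This is an added example, not code from the Cage project or the paper: the 24-byte record layout, the MemEvent fields, the BUF address and the sample trace are all constructed here, and the real Cage filters run in-kernel as BPF programs over trap-handler state rather than over a Python list. The model covers the passive filters (temporal, buffer viewing, buffer finding) and the encode/decode step that a Wireshark dissector would perform on the emitted packets.

```python
"""Toy model of Cage-style pre-filters over a memory event stream.

Added example, not Cage project code. Each MemEvent stands in for what the
page/debug fault handler sees on one trapped access. Record layout and the
sample trace are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

KIND_CODES = {"read": 0, "write": 1, "fetch": 2}
KIND_NAMES = {v: k for k, v in KIND_CODES.items()}

# Constructed layout: pc (8) | addr (8) | seq (4) | kind (1) | pad (3) = 24 bytes.
RECORD_FMT = "<QQIB3x"
RECORD_LEN = struct.calcsize(RECORD_FMT)

BUF = 0x7FFD_1000  # constructed: start of the buffer the sample loop walks


@dataclass(frozen=True)
class MemEvent:
    seq: int    # position in the trace
    pc: int     # RIP/EIP of the faulting instruction
    addr: int   # virtual address that was accessed
    kind: str   # "read", "write" or "fetch"


def encode_event(ev: MemEvent) -> bytes:
    """Kernel side: pack one event into the fixed record handed to the net device."""
    return struct.pack(RECORD_FMT, ev.pc, ev.addr, ev.seq, KIND_CODES[ev.kind])


def decode_event(raw: bytes) -> MemEvent:
    """User-space / dissector side: inverse of encode_event."""
    pc, addr, seq, kind = struct.unpack(RECORD_FMT, raw)
    return MemEvent(seq, pc, addr, KIND_NAMES[kind])


def temporal_filter(events: Iterable[MemEvent], lo: int, hi: int,
                    every_n: int) -> Iterator[MemEvent]:
    """Temporal filter: addresses in [lo, hi) only, and only every n-th such
    event, so a hot loop cannot flood the channel (rate limiting)."""
    hits = 0
    for ev in events:
        if lo <= ev.addr < hi:
            hits += 1
            if hits % every_n == 0:
                yield ev


def buffer_viewing_filter(events: Iterable[MemEvent], start: int,
                          length: int) -> List[MemEvent]:
    """Buffer viewing filter: every event that touches a known buffer."""
    return [ev for ev in events if start <= ev.addr < start + length]


def buffer_finding_filter(events: Iterable[MemEvent], stride: int,
                          min_run: int) -> List[Tuple[int, int]]:
    """Buffer finding filter: report [start, end) ranges walked by at least
    min_run consecutive accesses advancing by `stride` bytes. Simplification:
    only runs adjacent in the trace count; interleaved accesses break a run."""
    found: List[Tuple[int, int]] = []
    run_start, prev, count = None, None, 0
    for ev in events:
        if prev is not None and ev.addr == prev.addr + stride:
            count += 1
        else:
            if prev is not None and count >= min_run:
                found.append((run_start, prev.addr + stride))
            run_start, count = ev.addr, 1
        prev = ev
    if prev is not None and count >= min_run:
        found.append((run_start, prev.addr + stride))
    return found


def sample_trace() -> List[MemEvent]:
    """Constructed trace: two stack writes, a byte-wise loop reading the
    16-byte buffer at BUF, then two unrelated accesses to .data."""
    evs = [MemEvent(0, 0x401000, 0x7FFD_0FF8, "write"),
           MemEvent(1, 0x401004, 0x7FFD_0FF0, "write")]
    for i in range(16):
        evs.append(MemEvent(len(evs), 0x401010, BUF + i, "read"))
    evs.append(MemEvent(len(evs), 0x401020, 0x601040, "read"))
    evs.append(MemEvent(len(evs), 0x401024, 0x601048, "write"))
    return evs


if __name__ == "__main__":
    trace = sample_trace()
    wire = b"".join(encode_event(ev) for ev in trace)      # what leaves the kernel
    back = [decode_event(wire[i:i + RECORD_LEN])
            for i in range(0, len(wire), RECORD_LEN)]      # what user space sees
    print("every 4th buffer access:",
          [ev.seq for ev in temporal_filter(back, BUF, BUF + 16, 4)])
    print("events on the known buffer:", len(buffer_viewing_filter(back, BUF, 16)))
    print("buffers found:", [(hex(s), hex(e)) for s, e in buffer_finding_filter(back, 1, 8)])
```

The fixed-size record is the point of the "why Wireshark" argument: once every trapped access is a self-describing datagram, the post-filtering language (Wireshark display filters) does the analysis, and only the rate-limiting or address-range decisions that must be cheap stay in the kernel-side pre-filter.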
-
FETCH/EXECUTE
-
EXECUTE/READ
-
Memory Analysis Based on a Simple Language
Friend asks me: “What do I go ‘WOOT’ about?”
Answer: viewing non-network stuff in Wireshark is kind of cool, but our efforts to design, build, and use Cage are “…part of a broader argument [6] that “offensive” does not mean unprincipled or ad hoc.”
-
Takeaway Message
“…it is precisely the variety of creative abuses of existing memory management circuitry that argue for a more sane and powerful hardware support for memory introspection on commodity architectures.”
-
Thanks!
The reviewers
Our shepherd, Julien
Research is supported by Canada’s NSERC Discovery Grant program
https://github.com/selaing/Cage