A Survey on Linux Volatile Memory Forensic Techniques
Suba Surianarayanan
Dr. V. Uma Maheswari
College Of Engineering, Chennai
Anna University
INTRODUCTION
Various threats to a Linux machine
Loadable kernel modules
Directly accessible kernel Memory in some versions of Linux - /dev/kmem
Volatile Memory Forensics
Volatile memory – evidence gathered from RAM
Hidden malware
Live techniques – based on in-built utilities or tools
  Disadvantage: they leave a footprint on the memory image
  On Linux, LKMs and direct kernel memory access make in-built utilities like ps (process enumeration) unreliable and untrustworthy
Static techniques – capture the state of the system at the time of seizure
Linux Volatile Memory Forensics - Challenges
Numerous builds and versions – challenges the applicability of techniques
Kernel structure changes between versions
Security vulnerabilities – LKM and direct access to /dev/kmem
Research directions
Exploring kernel vulnerabilities
Detection of Malware and rootkits based on Volatile memory analysis
Emulation of Kernel utilities
Reverse engineering data structures from executables, behavioral analysis etc.
Deriving Kernel data structures
Reverse engineering kernel data structures – from executable [10]
Graph based signatures (pointer pattern based) [11]
Utilization of debugging information [5]
Simulation of utilities based on kernel structures [13]
Understanding kernel data structures forms the core of volatile memory forensics – e.g. it enables detection of hidden processes [9], [15], [16], [17]
Detecting hidden Processes: Kernel structures
[Figure: task_struct linked to its neighbours via prev/next; task_struct.files -> files_struct.fd_array -> file.f_path -> dentry.d_inode -> inode]
Detecting hidden Processes: Kernel structures
Structure | Description
task_struct | Current state of a process
mm_struct | Pages owned by a process; memory sections with begin and end addresses
vm_area_struct | Access permissions
files_struct | Files, pipes and sockets opened by a process
dentry | Directory information
inode | Includes file MAC times
address_space | Radix tree that holds the pages of a process together
page_struct | Index into the page file
file | Representation of each open file, socket etc.
inet_sock | Protocol-specific information
Detecting hidden Processes: Kernel structures (Kernel 2.6.32)
struct task_struct {
    [0] volatile long int state;
    [4] void *stack;
    [8] atomic_t usage;
    [12] unsigned int flags;
    [16] unsigned int ptrace;
    [20] int lock_depth;
    [24] int prio;
    [28] int static_prio;
    [32] int normal_prio;
    [36] unsigned int rt_priority;
    [40] const struct sched_class *sched_class;
    [44] struct sched_entity se;
    [376] struct sched_rt_entity rt;
    [412] struct hlist_head preempt_notifiers;
    [416] unsigned char fpu_counter;
    [420] unsigned int btrace_seq;
    [424] unsigned int policy;
    [428] cpumask_t cpus_allowed;
    [432] struct sched_info sched_info;
    [464] struct list_head tasks; // circular linked list of processes: tasks.next and tasks.prev
    …
    [3248] struct memcg_batch_info memcg_batch;
}
SIZE: 3264
Detecting hidden Processes: Requirements for Volatile memory analysis
Uncompressed kernel build – vmlinux
Kernel debugger
System.map
Memory dump file
How to obtain the uncompressed kernel? (Red Hat versions)
Download the kernel build for the same version: kernel-debuginfo
System.map
struct file.f_op = "socket_file_ops"
struct file.f_path -> dentry.d_op = "sockfs_dentry_operations"
The static addresses of these two symbols can be obtained from System.map
Detecting hidden Processes
Traverse the circularly linked task list and compare with the corresponding mm_struct list
Brute force detection based on task_struct field signatures
Slab and slub allocator - kmem_cache list
Locating Kernel structures from Memory Dump
Types of data structures: (1) static, (2) dynamic
Locating static data structures – using the System.map file
  Contains the name and address of every static data structure in the kernel
  Created during the kernel build process using nm on the compiled vmlinux file
Locating dynamic data structures – derive them from the static data structures
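An added example (not code from the survey or from any cited paper) that puts the hidden-process techniques and the System.map lookup together on a constructed image: it reads the address of init_task from a constructed System.map excerpt, walks the circular tasks list using the 2.6.32 offsets listed earlier (tasks at 464, size 3264), brute-force scans the same image for task_struct field signatures, and reports the difference, which is exactly what a DKOM-unlinked process looks like. The i386 PAGE_OFFSET mapping, the image contents and the System.map lines are assumptions.

```python
import struct

# task_struct offsets from the kernel 2.6.32 listing on the earlier slide:
# state at 0, struct list_head tasks at 464 (next, prev), size 3264.
TASK_SIZE, OFF_STATE, OFF_TASKS = 3264, 0, 464
PAGE_OFFSET = 0xC0000000  # assumption: i386 direct mapping, phys = virt - PAGE_OFFSET
# Constructed System.map excerpt (not from a real build); only init_task is used.
SYSTEM_MAP = "c0000000 T _text\nc0001000 D init_task\nc0008000 T socket_file_ops\n"

def symbol_address(system_map, name):
    # Static address of a symbol, as nm wrote it into System.map.
    for line in system_map.splitlines():
        addr, _kind, sym = line.split()
        if sym == name:
            return int(addr, 16)
    raise KeyError(name)

def write_task(img, phys, state, nxt, prv):
    struct.pack_into("<I", img, phys + OFF_STATE, state)
    struct.pack_into("<II", img, phys + OFF_TASKS, nxt, prv)

def build_image():
    # Constructed 64 KiB image: init_task -> A -> B -> init_task, plus H unlinked by DKOM.
    img = bytearray(0x10000)
    init, a, b, h = 0x1000, 0x3000, 0x5000, 0x7000
    lh = lambda phys: phys + PAGE_OFFSET + OFF_TASKS  # virtual address of a task's list_head
    write_task(img, init, 0, lh(a), lh(b))
    write_task(img, a, 1, lh(b), lh(init))
    write_task(img, b, 0, lh(init), lh(a))
    write_task(img, h, 0, lh(b), lh(a))  # H keeps plausible pointers; nothing points back at it
    return img

def walk_task_list(img, init_task_vaddr):
    # List view (what ps relies on): follow tasks.next until the ring closes.
    seen, cur = [], init_task_vaddr
    while cur not in seen and len(seen) < 1000:
        seen.append(cur)
        nxt = struct.unpack_from("<I", img, cur - PAGE_OFFSET + OFF_TASKS)[0]
        cur = nxt - OFF_TASKS  # list_head address -> containing task_struct
    return seen

def scan_task_signatures(img):
    # Brute-force view: aligned offsets whose state and tasks fields fit a task_struct.
    is_ptr = lambda v: 0 <= v - PAGE_OFFSET < len(img) and v % 4 == 0
    hits = []
    for off in range(0, len(img) - TASK_SIZE, 4):
        state = struct.unpack_from("<I", img, off + OFF_STATE)[0]
        nxt, prv = struct.unpack_from("<II", img, off + OFF_TASKS)
        if state <= 8 and is_ptr(nxt) and is_ptr(prv):
            hits.append(off + PAGE_OFFSET)
    return hits

def hidden_tasks(img, system_map):
    # Cross-view: task_structs found by scanning but absent from the linked list.
    listed = set(walk_task_list(img, symbol_address(system_map, "init_task")))
    return sorted(set(scan_task_signatures(img)) - listed)
```

On a real dump the signature would also check fields such as comm and the mm/files pointers, and the kmem_cache for task_struct gives a tighter scan range than the whole image.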
Malware detection techniques
Based on:
Data access patterns and structural signatures [4],[6],[8]
Binary analysis based on instruction sequence [12]
Task structure analysis [14]
Malware detection techniques [4]
Inter-structure pointers:
struct socket_alloc {
    [0] struct socket socket;
    [40] struct inode vfs_inode; // 0x28
}
size: 392
Malware detection techniques [4]
[Figure: struct file -> f_dentry (dentry) -> d_inode -> vfs_inode, which is embedded at offset 40 (0x28) inside socket_alloc; the socket at offset 0 of the same socket_alloc refers back to the file]
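An added example (not from the survey or from [4]) of the socket signature described on these slides: the f_op and d_op pointers of a candidate struct file are compared with the static addresses of socket_file_ops and sockfs_dentry_operations taken from a System.map excerpt, and the inter-structure pointer is then used in reverse, subtracting the 0x28 offset from the inode address to recover the enclosing socket_alloc. The field offsets inside file and dentry, the image contents and the System.map lines are constructed assumptions, not real 2.6.32 layouts.

```python
import struct

PAGE_OFFSET = 0xC0000000  # assumption: i386 direct mapping, phys = virt - PAGE_OFFSET
# Toy field offsets (assumptions, not real 2.6.32 layouts) for the chain the slide draws:
# file.f_op, file.f_path.dentry -> dentry.d_op, dentry.d_inode.
F_OP, F_DENTRY, D_OP, D_INODE = 0x10, 0x20, 0x10, 0x18
# From the slide: struct inode vfs_inode sits at offset 0x28 (40) inside struct socket_alloc.
SOCKET_ALLOC_VFS_INODE = 0x28
# Constructed System.map excerpt: the two operations tables the slide names plus a decoy.
SYSTEM_MAP = ("c0500000 D socket_file_ops\n"
              "c0500100 D sockfs_dentry_operations\n"
              "c0500200 D ext3_file_operations\n")

def symbol_address(system_map, name):
    for line in system_map.splitlines():
        addr, _kind, sym = line.split()
        if sym == name:
            return int(addr, 16)
    raise KeyError(name)

def read_ptr(img, vaddr):
    return struct.unpack_from("<I", img, vaddr - PAGE_OFFSET)[0]

def put_ptr(img, vaddr, value):
    struct.pack_into("<I", img, vaddr - PAGE_OFFSET, value)

def build_image():
    # Constructed image holding one socket file and one regular (ext3) file.
    img = bytearray(0x4000)
    sock_file, sock_dentry, sock_alloc = 0xC0001000, 0xC0001200, 0xC0001400
    put_ptr(img, sock_file + F_OP, 0xC0500000)            # f_op = socket_file_ops
    put_ptr(img, sock_file + F_DENTRY, sock_dentry)
    put_ptr(img, sock_dentry + D_OP, 0xC0500100)          # d_op = sockfs_dentry_operations
    put_ptr(img, sock_dentry + D_INODE, sock_alloc + SOCKET_ALLOC_VFS_INODE)
    reg_file, reg_dentry = 0xC0002000, 0xC0002200
    put_ptr(img, reg_file + F_OP, 0xC0500200)             # f_op = ext3_file_operations
    put_ptr(img, reg_file + F_DENTRY, reg_dentry)
    put_ptr(img, reg_dentry + D_INODE, 0xC0002400)        # d_op left NULL in this toy image
    return img

def classify_file(img, file_vaddr, system_map):
    # Returns (kind, socket_alloc_vaddr). The two static addresses form the signature;
    # the container-of step recovers the enclosing socket_alloc from the inode pointer.
    f_op = read_ptr(img, file_vaddr + F_OP)
    dentry = read_ptr(img, file_vaddr + F_DENTRY)
    d_op = read_ptr(img, dentry + D_OP)
    inode = read_ptr(img, dentry + D_INODE)
    is_sock_fop = f_op == symbol_address(system_map, "socket_file_ops")
    is_sock_dop = d_op == symbol_address(system_map, "sockfs_dentry_operations")
    if is_sock_fop and is_sock_dop:
        return "socket", inode - SOCKET_ALLOC_VFS_INODE
    if is_sock_fop != is_sock_dop:
        return "inconsistent", None  # only half of the signature matches: invariant violated
    return "regular", None
```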
Rootkit Detection
Hidden Rootkit – DKOM and Function hooking
Remain undetected through normal modes of detection such as ps
Finding hidden objects such as sockets and processes based on field types and inter-structure pointers in kernel structures [4, 6]
Behavioral analysis – such as data access patterns [8]
Classification of various techniques
Title | Analysis type | Application
Detecting stealthy malware with Inter-Structure and imported Signatures [4] | In-execution | Malware detection
Characterizing Kernel Malware Behavior with Kernel Data Access Patterns [8] | In-execution | Malware detection
In-Execution Malware Detection using Task Structures of Linux Processes [14] | In-execution | Malware detection
Detecting Kernel-level Rootkits using Data Structure Invariants [6] | In-execution | Rootkit detection
Detecting Kernel-Level Rootkits Through Binary Analysis [12] | Pre-execution | Rootkit detection
Locating 386 paging structures in memory images [9] | Memory dump analysis | Hidden process detection
Classification of various techniques
Title | Analysis type | Application
FACE: Automated digital evidence discovery and correlation [13] | Memory dump analysis | Evidence correlation
The 7 dwarves: debugging information beyond gdb [5] | Post-execution | Identification of kernel structure offsets
SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [11] | In-execution | Identification of kernel structures
Automatic Reverse Engineering of Data Structures from Binary Execution [10] | In-execution | Identification of kernel structures from memory image
An Analysis of Linux RAM Forensics [16] | Memory dump analysis | Identification of forensically relevant data structures (SUSE Linux kernel 2.6)
Linux Memory Forensic: Searching for processes [17] | Memory dump analysis | Identification of forensically relevant data structures (kernel versions 2.6.20 and 2.4.23)
Conclusion and future trends
Understanding the Kernel memory structures of the target system forms the basis of Volatile memory forensics
task_struct and System.map are the starting points of such analysis on a Linux machine
Frameworks and techniques applicable across kernel versions
Interpretation of collected evidence
User-friendly report format
References
[1] Wikipedia, "Cyber forensics", http://en.wikipedia.org/wiki/Cyber_forensics
[2] "Crash utility", http://people.redhat.com/anderson/crash_whitepaper/
[3] Case, A., Marziale, L., Richard, G.G., "Dynamic recreation of kernel data structures for live forensics", Digital Investigation, 2010
[4] Liang, B., You, W., Shi, W., Liang, Z., "Detecting stealthy malware with Inter-Structure and imported Signatures", Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
[5] de Melo, A.C., "The 7 dwarves: debugging information beyond gdb", Proceedings of the Linux Symposium, 2007
[6] Baliga, A., "Detecting Kernel-level Rootkits using Data Structure Invariants", IEEE Transactions on Dependable and Secure Computing, 2011
[7] Ramaswamy, A., "Detecting Kernel rootkits", Dartmouth College Masters Thesis, 2008
[8] Rhee, J., Lin, Z., Xu, D., "Characterizing Kernel Malware Behavior with Kernel Data Access Patterns", Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
[9] Saur, K., Grizzard, J.B., "Locating 386 paging structures in memory images", Digital Investigation, 2010
[10] Lin, Z., Zhang, X., Xu, D., "Automatic Reverse Engineering of Data Structures from Binary Execution", 17th Network and Distributed System Security Symposium, 2010
[11] Lin, Z., "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures", 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2010
[12] Kruegel, C., "Detecting Kernel-Level Rootkits Through Binary Analysis", Computer Security Applications Conference, 2004
[13] Case, A., Cristina, A., Marziale, L., Richard, G.G., Roussev, V., "FACE: Automated digital evidence discovery and correlation", Digital Investigation, 2008
[14] Shahzad, F. et al., "In-Execution Malware Detection using Task Structures of Linux Processes", IEEE International Conference on Communications, 2011
[15] Burdach, M., "Digital Forensics of the physical memory", 2005
[16] Urrea, J.M., "An analysis of Linux RAM forensics", Naval Postgraduate School Thesis, 2006
[17] Gao, Y., Cao, T., "Linux Memory Forensic: Searching for processes", Computer Security Applications Conference, 2010
[18] Movall, P., Nelson, W., Wetzstein, S., "Linux Physical Memory Analysis", Proceedings of the USENIX Annual Technical Conference, 2005
[19] Wikipedia, "Computer forensics", http://en.wikipedia.org/wiki/Computer_forensics
[20] DFRWS, "DFRWS 2005 Forensics Challenge", http://www.dfrws.org/2005/challenge/index.shtml, 2005
[21] Volatility framework, https://www.volatilesystems.com/default/volatility
Thank you