CS 695 Host Forensics: Auditing Using VMs. Georgios Portokalidis.

Recap: Volatile Data
Data spoils easily: in-memory data are ephemeral by nature.
Data trustworthiness: compromised systems cannot be trusted.
Destructive analysis: the Heisenberg uncertainty principle of data gathering and system analysis. As you capture data in one part of the computer you are changing data in another.
CS-695 HOST FORENSICS 2

Revisiting an Old Incident
Timeline (figure): initial attack and installation of sshd on 7/19/2001; further exploitation; discovery on 8/20/2001; investigation started on 8/23/2001.

Revisiting an Old Incident
We need to go back in time and observe the attacker's actions as they happen. Discovery came on 8/20/2001 and the investigation started on 8/23/2001, a month after the initial attack; a sophisticated adversary can erase his tracks in that time.

Another group of frustrated users would also love to go back in time. Guess who?

A Few Words About OS Debugging
Cyclic debugging: observe the error, revisit a previous state, re-run, and iterate.

Similarities
DEBUGGING                                          FORENSICS
Can re-run the application                         Can re-construct deleted files
But execution is non-deterministic                 Cannot recover/reconstruct volatile data
Bug may have been triggered a long time ago        Initial incident could have occurred a long time ago
A corrupted OS can interfere with the debugger     A compromised OS can report false data
Can you come up with more similarities or differences?

Virtual Machines to the Rescue
The system is observed from below. The data may still be untrustworthy, but collection does not depend on possibly malicious components (e.g., planted binaries, a subverted kernel, etc.), and the analysis does not tamper with the data.
Not a panacea! Adding more layers does not by itself make a system more secure: the hypervisor is now the component that must be trusted, and it's turtles all the way down.

VM Overview (figure): three software stacks, bottom up, with the targets of the analysis distinguished from the inspection code.
No VM: Hardware, Host Operating System, Applications.
VM as an application: Hardware, Host Operating System, VM, Guest.
VM in the OS: Hardware, VM & Host Operating System, Guest.

Time Traveling on Smartphones and Tablets?

Why?
They are used to do things we used to do with computers: games, multimedia, web & IM.

… and More
Micropayments (parking, transit); calls & SMS; critical information (PINs, credit card numbers, passwords); sensors.

Threats
Software vulnerabilities: the iPhone PDF exploit used to jailbreak the device; Android privilege escalation bugs; malicious applications being downloaded; too many to list …
Physical: the device can be damaged, stolen, manipulated, etc.

Goals
Enable multiple analyses at a fixed overhead, including heavyweight mechanisms like dynamic taint analysis (DTA) and including forensics and auditing.
Enable backup and recovery of device data.
Prevent attackers from disabling the checks.
Low overhead: no VM on the device, and minimize the volume of generated data.

Overview
Faithfully replicate smartphone execution in remote servers and apply the analyses on the replicas.

Design Overview (figure): the device records, the server replays; regular traffic flows over the Internet/UMTS link and a mirrored copy goes to the server.

Synchronization Issues
Transmitting data requires power, so data are transmitted to the server opportunistically.
Connectivity can be lost, so data need to be temporarily stored in a secure fashion on the device.

Recording on the Device
Pipeline: record non-deterministic events (syscalls, signals, etc.) -> encode & compress -> store securely -> transmit to server.

Replaying on the Server (figure): the recorded events and proxied data are fed into a smartphone emulator, whose OS replays the execution; monitoring, analysis and intrusion detection run on top of the replay.

Security Server
We can apply any detection technique that does not interfere with the replicated execution: system call profiling, file scanning, DTA, etc.
Because the replica executes exactly what the device executed, applying a check on the replica is equivalent to applying it on the device, and checks can be added transparently.
A server can host multiple replicas.
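As an added illustration of the loop on the three slides above (record non-deterministic events on the device, replay them on the server, run checks on the replica), here is a self-contained Python toy. It is not the lecture's or the described system's code: the real recorder works at the ptrace level and has its own encoding, whereas this model routes all non-determinism of a constructed workload through a `Syscalls` object that logs results while recording and feeds them back while replaying. The three modelled calls (`gettimeofday`, `getrandom`, `recv`), the zlib-based log encoding, the sample messages and the shell-metacharacter detector are all assumptions made for the example.

```python
"""Record/replay of non-deterministic inputs (constructed example)."""
import json
import os
import time
import zlib

RECORD, REPLAY = "record", "replay"


class Syscalls:
    """Every source of non-determinism the workload uses goes through here.

    In RECORD mode the real result is produced and appended to the log; in
    REPLAY mode the logged result is returned instead, so the workload
    re-executes identically without the device, its network or its clock.
    """

    def __init__(self, mode, log=None):
        self.mode = mode
        self.log = [] if log is None else log   # list of [event_name, value]
        self._pos = 0

    def _observe(self, name, produce):
        if self.mode == RECORD:
            value = produce()
            self.log.append([name, value])
            return value
        if self._pos >= len(self.log):
            raise RuntimeError("replay diverged: log exhausted at %s" % name)
        rec_name, value = self.log[self._pos]
        self._pos += 1
        if rec_name != name:   # the replica asked for something the device never did
            raise RuntimeError("replay diverged: expected %s, got %s" % (rec_name, name))
        return value

    # Three representative non-deterministic "syscalls" (modelled, not real ones).
    def gettimeofday(self):
        return self._observe("gettimeofday", time.time)

    def getrandom(self, nbytes):
        return self._observe("getrandom", lambda: os.urandom(nbytes).hex())

    def recv(self, sock):
        # sock is consulted only while recording; on replay it may be None.
        return self._observe("recv", lambda: next(sock))


def workload(sc, sock, n_messages):
    """Constructed workload whose output depends on time, randomness and input."""
    session = sc.getrandom(4)
    out = []
    for _ in range(n_messages):
        msg = sc.recv(sock)
        ts = sc.gettimeofday()
        out.append({"session": session, "t": ts, "reply": msg.upper()})
    return out


def encode_log(log):
    """Serialise and compress the event log; stands in for 'encode & compress'."""
    return zlib.compress(json.dumps(log, separators=(",", ":")).encode())


def decode_log(blob):
    return json.loads(zlib.decompress(blob).decode())


def shell_metachar_detector(log):
    """A check added at replay time: flag recv events carrying shell syntax.

    It reads the replica's event log only, so it cannot perturb the workload.
    Returns the positions of the flagged events in the log.
    """
    return [i for i, (name, value) in enumerate(log)
            if name == "recv" and any(c in value for c in ";|`$")]


def record_and_replay(messages):
    """Record a run over constructed input, 'ship' the compressed log, replay it."""
    rec = Syscalls(RECORD)
    first = workload(rec, iter(messages), len(messages))
    blob = encode_log(rec.log)                 # what the device would transmit
    rep = Syscalls(REPLAY, decode_log(blob))   # what the server reconstructs
    second = workload(rep, None, len(messages))
    return first, second, shell_metachar_detector(rep.log), len(blob)


if __name__ == "__main__":
    MESSAGES = ["hello", "GET /index.html", "x; rm -rf / ;"]   # constructed input
    a, b, flagged, size = record_and_replay(MESSAGES)
    print("replay identical:", a == b, "flagged events:", flagged, "log bytes:", size)
```

Two points the toy makes concrete: the replica needs only the logged results, not the device, so a heavyweight check costs the device nothing; and any divergence between what the replica asks for and what was logged is a hard error, which is what makes a tampered or incomplete log detectable rather than silently mis-replayed.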

Device Implementation
Record non-deterministic events (syscalls, signals, etc.): using ptrace().
Encode & compress: Huffman-style and LZ coding.
Store securely: HMAC + rolling key.
Transmit to server: OpenSSL.
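The "store securely" step is described only as "HMAC + rolling key". The following Python example, added here and not taken from the lecture or the described implementation, shows one standard way to realise that phrase: a forward-secure log in which each entry is tagged with an HMAC under the current key, after which the key is replaced by its hash and the old key discarded. The hash-chain derivation, the domain-separation label, the enrolment key and the sample event strings are assumptions made for the example.

```python
"""Forward-secure event log with a rolling HMAC key (constructed example)."""
import hashlib
import hmac

KEY_LABEL = b"rolling-key-v1"   # domain separator; an assumption for this example


def evolve(key: bytes) -> bytes:
    """Next key in the chain. One-way, so holding key_n reveals nothing about key_{n-1}."""
    return hashlib.sha256(KEY_LABEL + key).digest()


def tag_entry(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC over sequence number and payload; seq binds position, not just content."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class DeviceLog:
    """Append-only buffer kept on the device until the server is reachable."""

    def __init__(self, k0: bytes):
        self.current_key = k0          # shared with the server at enrolment (assumed)
        self.entries = []              # list of (seq, payload, tag)

    def append(self, payload: bytes) -> bytes:
        seq = len(self.entries)
        tag = tag_entry(self.current_key, seq, payload)
        self.entries.append((seq, payload, tag))
        # Roll the key forward and drop the old one. A later compromise of the
        # device yields only current_key, which cannot re-tag earlier entries.
        self.current_key = evolve(self.current_key)
        return tag


def verify(k0: bytes, entries):
    """Server side: re-derive the key chain from k0 and check every tag in order.

    Returns None if the whole sequence verifies, otherwise the position of the
    first entry that fails (bad tag, or a wrong/missing sequence number).
    """
    key = k0
    for expected_seq, (seq, payload, tag) in enumerate(entries):
        if seq != expected_seq or not hmac.compare_digest(tag_entry(key, seq, payload), tag):
            return expected_seq
        key = evolve(key)
    return None


if __name__ == "__main__":
    k0 = bytes(32)                 # constructed enrolment key, not a real secret
    log = DeviceLog(k0)
    for event in (b"open /etc/passwd", b"connect 10.0.0.1:443", b"exec /bin/sh"):
        log.append(event)
    print("intact log verifies:", verify(k0, log.entries) is None)
    tampered = list(log.entries)
    seq, _, tag = tampered[2]
    tampered[2] = (seq, b"exec /bin/ls", tag)
    print("first bad entry:", verify(k0, tampered))
```

Note what the scheme does and does not give. An attacker who compromises the device after entry n cannot rewrite, reorder or drop entries 0..n-1 without the server noticing, because the keys that tagged them no longer exist on the device. The attacker can still forge entries after n with the stolen current key, and can truncate the log at its end, so the server must also track the expected next sequence number (or require a periodic close tag) to detect silence.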

Implementation Issues
Scheduling and shared memory: we use deterministic scheduling. Alternatives are kernel-space deterministic scheduling or a concurrent-read-exclusive-write (CREW) protocol.
ioctls: used the existing descriptions from the QEMU user-space emulator and manually added the Android-related ones.

Security Server Implementation
Replica hosted on the Android QEMU emulator (stack: QEMU emulator, Android OS, applications).

Data Generation Rate for Various Tasks (figure; the rates shown include 64 B/s and 121 B/s).

Performance
Idle operation and performing calls: CPU load and battery life are not affected.
Intensive usage like browsing: CPU load average increased by 15%, battery consumption increased by 30%.

Performance and Energy Consumption (figure)

Scalability (figure)