Memory forensics using VMI for cloud computing
1 like813 views
The document discusses memory forensics using virtual machine introspection (VMI) in cloud computing, highlighting its importance due to the limited forensic capabilities in cloud environments. VMI enables users to conduct their own forensic investigations while maintaining minimal impact on the target systems and enhancing the detection of advanced malware. The prototype solution presented utilizes open-source tools to facilitate efficient forensic processes in both local and networked scenarios.
Memory forensics using VMI for cloud computing
- 1. Memory Forensics using Virtual Machine Introspection for Cloud Computing Tobias Zillner, BSc MSc MSc
- 2. About Me Tobias Zillner, BSc MSc MSc • Vienna, Austria • Founder of Zillner IT-Security • Independent Security Consultant & Researcher • Consulting, Audit, Advisory, Training • Security Research • Internet of Things, Smart Homes • Wireless Security • www.zillner.tech SDR Enthusiast
- 3. What is it about? And why do we need it?
- 4. Outline Introduction & Background Virtual Machine Introspection (VMI) Use cases Prototype Summary
- 5. Motivation Relocation of systems and services into cloud environments is on the rise Users loose direct access / control over their systems Forensic methods are limited in the cloud Enable the user to perform their own forensic investigations Forensic as a Service
- 6. Memory forensics & Virtual machine Introspection
- 7. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence
- 8. Hardware virtualization One / Multiple guest OS on virtualized hardware Managed by Virtual Machine Monitor (VMM) – Hypervisor Provides interfaces and controls interactions with hardware • CPU, memory, network, storage,… Hypervisor on own OS – Host OS
- 9. Native vs. hosted virtualization Hardware Hypervisor Guest OS Application Application Application Guest OSApplication Application Application Hardware Hypervisor Guest OS Application Application Application Guest OS Application Application Application Host OS Application Application Native virtualization Hosted virtualization
- 10. Virtual machine Introspection “Virtual Introspection (VI) is the process by which the state of a virtual machine (VM) is observed from either the Virtual Machine Monitor (VMM), or from some virtual machine other than the one being examined. “ 1 1 : Brian Hay and Kara Nance. Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev., 42(3):74 82, April 2008
- 11. Semantic gap Difference between the presentation of data from volatile memory by the OS and the raw data format Requires VMI to perform the same translation of the the raw memory data as the OS At least some knowledge about the guest OS is necessary
- 13. Advantages No altering of the target system Very hard to detect the monitoring Live analysis of memory content Data size for analysis (storage much larger than memory) Detection of advanced memory only malware More reliable data • No data corruption through malware
- 14. Countermeasures Detection • Timing analysis - unusual patterns in the frequency at which it is scheduled for execution • Page fault analysis - the target VM may be able to detect unusual patterns in the distribution of page faults Direct Kernel Structure Manipulation (DKSM) • VMI assumes that OS implement certain kernel- and data structures • DKSM modifies this structures and prevents monitoring • Sytanx based: targeted deletion/addition/manipulation of data structures • Sematic: semantics of the data structures are changed • Combined: mix of syntax and semantics manipulation
- 15. Fields of application Rootkit detection • Manipulation of memory access • Interception of system calls Cryptographic key extraction • On the fly encrypted container • Network forensics IDS / IPS Examples
- 16. Prototype
- 17. Solution approach Combining existing tools for a novel approach Open Source Minimal overhead Transparent for the user
- 18. Architecture Cloud Solution • Open Nebula Cloud Management Server Cloud Node Host OS – Ubuntu Guest VM Memory Forensic Services VMI Library – LibVMI Forensic Tool – Volatility Hypervisor - Xen
- 20. Cloud Management Server Cloud Node VM1 VM2 VMI Library Forensic Tool Memory Forensic Service Cloud Control Services Memory Forensic Service Dom U Dom 0Dom U Hypervisor
- 22. Memory forensic services Self developed management and control services Client – Server model Platform independent PKI for secure communication Command whitelisting
- 23. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence
- 24. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence • OS on Cloud Node • Data provided by LibVMI • Collected by Volatility
- 25. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence • OS on Cloud Node • Collected data checked by Volatility • Data extraction for forensic purpose
- 26. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence • Partially OS on Cloud Node • Collected data checked by Volatility • Partially on user system • Analysis with additional tools by user
- 27. Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence • Completely on user system
- 28. Advantages User gets easy access to the data No changes on the target VM necessary Memory analysis not on the possibly compromised system No stop/pausing of the analyzed machine required Operation of the VM does not get influenced Analysis can be done either local or over the network • Reduction of local load / network load Usage of existing authentication and authorization system
- 29. Disadvantages Configuration necessary Knowledge about the guest OS required Installation overhead for cloud provider Additional attack surface Security is crucial for the added services User segregation is very important
- 31. Volatility / Libvmi usage
- 32. Use case Modifying of data structures, which display the processes currently running on the system System call interception Interrupt hooking Modifying the kernel memory image Intercepting calls handled by the VFS Virtual memory subversion Kernel level root kit detection
- 33. Use case Enduser VM in Iaas cloud
- 34. Demo
- 35. Summary
- 36. Summary Investigations in cloud environments get more and more common Hypervisor forensics VMI is a very interesting solution approach Fully Open Source based working prototype Enables fast responses to security incidents Lot of room for enhancements Different use cases for VMI in clouds possible
- 37. Black hat sound bytes Hypervisor forensics / VMI are very powerful and interesting technologies FaaS gives power to the end user Memory analysis is a huge benefit for forensic investigations
- 38. Q & A Please fill out the Black Hat Feedback Form