
Page 1: Memory Forensics of Linux Systems - GitHub Pages | Memory Forensics of Linux Systems, 09/20/2018, Linux Memory Forensic Analysis, cpuu@icloud.com, 2018 Q3 Cyber Incident Information Sharing Seminar

Memory Forensics of Linux Systems

09/20/2018

Linux Memory Forensic Analysis

cpuu@icloud.com

2018 Q3 Cyber Incident Information Sharing Seminar

Page 2:

Table of Contents

• Overview of memory forensics

• Research trends in Linux memory forensics

• Memory dump acquisition and profile generation

• Future directions and conclusion

Page 3:

Background: Introduction to Memory Forensics

Goals:

Convey general background knowledge of memory forensics

Page 4:

Traditional Storage Forensics

Supreme Prosecutors' Office, "Regulations on the Collection, Analysis and Management of Digital Evidence"

1. Computer disks and other similar information storage media

2. Collecting, analyzing, storing and managing digital evidence

3. Bit-for-bit duplication of the electronic information stored on information storage media, etc., so that the copy is identical

4. Copied files made so that they can be used as legally valid evidence

Korean National Police Agency, "Rules on the Collection and Processing of Digital Evidence"

1. Computer disks and other similar information storage media

2. Hard-copy and imaging duplication; restoring the original form of information that exists in a deleted state

The focus is on recovering data stored inside the disk

Supreme Prosecutors' Office Directive No. 876, [effective 2017.3.1]

National Police Agency Directive No. 766, [effective 2015.6.1.]

Page 5:

Order of Volatility

Order of volatility (RFC 3227)

1. Memory inside RAM

2. Network information

3. Information about running processes

4. Hard disk

5. Floppy / other storage devices

Analysis of volatile artifacts

Clues that cannot be extracted with disk forensics alone

If volatile information can be collected in a given situation, it would be very useful.

However, a fast, prompt and stable acquisition method is needed!

RFC 3227 – Guidelines for evidence collection and archiving

Page 6:

Memory Forensics?

Memory forensics

1. Fileless malware and similar threats that never touch the hard disk

2. Important artifacts reside in memory (RAM)

3. Acquire a dump of the computer's physical memory

4. Tools are needed to analyze the dump

Differences from disk forensics

"Storage forensics tools are focused primarily on 'dead' analysis."

"Researchers have created many powerful memory forensics techniques." Andrew Case, "Memory forensics: The path forward" (2017)

Page 7:

Physical Memory Structure

Von Neumann computer architecture

A general-purpose architecture with the usual CPU, memory and program structure

In this architecture, data residing in main memory (RAM) is volatile

Page 8:

Related Research

Mariusz Burdach, "Physical Memory Forensics", Black Hat US 2006

Memory analysis from a forensic perspective

Showed that evidence inside memory can be used to prove guilt

Approaches for countering anti-forensic techniques

Amari Kristine, "Techniques and tools for data from volatile memory"

White paper published by the SANS Forensics institute (2009)

Demonstrated that encryption keys and similar secrets can be recovered from memory

Haruyama, "One-byte modification for breaking memory forensics" 2012

More recently, anti-forensic research aimed at making memory analysis impossible is also under way

Page 9:

Memory Forensics Procedure

Memory acquisition & analysis

The foundational techniques were first developed around 2004

Image from Haruyama, Takahiro, and Hiroshi Suzuki. "One-byte modification for breaking memory forensic analysis." Black Hat Europe (2012).

Target Machine

Investigator's Machine

Memory Image File

1. Acquire RAM data as an image file

2. Parse and analyze the image offline

Page 10:

Memory Acquisition Tools

Raw image acquisition

HBGary FastDump Pro

Guidance WinEn

MoonSols Windd

Crash Dump Image Acquisition

MoonSols Windd

Memory Image Conversion

MoonSols Windows Memory Toolkit

[Figure: memory image formats (Raw, Crash Dump, Hibernation) and whether CPU registers are included or not included in each]

Memory Image File

Image from Haruyama, Takahiro, and Hiroshi Suzuki. "One-byte modification for breaking memory forensic analysis." Black Hat Europe (2012).

Page 11:

(Open-source) Memory Analysis Software

strings and grep (stressful)

Before dedicated memory tools existed, analysis was classical and centred on simple pattern matching

Volatility

Tooling developed in earnest after the DFRWS 2005 conference

Volatility is the de facto standard and the most widely used tool.

Rekall

Open-source memory forensics framework developed by Google.

Its convenient GUI and automatic detection of the operating system profile are useful.

Ligh, Michael Hale, et al. "The art of memory forensics". John Wiley & Sons, 2014.

Google, Rekall Memory Forensic Framework, 2016. https://github.com/google/rekall

Page 12:

How about Linux systems? Is it possible?

Goals:

Environmental constraints specific to Linux systems

Page 13:

Linux Memory Acquisition

Historical methods: /dev/mem

/dev/kmem

ptrace

Modern acquisition: fmem

/proc/kcore

Linux Memory Extractor (LiME)

Virtual machines: KVM, Oracle VirtualBox, VMware Workstation -> debug mode -> *.vmem

Ligh, Michael Hale, et al. "The art of memory forensics". John Wiley & Sons, 2014.

Page 14:

Memory map

Kernel Space / User Space

Stack, Heap, Segments ..

https://manybutfinite.com/post/anatomy-of-a-program-in-memory/

Page 15:

Memory Profiles

A profile is the template that allows us to know where each field member begins and ends in memory.

The compiler will normally plan how to lay out each struct member in memory and generate code that accesses this struct:

Socała, Arkadiusz, and Michael Cohen. "Automatic profile generation for live Linux Memory analysis." Digital Investigation 16 (2016): S11-S24

Page 16:

Memory Profiles

The way memory structures are laid out differs according to

the system architecture,

the operating system type,

the kernel version,

and so on.

Therefore,

a solution suited to each of them is needed.

Related research:

OS Fingerprinting

Gu, Yufei. "Derandomizing kernel address space layout for memory introspection and forensics." ACM CODASPY 2016

[The KDBG signature that Volatility uses to detect the Windows OS]

Page 17:

Windows Profiles

Volatility

Page 18:

Windows Profiles

Rekall (from Google)

Microsoft Windows XP Service Pack 2 and 3

Microsoft Windows 7 Service Pack 0 and 1

Microsoft Windows 8 and 8.1

Microsoft Windows 10

macOS 10.7 – 10.12.x

Auto detecting – specific version of GUID

Page 19:

(Major) Linux Profiles

Linux profile GitHub repository

CentOS, Debian, Fedora, OpenSUSE, RedHat, Ubuntu

https://github.com/volatilityfoundation/profiles

Page 20:

How about Custom Linux?

Many custom Linux distributions exist that are built for special purposes

Kali Linux for penetration testing

Gentoo Linux

FreeBSD or others

Linux Distribution Timeline (version 16.12)

From Wikipedia: https://en.wikipedia.org/wiki/Linux_distribution

Page 21:

Rapid Kernel Updates

Linux Kernel Version Check

Ubuntu 18.04 with kernel 4.15.0-29-generic

https://git.kernel.org

A profile becomes unusable even when the kernel version differs by a single decimal place

Hard problem: generating a profile for an arbitrary Linux system

Page 22:

Detect kernel version from ELF binary

Leveraging Relocations in ELF-binaries for Linux Kernel Version Identification

Bhatt, Manish, and Irfan Ahmed. "Leveraging relocations in ELF-binaries for Linux kernel version identification." Digital Investigation 26 (2018): S12-S20.

Page 23:
Page 24:

Let's Create Linux Kernel Profiles.

Goals:

- Build profiles ourselves in an (unknown) custom Linux environment

Page 25:

Amazon EC2 Cloud

Cloud resources were used to build the infrastructure

Environment used in the experiments:

Page 26:

Virtualization Tech

Open-source (Linux/Unix) virtual machines (VDIs)

Both VirtualBox & VMware

Over 100 pre-installed images

Import into an Amazon EC2 instance

With KVM and Oracle VirtualBox, memory paging errors occurred (timeout error)

VMware Workstation was adopted

www.osboxes.org

VM Import/Export Guide for Amazon EC2, https://aws.amazon.com/ec2/vm-import/

Page 27:

lmg (Hal Pomeranz)

Hal Pomeranz, Automating Linux Memory Capture

https://github.com/halpomeranz/lmg

SANS DFIR Summit 2014

Memory acquisition (LiME)

Profile creation (dwarfdump)

(Need to modify some errors)

Appears not to have been updated for more than 5 years

Installation produces some errors, so manual fixes were needed

Page 28:

lmc (cpuu)

lmc - Linux Memory Capturer

https://github.com/cpuu/lmc

(Put together in a last-minute rush yesterday...)

Modified version of Hal Pomeranz's scripts

Automatically installs the latest versions of the related packages

Page 29:

Generate Volatility Profile

Kali Linux 2018.3 Release

Linux Kernel 4.9

Released on 21 August 2018

No existing case of a profile having been generated for it

Used Amazon AWS

Profile generation

Linux headers

Kernel module

Analysis succeeded

Page 30:

(+) Google Rekall

$ pip install rekall-layout-expert

Socała, Arkadiusz, and Michael Cohen. "Automatic profile generation for live Linux Memory analysis." Digital Investigation 16 (2016): S11-S24

Compile a test module with debug information generated - stored in a zip file.

Page 31:

(+) Google Rekall

Page 32:

De-randomizing Kernel Address Space Layout for Memory Forensics

Goals:

- Understand KASLR, applied since the Linux 4.8 kernel

- Develop a plugin that works around KASLR for memory forensics

Page 33:

ASLR

ASLR: Address Space Layout Randomization

A protection technique against memory attacks: the heap, libraries and other regions are placed at random positions in the process address space so that their addresses change on every execution.

Image from: https://bpsecblog.wordpress.com/2016/05/16/memory_protect_linux_1/

echo 1 > /proc/sys/kernel/randomize_va_space

Page 34:

Kernel ASLR

K-ASLR: Kernel-mode ASLR

Randomizes the memory address layout on every boot

Attackers find it hard to predict exactly where the code/data they want to attack is located

Image from: Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX, Black Hat USA 2015

KASLR changes kernel symbol addresses every boot

Page 35:

Popular OSes Adopted KASLR

Cook, K. “KASLR, 2013” Linux Security Summit

First released : Linux 3.14 Kernel (optional)

Image from : Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX, Black Hat USA 2015

Page 36:

Example: Ubuntu Linux

Ubuntu Linux has new releases every year

From the 4.8 kernel shipped in version 16.10, KASLR is enabled by default

KASLR is also applied by default on Fedora 25 and others

Version     Kernel   KASLR
12.04 LTS   3.11     Unsupported
14.04 LTS   3.13     Unsupported
15.04       3.19     Optional
16.04 LTS   4.4      Optional
16.10       4.8      Default
17.04       4.10     Default

Whether KASLR is applied, by Ubuntu version/kernel

https://kernelnewbies.org/Linux_4.8

Page 37:

Side Effect (?)

Volatility error on Linux 4.8+ => KASLR error

A way to detect whether KASLR is applied and to work around it is needed.

ERROR : No suitable address space mapping found
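The kernel-version check from slide 21 and the KASLR caveat from slides 36 and 37 can be combined into one triage pass over a dump before a profile is chosen: the kernel's `linux_banner` string is found with a raw byte search, parsed into a version, compared against the 4.8 threshold, and exact-matched against the profiles on hand. This Python is an added example, not code from the talk, lmc or Volatility; the sample dump bytes and the profile-name table are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# The kernel's build banner ("Linux version 4.9.0-kali1-amd64 (...)") lives in RAM as
# the linux_banner symbol, so a raw byte search finds it before any profile is chosen.
BANNER_RE = re.compile(rb"Linux version ((\d+)\.(\d+)(?:\.(\d+))?[^\s\x00]*)")

# Slide 36: KASLR is enabled by default from kernel 4.8, so dumps from this version
# onwards need the KASLR shift before Volatility can map the address space.
KASLR_DEFAULT_SINCE = (4, 8)

# Constructed sample dump: padding, one banner line, junk. Not a real memory image.
SAMPLE_IMAGE = (b"\x00" * 64
                + b"Linux version 4.15.0-29-generic (buildd@host) (gcc 7.3.0) #31-Ubuntu SMP\n"
                + b"\xff" * 32)

# Constructed profile table (name -> kernel release it was built for); names are made up.
SAMPLE_PROFILES: Dict[str, str] = {
    "LinuxUbuntu1804x64": "4.15.0-29-generic",
    "LinuxKali2018_3x64": "4.9.0-kali1-amd64",
}

def find_kernel_banner(image: bytes) -> Optional[Tuple[Tuple[int, int, int], str, int]]:
    """Return (version tuple, full release string, byte offset) of the first banner, or None."""
    m = BANNER_RE.search(image)
    if not m:
        return None
    release, major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0)), release.decode("ascii", "replace"), m.start()

def kaslr_expected(version: Tuple[int, int, int]) -> bool:
    """True when the kernel is new enough for KASLR to be on by default."""
    return version[:2] >= KASLR_DEFAULT_SINCE

def pick_profile(release: str, profiles: Dict[str, str]) -> Optional[str]:
    """Exact match only: a profile for 4.15.0-30 is unusable on 4.15.0-29 (slide 21)."""
    return next((name for name, built in profiles.items() if built == release), None)

def triage_image(image: bytes, profiles: Dict[str, str]) -> dict:
    """Banner -> version -> KASLR expectation -> usable profile, in one pass over the dump."""
    found = find_kernel_banner(image)
    if found is None:
        return {"version": None, "release": None, "offset": None,
                "kaslr_expected": None, "profile": None}
    version, release, offset = found
    return {"version": version, "release": release, "offset": offset,
            "kaslr_expected": kaslr_expected(version), "profile": pick_profile(release, profiles)}
```

A banner found at a plausible offset with `kaslr_expected` set is the cue to run the shift computation before any other plugin; a missing banner usually means the acquisition itself failed or the image is not a Linux dump.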

Page 38:

KASLR Shift Plugin Development (1)

calculate() initialization (flow reconstructed from the slide's flowchart; the loop runs while dtb < dtb_candidates and ends with dtb++)

    # loop: dtb < dtb_candidates
    pte_to_search_for = pte_to_search_for.replace(pte_to_search_for[-4:-1], '...')
    pte_regex = re.compile(pte_to_search_for)
    pte_match = find_key(tree, pte_regex)
    # find_key searches for a leaf in a nested dictionary and returns the path taken
    dtbs_and_offsets[dtb] = index_offsets
    yield [dtb, candidate, dtb_candidates[dtb] - candidate]
    # dtb++

Page 39:

KASLR Shift Plugin Development (2)

unified_output()

    def unified_output(self, data):
        return TreeGrid([("DTB", Address), ("VirtualShift", Address), ("Physical Shift", Address)],
                        self.generator(data))

    def generator(self, data):
        for dtb, virtualshift, physicalshift in data:
            yield (0, [Address(dtb), Address(virtualshift), Address(physicalshift)])

Page 40:

Volatility Core Patch

volatility/plugins/overlays/linux/linux.py

https://github.com/volatilityfoundation/volatility/pull/385/files

Page 41:

Simple test

It works!

--dtb=0x11406000 --virtual=0x39200000 --physical=-700448768

Page 42:

Conclusion & Discussion

Page 43:

Conclusion & Discussion

• Linux memory forensics: current state of the art

• Generating profiles and dumps directly on the live system

• An open community for sharing profiles is needed

• Integration with automatic OS fingerprinting research is needed

• Analysis of the Linux process memory structure and recovery of binaries

Page 44:

References

[1] Burdach, Mariusz. "Physical memory forensics." Black Hat USA (2006).
[2] Amari, Kristine. "Techniques and tools for recovering and analyzing data from volatile memory." SANS Institute (2009).
[3] 주한익. "Implementation of a forensic tool for reconstructing symbol information from Linux physical memory dump files." Master's thesis, Graduate School of Information and Communication, Sogang University, 2016.
[4] LiME: Linux Memory Extractor, 2012. https://github.com/504ensicsLabs/LiME
[5] Sylve, Joe, et al. "Acquisition and analysis of volatile memory from android devices." Digital Investigation 8.3 (2012).
[6] The Volatility Framework: Volatile Memory Artifact Extraction Utility Framework, 2016. https://github.com/volatilityfoundation/volatility
[7] Ligh, Michael Hale, et al. "The art of memory forensics: detecting malware and threats in Windows, Linux, and Mac memory." John Wiley & Sons, 2014.
[8] Google, Rekall Memory Forensic Framework, 2016. https://github.com/google/rekall
[9] Brezinski, D., and Tom Killalea. "Guidelines for evidence collection and archiving." RFC 3227, 2002.
[10] Farmer, Dan, and Wietse Venema. Forensic Discovery. Vol. 6. Upper Saddle River: Addison-Wesley, 2005.
[11] Supreme Court of Korea, decision 2007Do7257, 13 December 2007.
[12] Volatility profiles for Linux and Mac OS X, 2014. https://github.com/volatilityfoundation/profiles
[13] Cook, K. "Kernel address space layout randomization." Linux Security Summit, 2013.
[14] Hal Pomeranz. "Automating Linux Memory Capture." SANS DFIR Summit, 2014.
[15] Anderson, D. "Libdwarf and dwarfdump." (2011).
[16] Gu, Yufei, and Zhiqiang Lin. "Derandomizing kernel address space layout for memory introspection and forensics." Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. ACM, 2016.
[17] Volafox memory analysis framework, 2015. https://github.com/n0fate/volafox
[18] 이경식. "A study on physical memory analysis of Mac OS X." Master's thesis, Graduate School of Information Management and Security, Korea University, 2010.
[19] Andrew Case, et al. "Memory forensics: The path forward." Digital Investigation, Volume 20, 2017.

Page 45:

Q&A

cpuu@icloud.com