An Experience Report on Extracting and Viewing Memory Events Via Wireshark
Sarah Laing, Michael E. Locasto, John Aycock University of Calgary
USENIX WOOT 2014
Challenge: Memory Event Analysis
Cage: a kernel-level mechanism for monitoring process memory events and exporting them via a network interface
Neat twist: display in Wireshark
Example Uses: find private key in SSH, overwrite data, overwrite instructions, find all buffers in a program, …
8/20/14 2 University of Calgary
Challenge: Memory Event Analysis
Cage: a kernel-level mechanism for monitoring (+ modifying) process memory events and exporting them via a network interface
Neat twist: display in Wireshark
Example Uses: find private key in SSH, overwrite data, overwrite instructions, find all buffers in a program, …
Underlying Insight / Why Wireshark?
BPF: pre-filtering
Wireshark: post-filtering
Treat a stream of memory events like a packet trace, and then benefit from the types of filtering languages that exist for such streams.
Building a memory trapping system seems conceptually easy, but is non-trivial and difficult if you want to do it seamlessly; see Figures 5 and 6 in the paper for validation across multiple architectures, OS distros, and VMs
Only raises our level of respect for prior work on memory interception techniques
Cage Implementation
Modifications to the Linux 3.9.4 kernel
23 files changed, 1002 insertions(+), 23 deletions(-)
create mode 100644 linux-3.9.4/arch/x86/mm/cage.c
create mode 100644 linux-3.9.4/chmem/Makefile
create mode 100644 linux-3.9.4/chmem/chmem.c
create mode 100644 linux-3.9.4/include/linux/cage.h
[Figure: Cage event flow across CPU/MMU, Page/PTE Bits, Page Fault Handler, Debug Fault Handler, BPF and Net Device: Page Fault -> Fetch PTE Bits -> PTE Entry -> Filter -> Result -> Emit Packet To User Space -> Fix PTE (UnCage) -> Restart Instruction -> Single Step Trap -> Set PTE (ReCage) -> Continue Execution]
BPF Filters (In-kernel, pre-event)
Temporal Filter: Watch for a specific address range. Emit a packet every n-th event. Rate limiting.
Data Overwriting Filter: Watch for a specific address and replace the data at that address with a user specified value.
Instruction Overwriting Filter: Watch for a specific RIP/EIP and replace the instruction at that address with a user specified instruction.
Buffer Viewing Filter: Watch for the creation of a specific buffer and emit all packets that touch that buffer. (SSH example)
Buffer Finding Filter: Find all buffers in a program by watching for sequential accesses to memory locations.
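As an added example, not code from the Cage project (whose filters run inside the Linux kernel as BPF programs), the Temporal and Buffer Finding filters above are modelled in user-space Python over a constructed event stream; the MemEvent fields and the contiguous-run simplification are assumptions, since the slides do not give Cage's packet format.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

@dataclass(frozen=True)
class MemEvent:  # fields are assumed; the slides do not give Cage's packet layout
    seq: int    # event counter
    addr: int   # data address touched
    kind: str   # "read", "write" or "fetch"
    width: int  # access size in bytes

def temporal_filter(events: List[MemEvent], lo: int, hi: int, every_n: int = 1) -> Iterator[MemEvent]:
    """Temporal filter: watch [lo, hi) and emit only every n-th matching event
    (rate limiting counts matches inside the range, not all events)."""
    matched = 0
    for ev in events:
        if lo <= ev.addr < hi:
            matched += 1
            if matched % every_n == 0:
                yield ev

def find_buffers(events: List[MemEvent], min_len: int = 3) -> List[Tuple[int, int, str]]:
    """Buffer Finding filter: a run of same-kind accesses, each one access-width past the
    previous, is one buffer (start, end_exclusive, kind). Simplification: the run must be
    contiguous in the stream, so an interleaved unrelated access ends it."""
    buffers: List[Tuple[int, int, str]] = []
    start, prev, count = None, None, 0
    for ev in events:
        if prev is not None and ev.kind == prev.kind and ev.addr == prev.addr + prev.width:
            count += 1
        else:
            if count >= min_len:
                buffers.append((start.addr, prev.addr + prev.width, prev.kind))
            start, count = ev, 1
        prev = ev
    if count >= min_len:  # flush the run still open at end of stream
        buffers.append((start.addr, prev.addr + prev.width, prev.kind))
    return buffers

# Constructed stream: a 4-byte store loop over a 16-byte stack buffer, one unrelated
# global read, then a byte-wise scan of the first three bytes of the same buffer.
SAMPLE_EVENTS = [
    MemEvent(1, 0x7FFD1000, "write", 4),
    MemEvent(2, 0x7FFD1004, "write", 4),
    MemEvent(3, 0x7FFD1008, "write", 4),
    MemEvent(4, 0x7FFD100C, "write", 4),
    MemEvent(5, 0x601048, "read", 8),
    MemEvent(6, 0x7FFD1000, "read", 1),
    MemEvent(7, 0x7FFD1001, "read", 1),
    MemEvent(8, 0x7FFD1002, "read", 1),
]
```

The same buffer is reported twice, once per access pattern, which is what a post-filter in Wireshark would then be used to merge.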
FETCH/EXECUTE
EXECUTE/READ
Memory Analysis Based on a Simple Language
Friend asks me: “What do I go ‘WOOT’ about?”
Answer: viewing non-network stuff in Wireshark is kind of cool, but our efforts to design, build, and use Cage are “…part of a broader argument [6] that “offensive” does not mean unprincipled or ad hoc.”
Takeaway Message
“…it is precisely the variety of creative abuses of existing memory management circuitry that argue for a more sane and powerful hardware support for memory introspection on commodity architectures.”
Thanks!
The reviewers
Our shepherd, Julien
Research is supported by Canada’s NSERC Discovery Grant program
https://github.com/selaing/Cage