Fixing a Memory Forensics Blind Spot: Linux Kernel Tracing

Presented at Black Hat USA 2021, Aug. 5, 2021, 2:30 p.m. (30 minutes)

The ubiquity of Linux servers across the internet and within cloud instances necessitates that defensive research maintain pace with the introduction of new features to the platform. Unfortunately, these research efforts have not adequately kept pace with advances in Linux kernel development, leaving blind spots in which attackers can remain undetected.

In this presentation, we document our effort to close a significant blind spot: the Linux kernel's tracing infrastructure. This infrastructure is installed and enabled by default on essentially all Linux distributions and is heavily utilized across a significant number of cloud-centric organizations, such as Facebook, Netflix, Google, GitLab, and Adobe.

The provided tracing features have legitimate uses for system monitoring, but they also allow code in userland and the kernel to observe and modify key portions of the operating system. This includes the ability to hook kernel subsystems, such as the networking stack, system call handling facilities, and file system drivers, as well as all exported APIs.

Current memory forensics techniques provide no means to effectively analyze these tracing features, leaving a significant number of malware capabilities to potentially go undetected. To close this gap, we developed new memory forensic techniques that can analyze the various tracing subsystems and report on potential abuses. These new analysis techniques are embodied in Volatility plugins, as Volatility is the most commonly used analysis framework in the field.

To provide capabilities that are useful both now and well into the future, we developed each technique as a plugin for both Volatility 2 and Volatility 3. Our team plans to contribute all the new plugins to the public Volatility repositories upon publication of this paper. This will allow the techniques to be immediately usable in the field as well as provide reference code for future researchers.

Presenters:

  • Andrew Case - Director of Research, Volexity
    Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis framework. He is a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory". He has delivered trainings in the fields of digital forensics and incident response to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.
  • Golden Richard - Professor of Computer Science and Engineering, Louisiana State University
    Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 40 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. He also supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his B.S. in Computer Science from the University of New Orleans and M.S. and PhD in Computer Science from The Ohio State University. His first floppy drive cost $600 and required financing; despite that, he's still very much alive.
