- Number of slides: 50
Sections: Introduction | Mapping the ELF | Pinpointing Fragmentation | Evaluation | Conclusion

COE 589: Digital Forensics
Bin-Carver: Automatic Recovery of Binary Executable Files
Scott Hand†, Zhiqiang Lin†, Guofei Gu*, Bhavani Thuraisingham†
Presented by: Mohammed Younus Siddiqui (201103270)
Outline
1. Introduction: Binary File Carving
2. Mapping the ELF: Recovery without Fragmentation
3. Pinpointing Fragmentation: Recovery with Fragmentation; Removing the Fragmentation
4. Evaluation: Procedure; Results
5. Conclusion
Section 1: Introduction (Binary File Carving)
What is this paper trying to accomplish?
Basic idea: recover meaningful data (files) from unorganized data (raw data read from disk).
[Figure: at the disk level, blocks labelled A1 A2 A3 B1 B2 B3 B4 A5 C1 C2 C3 lie in sequence; at the file-system level they are grouped into File A, File C and File B.]
Why do we care?
Needed whenever there is no file metadata:
- Deletion (unintentional)
- Corruption (by malware)
- Not part of the file system (VM images, embedded in other files, etc.)
Data recovery is a lucrative market.
Needed any time file system metadata is not present.
Motivation for focusing on binary executables
- Difficult to carve: no explicit footers, heterogeneous content, lots of internal structure
- They're everywhere: present in all file systems
- Malware loves to hide: finding malware
- Decrease the traditional carving space
Previous Approaches - Bifragment Carving
Simson Garfinkel, "Carving Contiguous and Fragmented Files with Fast Object Validation", DFRWS 2007.
[Figure: a header block and a footer block bracketing the carved region.]
Previous Approaches - Shortest Path
Pal, A., Shanmugasundaram, K. and Memon, N., "Automated reassembly of fragmented images using greedy algorithms", IEEE Transactions on Image Processing, 2006.
[Figure: three headers (Header 1, Header 2, Header 3) and blocks numbered 1-8 scattered on disk; after reassembly the blocks are assigned to paths: Header 1 -> 2, 6, 7; Header 2 -> 3, 4, 8; Header 3 -> 1, 5.]
Common elements
- Fragment edge identification
- Needs edge location heuristics
- Need both header and footer
Assumptions
- Recover only ELF executable files.
- Linux platform with EXT2 file systems.
- Content in the file is not overwritten.
Section 2: Mapping the ELF (Recovery without Fragmentation)
Executable and Linkable Format (ELF)
It is a common standard file format for executables, object code, shared libraries, and core dumps.
[Figure: an ELF file on disk, with the magic number at the start and unknown contents (?) following.]
Start with the magic number and expand
Build a list of ELF file headers by searching for the ELF magic number (0x7f, 0x45, 0x4c, 0x46, i.e. the bytes 0x7f 'E' 'L' 'F').
[Figure: the ELF file with only the magic number known; the rest is still marked ?.]
Load the ELF header
Luckily the ELF header will always be on the same block as the magic number.
[Figure: magic number and file header known; the rest still marked ?.]
Find the section header table
The file header has a pointer to the section header table (SHT).
[Figure: magic number, file header and section header table known; the blocks between and after them still marked ?.]
Identify the "footer"
The last part of the ELF file will be either the last section or the SHT. This can be easily checked, the footer identified, and the file size inferred.
[Figure: magic number, file header, section header table and footer known.]
We're done! Write everything from beginning to end.
[Figure: every block between header and footer marked with a check mark.]
Uh oh! Disaster strikes.
[Figure: the same block sequence, but one block between the header and the footer is marked X instead of a check mark: the file is fragmented.]
Section 3a: Pinpointing Fragmentation (Recovery with Fragmentation)
Pointers Before Fragmentation
[Figure: blocks numbered 1-7, each with four byte offsets (1-4), holding the sequence a, b, c, ..., z, 0, 1 in order; the figure shows where pointers inside the file land before fragmentation.]

Pointers After Fragmentation
[Figure: the same data after fragmentation: a foreign block (5) has been inserted, so the file's data now occupies blocks 1-4 and 6-8, and pointers to data past the foreign block no longer land on their targets.]
Finding the SHT
Without fragmentation: Header | Data | SHT | Data
With fragmentation: Header | Data | Pad | SHT | Data
After moving forward twice, we find the SHT: Header | Data | Pad | SHT | Data
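An added example, not the paper's C# prototype, that carries the magic-number-to-footer steps ("Start with the magic number" through "Identify the footer") and the "Finding the SHT" forward search into Python: locate_sht tries e_shoff first and then steps forward one block at a time, and elf_extent infers the file size from whichever ends later, the last file-backed section or the SHT. The SHT plausibility test, the 128-byte block size and the ELF64 sample image (with a pad_blocks knob that shifts the SHT the way the slide shows) are my constructions, not the paper's.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header, 64 bytes
SHT_NOBITS, BLOCK = 8, 128                  # .bss-style type; constructed block size

def sht_plausible(blob, off, shentsize, shnum):
    """Cheap validator (my heuristic, not the paper's): entry 0 of a real SHT is all zeros
    and later entries carry standard (1..0x1f) or OS/CPU-specific (>= 0x60000000) sh_type
    values. Requiring a non-zero type is what stops an all-zero pad block from passing."""
    if off + shentsize * shnum > len(blob) or blob[off:off + shentsize] != bytes(shentsize):
        return False
    types = [SHDR.unpack_from(blob, off + i * shentsize)[1] for i in range(1, shnum)]
    return all(0 < t < 0x20 or t >= 0x60000000 for t in types)

def locate_sht(blob, start, max_steps=8):
    """Try e_shoff first; if padding crept in before the SHT, step forward one block at a time."""
    f = EHDR.unpack_from(blob, start)             # f[6]=e_shoff, f[11]=e_shentsize, f[12]=e_shnum
    for moved in range(max_steps + 1):
        cand = start + f[6] + moved * BLOCK
        if sht_plausible(blob, cand, f[11], f[12]):
            return cand, moved
    return None, None

def elf_extent(blob, start):
    """Contiguous file: the footer is whichever ends later, last file-backed section or SHT."""
    shentsize, shnum = EHDR.unpack_from(blob, start)[11:13]
    sht, _ = locate_sht(blob, start)
    if sht is None:
        raise ValueError("no section header table found")
    end = sht - start + shentsize * shnum
    for i in range(shnum):
        sh = SHDR.unpack_from(blob, sht + i * shentsize)
        if sh[1] != SHT_NOBITS:                   # sh[1]=sh_type, sh[4]=sh_offset, sh[5]=sh_size
            end = max(end, sh[4] + sh[5])
    return end

def build_sample_elf(pad_blocks=0):
    """Constructed ELF64 image: header, .text, pad_blocks zero blocks, SHT, then .rodata after
    the SHT. Header offsets describe the unpadded layout, as they would for the file on disk."""
    text = b"\x55\x48\x89\xe5" + b"\x90" * (BLOCK - 4)        # push %rbp; mov %rsp,%rbp; nops
    rodata = b"bin-carver sample\x00"
    shoff = 64 + len(text)
    sht = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                  # null entry
           + SHDR.pack(1, 1, 6, 0x400000, 64, len(text), 0, 0, 16, 0)               # .text
           + SHDR.pack(7, SHT_NOBITS, 3, 0x600000, shoff, 4096, 0, 0, 8, 0)         # .bss
           + SHDR.pack(12, 1, 2, 0, shoff + 4 * 64, len(rodata), 0, 0, 1, 0))       # .rodata
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)            # ELFCLASS64, little-endian, v1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x400000, 0, shoff, 0, 64, 0, 0, 64, 4, 0)
    return ehdr + text + bytes(BLOCK * pad_blocks) + sht + rodata
```

With pad_blocks=2 the candidates at e_shoff and one block later are all-zero padding and fail the type check, so the table is found after moving forward twice, exactly as on the slide.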
Section 3b: Pinpointing Fragmentation (Removing the Fragmentation)
The next step
What next? Finding fragmentation in the ELF file now becomes finding fragmentation within sections.
Targeting .text: let's focus on .text, as it comprises a large part of the ELF file.
Strategy for validating machine code blocks
Taking advantage of internal structure: explore the structure provided by pointers in the code.
Map a CALL instruction to a function prologue at its target to validate a pair of locations.
Code

    <_init>:
     8049480:   55                      push   %ebp
     8049481:   89 e5                   mov    %esp,%ebp
     8049483:   53                      push   %ebx
     ...
     804949d:   e8 de 00 00 00          call   8049580
     ...
     80494b0:
     80494b6:
     80494bc:
     ...
Example
A quick example shows this algorithm handling three calls to three different blocks.
Before fragmentation: [Figure: block sequence Call 1, FP 3, FP 1, Call 2, FP 2, Call 3.]

Example - Call 3 previously pointed four blocks back to FP 3; now it is invalid.
We look backward to find FP 3.

Example - Call 2 previously pointed one block forward to FP 2; now it is invalid.
We look forward to find FP 2.

Example - Call 1 previously pointed two blocks forward to FP 1; now it is invalid.
We look forward to find FP 1.
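An added example, not the paper's code, of the CALL-to-prologue pairing from the "Strategy for validating machine code blocks" slide together with the forward/backward search that the three-call example walks through: each e8 rel32 CALL is resolved, the target is checked for the push %ebp; mov %esp,%ebp prologue from the Code slide, and when the prologue is missing the target is re-probed a whole number of blocks forward and backward. The 16-byte block size, the linear opcode scan standing in for a disassembler, and the three constructed block layouts are my assumptions.

```python
BLOCK = 16                    # constructed: tiny "disk block" so the sample stays short (ext2 uses 1K-4K)
PROLOGUE = b"\x55\x89\xe5"    # push %ebp; mov %esp,%ebp: the 32-bit prologue shown on the Code slide
CALL_OPCODE = 0xe8            # e8 rel32: near CALL, target = address of next instruction + rel32

def find_calls(code):
    """Return (call_offset, target_offset) pairs. A linear opcode scan stands in for a
    disassembler here: on real .text an e8 byte inside another instruction is a false
    positive, which the prologue check at the target is meant to weed out."""
    calls = []
    for i in range(len(code) - 4):
        if code[i] == CALL_OPCODE:
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            calls.append((i, i + 5 + rel))
    return calls

def has_prologue(code, off):
    return off >= 0 and code[off:off + len(PROLOGUE)] == PROLOGUE

def validate_calls(code, block=BLOCK, max_shift=4):
    """For each CALL, look for a prologue at its target; if there is none, a foreign block
    between caller and callee (or a missing one) shifted the target by a whole number of
    blocks, so probe forward and backward in block steps. Result per call: blocks moved
    (0 = contiguous, positive = found forward, negative = found backward, None = unresolved)."""
    shifts = [0] + [s for k in range(1, max_shift + 1) for s in (k, -k)]
    result = {}
    for call_off, target in find_calls(code):
        result[call_off] = next((s for s in shifts if has_prologue(code, target + s * block)), None)
    return result

def sample_layouts():
    """Constructed blocks: caller (CALL at offset 8), filler, callee (prologue first).
    The rel32 is computed for the contiguous layout, as the compiler would have emitted it."""
    callee = PROLOGUE + b"\x90" * (BLOCK - 3)
    filler = b"\xcc" * BLOCK
    foreign = b"A" * BLOCK                       # a block belonging to some other file
    rel = 2 * BLOCK - (8 + 5)                    # callee starts two blocks in; CALL ends at byte 13
    caller = (b"\x90" * 8 + bytes([CALL_OPCODE])
              + rel.to_bytes(4, "little", signed=True) + b"\x90" * 3)
    return {
        "contiguous": caller + filler + callee,
        "foreign_block_inserted": caller + filler + foreign + callee,
        "block_missing": caller + callee,
    }
```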
Other Sections
Other important sections need recovery approaches as well, but many of them (.rodata, debug sections, etc.) have predictable structures that lend themselves to data classification approaches.
Section 4a: Evaluation (Procedure)
Setup
The Bin-Carver prototype was coded in C#; Python was used for collection of accuracy statistics.
Test data: tested on 8 different disk images. Each differed in the number of files as well as the number of deletes and copies executed after its creation.
Disks
1. Disk 1 was a small baseline sample; it contained only /bin.
2. Disk 2 contained a larger number of ELF files.
3. Disk 3 contained some of the files from disk 2, with some of them deleted before the image was made.
4. Disk 4 contained all of disk 2 as well as the SO (shared object) ELF files from /lib.
5. Disk 5 had all the files from disk 4, which were then deleted; half were then picked randomly and copied back.
6. Disk 6 is the same as disk 5 except that only half were deleted.
7. Disk 7 repeated the same process as disk 6, but twice with smaller batches.
8. Disk 8 did lots of unpredictable small copy and delete cycles to create the most chaotic image.
Evaluating accuracy (effectiveness)
- Identification rate: the number of valid files on the disk we can identify.
- Recovery rate: the number of files that were recovered successfully after identification.
Section 4b: Evaluation (Results)
Accuracy Metrics
[Figure: bar chart of normalized Identification Rate and Recovery Rate (0-100%) per disk image, Disk-1 through Disk-8, plus the average.]
Performance Metrics
[Figure: bar chart of run-time (scale 0-80) per disk image, Disk-1 through Disk-8, plus the average.]
Section 5: Conclusion
Remarks
- Recovery approaches were shown to be effective.
- Hopefully, more research will be done in executable file carving.
- Exclusionary carving could benefit other kinds of file carving.
Limitations and Future Work
- PE files
- More signatures
- Robustness
Thank you for your patience. Any questions?