TY - GEN
T1 - Katana
T2 - 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
AU - Franzen, Fabian
AU - Holl, Tobias
AU - Andreas, Manuel
AU - Kirsch, Julian
AU - Grossklags, Jens
N1 - Publisher Copyright:
© 2022 Owner/Author.
PY - 2022/10/26
Y1 - 2022/10/26
N2 - The development and research of tools for forensically analyzing Linux memory snapshots have stalled in recent years, as they cannot deal with the high degree of configurability and fail to handle security advances like structure layout randomization. Existing tools such as Volatility and Rekall require a pre-generated profile of the operating system, which is not always available and can be invalidated by the smallest source code or configuration changes in the kernel. In this paper, we create a reference model of the control and data flow of selected representative Linux kernels. Using this model, ABI properties, and Linux's own runtime information, we apply a configuration- and instruction-set-agnostic structural matching between the reference model and the loaded kernel to obtain enough information to drive all practically relevant forensic analyses. We implemented our approach in Katana and evaluated it against Volatility. Katana is superior where no perfect profile information is available. Furthermore, we show correct functionality on an extensive set of 85 kernels with different configurations and 45 realistic snapshots taken while executing popular Linux distributions or recent versions of Android from version 8.1 to 11. Our approach translates to other CPU architectures in the Internet-of-Things (IoT) device domain, such as MIPS and ARM64, as we show by analyzing a TP-Link router and a smart camera. We also successfully generalize to modified Linux kernels such as Android.
AB - The development and research of tools for forensically analyzing Linux memory snapshots have stalled in recent years, as they cannot deal with the high degree of configurability and fail to handle security advances like structure layout randomization. Existing tools such as Volatility and Rekall require a pre-generated profile of the operating system, which is not always available and can be invalidated by the smallest source code or configuration changes in the kernel. In this paper, we create a reference model of the control and data flow of selected representative Linux kernels. Using this model, ABI properties, and Linux's own runtime information, we apply a configuration- and instruction-set-agnostic structural matching between the reference model and the loaded kernel to obtain enough information to drive all practically relevant forensic analyses. We implemented our approach in Katana and evaluated it against Volatility. Katana is superior where no perfect profile information is available. Furthermore, we show correct functionality on an extensive set of 85 kernels with different configurations and 45 realistic snapshots taken while executing popular Linux distributions or recent versions of Android from version 8.1 to 11. Our approach translates to other CPU architectures in the Internet-of-Things (IoT) device domain, such as MIPS and ARM64, as we show by analyzing a TP-Link router and a smart camera. We also successfully generalize to modified Linux kernels such as Android.
KW - automated profile generation
KW - binary analysis
KW - memory forensics
UR - http://www.scopus.com/inward/record.url?scp=85142529422&partnerID=8YFLogxK
U2 - 10.1145/3545948.3545980
DO - 10.1145/3545948.3545980
M3 - Conference contribution
AN - SCOPUS:85142529422
T3 - ACM International Conference Proceeding Series
SP - 214
EP - 231
BT - Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
PB - Association for Computing Machinery
Y2 - 26 October 2022 through 28 October 2022
ER -