
Locating Zero-day Exploits With Coarse-Grained Forensics.

Authors :
Kuhn, Stephen
Taylor, Stephen
Source :
Proceedings of the European Conference on e-Learning (ECEL); 2015, p159-168, 10p
Publication Year :
2015

Abstract

This paper describes a novel coarse-grained forensics capability for locating zero-day exploits by recording and correlating on-host actions with network packets, with no discernible impact on user experience. The capability provides an alternative to fine-grained techniques, such as memory taint tracking, which are intractable for typical high-volume internet-facing servers. Two associated network attack scenarios, based upon typical website designs, are described to illustrate how the technique can be used. These have been implemented and tested to verify the capability. Many government and business entities already record large volumes of network traffic for regulatory compliance and security analysis; specialized, high-performance hardware appliances are now available to support this activity. To augment this store, the coarse-grained forensics capability utilizes a small-footprint (i.e. small attack surface) custom hypervisor with built-in virtual machine introspection (VMI) mechanisms. These mechanisms allow forensic observation to extract exploits by observing the running micro-kernel's process creation, communications and network activities, so that recorded network events can be directly correlated with on-host actions. A custom micro-kernel has been developed to explore the core ideas; in common with other designs such as Minix, it uses message passing for inter-process communication. This communication model enables strict enforcement of process interactions, which must pass through the kernel, creating a natural observation point for events of interest. Recording only process interactions keeps the storage requirements at a manageable level -- sixteen bytes per event. This imparts minimal performance impact -- less than six microseconds to record each event on host -- and enables recording of the process communication ontology in a computationally efficient manner.
The process history allows an analyst to observe the past actions taken by a malicious or compromised process, supporting post-mortem analysis of on-system events that traces back to the initial network packets containing the exploit. The results were experimentally verified by non-deterministically injecting fake exploits into a vulnerable webserver running on top of the kernel. The LARIAT network traffic generator was used to simulate high-density, real-world network loads over periods of 18 and 35 days respectively. The techniques were able to record all associations in real time. Post-mortem, the forensics capability was able to isolate the packets containing the exploit and highlight the process interaction history in less than 5 minutes, reducing the number of packets subject to manual search by more than 99%. Two scenarios were constructed using a typical website with and without a connected database. These scenarios were chosen to exercise two specific cases: one in which there is a direct path to the exploit via the process history, and one that demonstrates the isolation of an exploit where there is no direct discernible trace in the process history. The forensics capability provides more than just isolation of zero-day exploits: it represents a jumping-off point for further investigation into the process / network interaction history. These further investigations can then determine the impact of the attack, the processes affected, and the spread of tainted data, providing a basis for clean-up operations. [ABSTRACT FROM AUTHOR]
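The following is an added illustration of the core idea in the abstract (fixed-size per-event records of process creation, IPC and network receipt, queried post-mortem to walk from a suspicious process back to candidate packets). It is not code from the paper: the 16-byte record layout, the event types, the pids and packet ids, and the `trace_back` lookback heuristic are all assumptions made for this example, and the timeline is constructed.

```python
import struct
from dataclasses import dataclass

# Hypothetical fixed-size (16-byte) event record. This layout is an assumption
# made for this example; the paper's actual field format is not given here.
#   uint32 seq    monotonically increasing event sequence number
#   uint32 pid    process that performed the action
#   uint32 peer   other party: a pid (SPAWN/IPC) or a packet id (NET_RX)
#   uint16 kind   event type
#   uint16 flags  reserved, always 0 here
EVENT_FMT = "<IIIHH"
assert struct.calcsize(EVENT_FMT) == 16

EV_SPAWN, EV_IPC, EV_NET_RX = 1, 2, 3


@dataclass(frozen=True)
class Event:
    seq: int
    pid: int
    peer: int
    kind: int


def encode(seq, pid, peer, kind):
    """Pack one event into the 16-byte on-host record."""
    return struct.pack(EVENT_FMT, seq, pid, peer, kind, 0)


def decode_log(buf):
    """Unpack a raw record store back into Event objects."""
    n = len(buf) // 16
    return [Event(*struct.unpack_from(EVENT_FMT, buf, 16 * i)[:4]) for i in range(n)]


def build_sample_log():
    """Constructed timeline (not real data): a web server (pid 10) receives
    packets 100-103, exchanges messages with a db worker (pid 20), and after
    packet 102 spawns an unexpected child (pid 30) that talks to pid 40."""
    timeline = [
        (10, 100, EV_NET_RX), (10, 20, EV_IPC), (10, 101, EV_NET_RX),
        (20, 10, EV_IPC), (10, 102, EV_NET_RX), (10, 30, EV_SPAWN),
        (30, 40, EV_IPC), (10, 103, EV_NET_RX),
    ]
    return b"".join(encode(i, pid, peer, kind)
                    for i, (pid, peer, kind) in enumerate(timeline, 1))


def trace_back(events, suspect_pid, lookback):
    """Post-mortem query: follow SPAWN edges upward from a suspect process to
    the nearest ancestor that has network input, then return that ancestor's
    NET_RX packet ids from the `lookback` events preceding the spawn.
    Returns (chain_of_pids, candidate_packet_ids)."""
    by_seq = sorted(events, key=lambda e: e.seq)
    chain, current, spawn_seq = [suspect_pid], suspect_pid, None
    while True:
        spawn = next((e for e in by_seq if e.kind == EV_SPAWN and e.peer == current), None)
        if spawn is None:
            break
        chain.append(spawn.pid)
        current, spawn_seq = spawn.pid, spawn.seq
        if any(e.kind == EV_NET_RX and e.pid == current for e in by_seq):
            break
    if spawn_seq is None:
        return chain, []   # no creator on record: no direct path through the process history
    pkts = [e.peer for e in by_seq
            if e.kind == EV_NET_RX and e.pid == current
            and spawn_seq - lookback <= e.seq < spawn_seq]
    return chain, pkts


if __name__ == "__main__":
    evs = decode_log(build_sample_log())
    print(trace_back(evs, suspect_pid=30, lookback=2))   # -> ([30, 10], [102])
```

The lookback window is the knob that trades recall for reviewer effort: a narrow window isolates the one packet received just before the anomalous spawn, while a wider one returns every packet the parent received in that span. The second scenario in the abstract (no direct trace in the process history) is the `spawn_seq is None` branch here, where the analyst must fall back to the network store rather than the process chain.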

Details

Language :
English
ISSN :
20488637
Database :
Complementary Index
Journal :
Proceedings of the European Conference on e-Learning (ECEL)
Publication Type :
Conference
Accession number :
108722970