Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion
Bin-Carver: Automatic Recovery of Binary Executable Files
Scott Hand†, Zhiqiang Lin†, Guofei Gu*, Bhavani Thuraisingham†
COE 589 : Digital Forensics
Presented by: Mohammed Younus Siddiqui (201103270)
Outline
1 Introduction: Binary File Carving
2 Mapping the ELF: Recovery without Fragmentation
3 Pinpointing Fragmentation: Recovery with Fragmentation; Removing the Fragmentation
4 Evaluation: Procedure; Results
5 Conclusion
What is this paper trying to accomplish?
Basic Idea
Recover meaningful data (files) from unorganized data (data read from disk)
Disk Level: A1 A2 A3 B1 B2 B3 B4 A4 A5 C1 C2 C3
File System Level: File A, File B, File C
Why do we care?
Needed any time file system metadata is not present
Deletion
Corruption
Not part of file system (VM, embedded in other files, etc.)
• Needed whenever there is no file metadata
• Data recovery is a lucrative market
• Unintentional deletion
• Corruption by malware
Motivation for focusing on binary executables
Difficult to carve: heterogeneous contents, no explicit footers
Lots of internal structure
They’re everywhere
Malware loves to hide
• Difficult to carve
• No explicit footers
• Heterogeneous content
• Present in all file systems
• Decrease the traditional carving space
• Finding malware
Previous Approaches - Bifragment Carving
Simson Garfinkel - Carving Contiguous and Fragmented Files with Fast Object Validation, DFRWS’07
[Figure: a file identified by its Header and Footer, with the fragment gap between them]
Previous Approaches - Shortest Path
Pal, A., Shanmugasundaram, K. and Memon, N. - Automated reassembly of fragmented images using greedy algorithms, IEEE Transactions on Image Processing, 2006
[Figure: three headers (Header 1, Header 2, Header 3) and eight numbered blocks (1 to 8) laid out as a graph; each header is reassembled by following the cheapest path through the blocks]
Previous Approaches - Shortest Path
Reassembled paths:
Header 1: 2, 6, 7
Header 2: 3, 4, 8
Header 3: 1, 5
Common elements
• Fragment edge identification
• Needs edge location heuristics
• Need both header and footer
Assumptions
• Recover only ELF executable files.
• Linux platform with EXT2 file systems.
• Content in the file is not overwritten.
Executable and Linkable Format (ELF)
It is a common standard file format for executables, object code, shared libraries, and core dumps.
[Figure: a disk holding several ELF files (ELF ELF ELF ELF ELF ELF); for "Elf File n" only the Magic Number is known so far, the rest is ???]
Start with the magic number and expand
Build a list of ELF file headers by searching for ELF file magic numbers (0x7f, 0x45, 0x4c, 0x46)
[Figure: Elf File n: Magic Number, then ???]
Load the ELF header
Luckily the ELF header will always be on the same block as the magic number
[Figure: Elf File n: Magic Number, File Header, then ???]
Find the section header table
The header will have a pointer to the section header table (SHT).
[Figure: Elf File n: Magic Number, File Header, ???, Section Header Table, ???]
Identify the "footer"
The last part of the ELF file will either be the last section or the SHT. This can be easily checked, the footer identified, and the file size inferred.
[Figure: Elf File n: Magic Number, File Header, ???, Section Header Table, Footer]
We’re done!
Write everything from beginning to end
[Figure: every block of the file validated: √ √ √ √ √]
Uh oh!
Disaster strikes
[Figure: the contiguous file (√ √ √ √ √) becomes a fragmented one in which foreign blocks (X) are interleaved with the file's blocks: √ X √ X √ √ X √]
Pointers Before Fragmentation
Block Number 1 to 7, Block Offset 1 to 4 within each block:
Block 1: a b c d
Block 2: e f g h
Block 3: i j k l
Block 4: m n o p
Block 5: q r s t
Block 6: u v w x
Block 7: y z 0 1
Pointers After Fragmentation
Block Number 1 to 8, Block Offset 1 to 4 within each block:
Block 1: a b c d
Block 2: e f g h
Block 3: i j k l
Block 4: m n o p
Block 5: (pad: foreign block inserted by fragmentation)
Block 6: q r s t
Block 7: u v w x
Block 8: y z 0 1
The data that used to be in block 5 now sits in block 6, so every pointer into blocks 5 to 7 is off by one block.
Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion
Finding the SHT
Without fragmentation:
Header Data SHT Data Data Data Data
With fragmentation:
Header Data Pad Pad SHT Data Data
After moving forward twice, we find the SHT:
Header Data Pad Pad SHT Data Data
25
The next step
What next?
Finding fragmentation in the ELF file now becomes finding fragmentation within sections
Targeting .text
Let’s focus on .text, as it comprises a large part of the ELF file
Strategy for validating machine code blocks
Taking advantage of internal structure
Explore the structure provided by pointers in the code
Map a CALL instruction to a function prologue at its target to validate a pair of locations
Code
08049480 <_init>:
 8049480:  55                    push   %ebp
 8049481:  89 e5                 mov    %esp,%ebp
 8049483:  53                    push   %ebx
 ...
 804949d:  e8 de 00 00 00        call   8049580 <__gmon_start__@plt>
 ...
080494b0 <abort@plt-0x10>:
 80494b0:  ff 35 08 e1 05 08     pushl  0x805e108
 80494b6:  ff 25 0c e1 05 08     jmp    *0x805e10c
 80494bc:  00 00                 add    %al,(%eax)
 ...
08049580 <__gmon_start__@plt>:
 8049580:  ff 25 40 e1 05 08     jmp    *0x805e140
 8049586:  68 60 00 00 00        push   $0x60
 804958b:  e9 20 ff ff ff        jmp    80494b0 <_init+0x30>
 ...
 8059e84:  e8 f7 f5 fe ff        call   8049480 <_init>
Example
A quick example shows this algorithm handling three calls to three different blocks.
Before fragmentation:
Call 1 FP3 FP1 Call 2 FP2 Call 3
Example - Call 3
Call 3 previously pointed four blocks back to FP3; now it is invalid.
Call 1 FP3 FP1 Call 2 FP2 Call 3
We look backward to find FP3:
Call 1 FP3 FP1 Call 2 FP2 Call 3
Example - Call 2
Call 2 previously pointed one block forward to FP2; now it is invalid.
Call 1 FP3 FP1 Call 2 FP2 Call 3
We look forward to find FP2:
Call 1 FP3 FP1 Call 2 FP2 Call 3
Example - Call 1
Call 1 previously pointed two blocks forward to FP1; now it is invalid.
Call 1 FP3 FP1 Call 2 FP2 Call 3
We look forward to find FP1:
Call 1 FP3 FP1 Call 2 FP2 Call 3
Other Sections
Other important sections need recovery approaches as well, but many of them (rodata, debug sections, etc.) have predictable structures that lend themselves to data classification approaches.
Setup
Bin-Carver
Prototype was coded in C#
Python used for collection of accuracy statistics
Test Data
Tested on 8 different disk images
Each differed in the number of files as well as the number of deletes and copies executed after its creation
Disks
Disk 1 was a small baseline sample, only contained /bin
Disk 2 contained a larger number of ELF files
Disk 3 contained some of the files from disk 2, with some of them deleted before the image was made
Disk 4 contained all of disk 2 as well as SO ELF files from /lib
Disks
Disk 5 had all the files from disk 4, which were then deleted. Half were then picked randomly and copied back.
Disk 6 is the same as disk 5 except that only half were deleted
Disk 7 repeated the same process as 6, but twice with smaller batches
Disk 8 did lots of unpredictable small copy and delete cycles to create the most chaotic image
Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion
Disks
1 Disk 5 had all the files from disk 4 which were thendeleted. Half were then picked randomly and copied back.
Disk 6 is the same as disk 5 except that only half weredeleted
Disk 7 repeated the same process as 6, but twice withsmaller batches
Disk 8 did lots of unpredictable small copy and deletecycles to create the most chaotic image
2
3
4
42
Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion
Evaluating accuracy
Effectiveness
Identification Rate - number of valid files on the disk we can identify
Recovery Rate - number of files that were recovered successfully after identification
Accuracy Metrics
[Figure: bar chart of Identification Rate and Recovery Rate per disk image; y-axis 0% to 100%, x-axis Disk Images]
Performance Metrics
[Figure: bar chart of run time per disk image; y-axis 0 to 80, x-axis Disk Images]
Conclusion
Remarks
Recovery approaches were shown to be effective
Hopefully, more research will be done in executable file carving
Exclusionary carving could benefit other kinds of file carving
Limitations and Future Work
PE Files
More signatures
Robustness
Thank you for your patience
Any questions?