Welcome to Security Engineering Lab (SEL) at the department of Engineering and Information Technology of the Bern University of Applied Sciences, Switzerland. The lab is headed by Endre Bangerter and was established in 2007. We are generally interested in security engineering research, i.e., how to systematically analyze, build, and verify secure systems. Our current R&D activities are in the field of intrusion forensics, especially memory forensics and malware analysis techniques. Our earlier work was in the field of crypto, especially on crypto compilers and the secure implementation of crypto protocols.
Some of our current projects are with partners from industry, and thus non-public. Vortessence and KAN are public R&D projects with the goal to improve existing memory forensics techniques.
Vortessence is a tool, whose aim is to partially automate memory forensics analysis. In fact, a key problem in memory forensics is that an analyst needs to be able to memorize lots of "encyclopedic" details about the state of a clean system in order to be able to spot anomalies originating from an intrusion. Examples of such encyclopedic details would be names of legitimate drivers, legitimate parent child relations ships for processes, legitimate DLLs being loaded into processes etc. We believe that it is impossible for (normal ?) humans to memorize all the relevant information -- and even if it would be possible, it is still a rather boring and cumbersome task to check a candidate memory image against the clean states. The fun parts in memory forensics are the more advanced analysis techniques, as well as researching new analysis techniques.
Another issue concerns memory forensics techniques that are geared towards the direct detection of anomalies caused by malware. An example is the
malfind plugin in Volatility which uses heuristics to detect anomalous memory allocations which are characteristic for code injections. Although clever heuristics are being employed, it seems to be impossible to entirely avoid false positives. Sorting out these false positives from true positives requires manual intervention by the analyst, whereas in some cases it can be hard to tell false from true positives.
Vortessence provides some remedy to the above issues, by automatically checking the memory image to be analyzed against a white-list. The white-list is built from known clean memory images. While Vortessence is conceptually a rather straightforward tool, it turns out to be quite effective in practice. Vortessence allows users to populate their own white-list, and to run the detection component (driven by the Vortessence rule engine) on unknown memory images. The rule engine performs white-list lookups and also employs heuristics to provide automated anomaly detection.
The analysis results can be queried using a command line tool or be displayed using the Vortessence Web front. Technically, Vortessence is currently based on Volatility and uses the Volatility plugins to query memory information for populating white-lists as well as detection. The image below shows process related findings in the Vortessence Web front-end.
An initial release of Vortessence will be made available in March 2015 (with several months of delay, please apologize) under an open source license. For details please check the dedicated Web site of the Vortessence project (the site is under construction, it will be available later in March 2015).
Presentations on Vortessence:
KAN is a novel dynamic analysis system which is based on what we call memory traces, which are a temporal sequence of physical memory snapshots. The core of KAN is the recorder which records physical memory snapshots of an instrumented system while it executes the target software (e.g., a piece of malware) to be reverse engineered, with a high frequency (roughly, ~20-100 snapshots per second). A memory trace obviously contains a wealth of information on the system being monitored, i.e., one gets information on all memory resident processes, virtual memory, code, data, the OS kernel state, etc. and the evolution of these entities over time (i.e., the recording period). Our analysis toolchain processes and visualizes memory traces to reverse engineer the behavior of the target. It allows for various novel reverse engineering techniques, and in some cases simplifies and speeds up or automates existing ones.
In fact, our analysis toolchain allows to automate several aspects of the analysis of malware infection behavior, for instance by correlating memory modifications and contents. The resulting information will guide the reverse engineer to the snapshots, processes, code regions, etc. which contain interesting behavior and require further investigation using traditional manual reversing techniques. The fact that we are working with memory snapshots allows the use of the standard toolchain of a reverse engineer such as IDA Pro (by exporting PE files, code etc. from memory snapshots), Volatility, WinDBG etc. We believe that this is another strength of our approach.
The image below shows an example of the visualization of the temporal behavior of the virtual address space of a selected process.
The KAN recorder is an extension of the KVM hypervisor. We can thus basically record memory traces for any x86 / x64 OS that is supported by KVM, which for instance currently includes various versions of Windows as well as Linux systems. A crucial aspect of the recorder is what we call triggering, i.e., the events in the guest OS being monitored that trigger a memory snapshot. We currently support various configurable triggering mechanisms (some are Win 7 only), which typically allow to capture relevant malware behavior in memory.
Finally, we believe that memory tracing adds a forensic quality to dynamic analysis. In fact, unlike classical sandboxes and similar dynamic techniques where the analyst only gets relatively high level information, memory traces yield a substantially more complete and deep recording of system behavior at the time of capture. This allows a reverse engineer any time to go back to a memory trace and perform follow up analysis, often without the need to relaunch the sample in a debugger or similar tools. This is particularly interesting for samples that use anti-* techniques, or samples which only feature interesting behavior under some circumstances, e.g., during some time windows, upon first execution etc.
Presentations on KAN:
Our Memory Tracing - Forensic Reverse Engineering presentation at recon 2014 in Montreal gives an overview of KAN and also contains a walk through demo of the analysis of a zeroaccess malware sample using KAN. The demo is only partially found in the slides, however the video of the talk should contain the full details.
We have also presented KAN at the Open Memory Forensics Workshop 2014 in Herndon/VA. The slides are quite similar to those shown at recon.
We are currently thinking of open sourcing (at least parts of) KAN towards the end of 2015. We also plan to publish paper(s) on KAN later this year.