https://www.sciencedirect.com/science/article/pii/S1742287617301986
DFRWS is a non-profit organization that organizes digital forensic conferences, challenges, and collaborations. Their goal is to promote transdisciplinary knowledge and growth in the field. Conferences include technical workshops, demos, and panels on digital forensics issues. DFRWS conferences provide a snapshot of the field's research and direction. The contents presented at DFRWS are published as papers in the journal Forensic Science International: Digital Investigation.
This paper was written by Andrew Case, a well-known security thought leader. Andrew co-developed the NIJ-funded Registry Decoder forensics application and is a core developer of The Volatility Framework. He has published peer-reviewed papers and presented at conferences worldwide. In addition, he is the author of The Art of Memory Forensics, a popular book on memory forensics.
Paper Abstract:
Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and because of the increasing use of automation of memory forensics techniques, it is imperative that these tools be resilient to memory smear and deliberate tampering. Without robust algorithms, malware may go undetected, frameworks may crash when attempting to process memory samples, and automation of memory forensics techniques is difficult. In this paper we present Gaslight, a powerful and flexible fuzz-testing architecture for stress-testing both open and closed-source memory forensics frameworks. Gaslight automatically targets critical code paths that process memory samples and mutates samples in an efficient way to reveal implementation errors. In experiments we conducted against several popular memory forensics frameworks, Gaslight revealed a number of critical previously undiscovered bugs.
My Review:
The paper begins by explaining why memory forensics frameworks need robust algorithms: they must detect anomalies in system state and resist tampering by malware. It then discusses the common problems of memory smear and deliberate malicious tampering, and describes Gaslight, an automated fuzzing architecture that efficiently and intelligently tests the critical components of memory forensics frameworks without requiring any modification to the framework under test.
Several studies have been conducted on the topic of fuzzing for various purposes, including security vulnerabilities, forensics tools, and dynamic taint analysis. Fuzzing is a technique for testing software by feeding it with invalid or unexpected inputs. In the context of security, fuzzing is used to discover vulnerabilities in software by testing it with various input combinations. Fuzzing can also be used to test forensics tools to ensure they function correctly and to detect any potential issues. Additionally, dynamic taint analysis can be used to track and identify data flows through software systems, providing a means to detect vulnerabilities and improve security.
Chapter 3 of the paper describes the design goals and implementation of Gaslight, a powerful and flexible fuzz-testing architecture for stress-testing both open and closed-source memory forensics frameworks. The chapter explains that Gaslight was designed to support seamless testing of any memory forensics framework without modification to the framework and to automatically scale to utilize all available cores. The authors also discuss how Gaslight generates millions of fuzzing states, which are used to test the memory forensics framework's ability to handle different types of data and detect anomalies. Finally, the chapter mentions that current efforts are underway to support distributed fuzzing in Gaslight.

The experiment tested the Gaslight tool, which uses fuzzing to test memory forensics frameworks. The hardware used was commodity hardware: an Alienware laptop and a desktop, both with Intel i7 processors and 32GB of RAM. Three operating systems were chosen for testing: Windows 7 SP1 64-bit, Debian Wheezy 32-bit, and Mac OS X Sierra 64-bit. The testing focused on two memory forensics frameworks, Volatility and Rekall. Results were given for the testing of various plugins for each operating system, detailing which plugins crashed or entered infinite loops due to mutations by Gaslight and which produced extremely large amounts of output. The study was not exhaustive, as only 10-12 plugins per operating system were tested, but the results demonstrate the potential of Gaslight for memory forensics testing.
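To make the black-box approach concrete, here is an added example (my own code, not from the paper or the Gaslight project) of the core loop that the design goals in Chapter 3 and the outcome classes in the results above imply: mutate a region of a memory sample, run the unmodified framework on it as a subprocess, and classify each run as a crash, a suspected infinite loop, output bloat, or ok. The argv template with its `{sample}` token, the outcome labels, the timeout and output thresholds, and the assumption that the chosen region is one the plugin actually reads are all mine.

```python
import os
import random
import subprocess
import sys
import tempfile

# Outcome classes, mirroring what the paper reports per plugin.
CRASH, HANG, BLOAT, OK = "crash", "infinite-loop", "output-bloat", "ok"

def mutate_region(sample: bytes, offset: int, length: int, seed: int, count: int = 8) -> bytes:
    """XOR `count` random bytes inside [offset, offset+length) with non-zero values.
    Assumption: the region is where the plugin under test actually reads the sample."""
    rng = random.Random(seed)  # seeded so every finding is reproducible from (offset, seed)
    buf = bytearray(sample)
    for _ in range(count):
        pos = offset + rng.randrange(length)
        buf[pos] ^= rng.randrange(1, 256)
    return bytes(buf)

def run_target(cmd, timeout_s: float = 60.0, max_output: int = 50_000_000) -> str:
    """Run one framework invocation as a black box and classify how it ended."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return HANG  # never finished within the budget: candidate infinite loop
    if proc.returncode != 0:
        return CRASH  # killed by a signal or died with an uncaught exception
    if len(proc.stdout) > max_output:
        return BLOAT  # parsed corrupted structures into an enormous result set
    return OK

def fuzz_region(sample: bytes, offset: int, length: int, cmd_template, seeds, **run_kw):
    """One mutated sample per seed; '{sample}' in the argv template becomes its file path."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    results = {}
    try:
        for seed in seeds:
            with open(path, "wb") as f:
                f.write(mutate_region(sample, offset, length, seed))
            results[seed] = run_target([path if a == "{sample}" else a for a in cmd_template], **run_kw)
    finally:
        os.unlink(path)
    return results

def python_cmd(code: str):
    """argv running `code` under the current interpreter: a constructed stand-in for a real plugin."""
    return [sys.executable, "-c", code]
```

Against Volatility 2 the template would look like `["python", "vol.py", "-f", "{sample}", "--profile=<profile>", "pslist"]`; the harness needs no access to the framework's source, which is what lets the same loop run against closed-source tools.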
The Gaslight paper describes a robust fuzzing architecture for testing memory forensics frameworks, which has been demonstrated to find crashes in numerous core Volatility plugins and can be utilized against other memory analysis frameworks. The next performance improvement for Gaslight is to automate scaling to as many systems as are available, with the development of a cluster-based, distributed implementation that will run a large number of tasks in a distributed computing environment in parallel and include a task manager to coordinate creation and management of individual fuzzing tasks across the cluster. Gaslight's eventual goal is to have it running 24/7/365 against a wide variety of memory samples and utilizing a wide variety of frameworks.
The Gaslight team is also reviewing the source code bases of Volatility and Rekall to identify which kernel versions of Linux, Mac, and Windows made changes that broke existing algorithms implemented by memory forensic plugins. Once this study is complete, the Gaslight team plans to generate memory samples for all the operating systems versions needed to fully test each plugin. Finally, after some code cleanup, Gaslight will be released as an open source project.
My critiques are as follows:
Firstly, the fuzzing mutation method employed in this study seems to be overly simplistic in its design.
Secondly, despite the researchers' declaration in 2017 that they intended to make the related tool available as an open-source project, it has not been made public as of 2023.
Lastly, in 2020, a paper titled "Gaslight revisited: Efficient and powerful fuzzing of digital forensics tools" was published, featuring Andrew Case as a co-author. I plan to conduct a review of this publication in the near future.