
Automated Forensic Techniques for Locating Zero-day Exploits

Posted on: 2015-07-21 | Degree: Ph.D | Type: Thesis
University: Dartmouth College | Candidate: Kuhn, Stephen | Full Text: PDF
GTID: 2478390017491608 | Subject: Engineering
Abstract/Summary:
This thesis approaches the problem of locating zero-day exploits used in network attacks. The hypothesis is that the advent of high-performance virtualization presents a unique opportunity both to discover these events and to increase the attacker's workload. Much of the traffic in modern computer networks is conducted between clients and servers rather than client-to-client. As a result, servers represent a high-value target for the collection and analysis of network traffic. The observe, orient, decide, and act (OODA) loop for computer network attack involves surveillance, to determine whether a vulnerability is present; selection of an appropriate exploit; use of the exploit to gain access; and persistence for a time sufficient to carry out some effect. The time spent in surveillance and persistence may range from seconds to months, depending on the intent of the attacker. In contrast, exploitation of the system can occur in milliseconds. The difficulty of generating a suitable exploit, and its potential for reuse, dictate that an attacker's first on-host action is likely to be the removal of any on-host trace associated with the exploit. Therefore, the first notice that an intrusion has occurred may well come several months later, when an effect is eventually perpetrated. The intervening period is populated by terabytes of network traffic, reboots, upgrades, and changes of operating system state that obfuscate analysis after the fact.

This thesis approaches the problem of locating the initial exploit through a novel coarse-grained forensics technique facilitated by virtualization. This new capability simultaneously increases the attacker's workload associated with conducting surveillance and maintaining persistence on host systems. In addition, it provides mechanisms to identify the network traffic corresponding to the initial intrusion and any subsequent communication within the operating system and within the network.

These goals are accomplished by enhancing non-determinism in operating systems: a hypervisor is used to refresh microkernels, and introspection techniques enable the hypervisor to peer into a running microkernel, observing its state and recording actions of interest for later analysis.
Keywords/Search Tags: Exploit, Locating, Network