Security/Mentorships/MWoS/2014/Cross-platform memory scanning in Go

From MozillaWiki

Revision as of 16:13, 8 August 2014


Team

Introduction

We are a team of Computer Science students from Argentina, highly motivated by coding, security and free software.

Members

Project

Description

The Mozilla InvestiGator (MIG) project needs a way to inspect the contents of a system's memory and detect threats. The typical approach in memory forensics is to dump the memory of a system and perform the analysis on another system, using tools like Volatility. We are looking for an approach that is less invasive, where an agent running on a target system can inspect its own memory without disrupting operations. Existing libraries, such as Volatility, are hard to ship to remote systems because of their size and dependencies. The goal of this project is to design and code a lean, cross-platform memory inspection library in the Go language that can be integrated into MIG.

Scope

Success Criteria

Updates

2014-08-08

Summary of the week

  • Linux program to check libs against a regexp done.
  • Port Windows EnumProcessModules to Go: 50% (only ported EnumProcesses and started with EnumProcessModules)
  • Mac: Program to list memory regions of a pid. This enables us to use vm_read to read arbitrary memory addresses.
  • We now have a repository on GitHub: https://github.com/mozilla/migmem

Plan for next week:

  • Research more about Mac; read The Art of Memory Forensics.
  • Read about: hollow process detection
    • influence of ASLR? /proc/sys/kernel/randomize_va_space
  • Finish porting Windows EnumProcessModules to Go.
  • Write a symbol table attack in C and write the module that detects it.

2014-08-01

Summary of the week:

  • Linux: /proc/<pid>/maps for mapped .so files, and /proc/<pid>/mem for raw memory.
  • Windows has a couple of functions in the Windows API that can be called with LoadLibrary or CGO. We decided to use CGO because it was easier.
  • Mac: Not so easy; there's a way to get a core dump without killing the process, and we can do that to analyze what we want. osxbook has an example.
  • If we use CGO we won't be able to cross-compile. Not a problem.
  • Go has packages for accessing ELF/Mach-O/PE files under the debug package, so we can analyze binaries and get more info.
  • We have working examples on Linux and Windows that get a process's loaded libraries.
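As an added illustration of the Linux approach in the first bullet (this is example code written for this page, not code from the migmem repository): a small Go parser for /proc/<pid>/maps that keeps each mapping's address range (the range one would then read through /proc/<pid>/mem) and filters the mapped files by a regular expression, which is what the "check libs for regexp" program has to do. The maps excerpt is constructed sample data, not taken from a real system.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Region is one /proc/<pid>/maps mapping: the address range (what you would read via /proc/<pid>/mem), its permissions and backing path.
type Region struct {
	Start, End  uint64
	Perms, Path string // Path is "" for anonymous memory; "[heap]", "[vdso]" etc. are kernel pseudo-paths
}

// SampleMaps is a constructed /proc/<pid>/maps excerpt (not from a real system) so the code runs offline.
const SampleMaps = `00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/sleep
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f1c2e000000-7f1c2e1bf000 r-xp 00000000 08:01 917 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2e1bf000-7f1c2e3bf000 ---p 001bf000 08:01 917 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2e5e6000-7f1c2e5e7000 rw-p 00000000 00:00 0
`
// ParseMaps parses "start-end perms offset dev inode [path]" lines; a malformed line is an error, not skipped.
func ParseMaps(maps string) ([]Region, error) {
	var regions []Region
	for _, line := range strings.Split(strings.TrimSpace(maps), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			return nil, fmt.Errorf("malformed maps line: %q", line)
		}
		// Joining f[5:] keeps paths with spaces and the " (deleted)" suffix of unlinked files; "" if absent.
		r := Region{Perms: f[1], Path: strings.Join(f[5:], " ")}
		if _, err := fmt.Sscanf(f[0], "%x-%x", &r.Start, &r.End); err != nil {
			return nil, fmt.Errorf("bad address range %q: %v", f[0], err)
		}
		regions = append(regions, r)
	}
	return regions, nil
}

// MatchLibs returns the distinct file-backed paths matching re, in first-seen order.
func MatchLibs(regions []Region, re *regexp.Regexp) []string {
	seen := map[string]bool{}
	var hits []string
	for _, r := range regions {
		// Skip anonymous regions, kernel pseudo-paths and files already reported from an earlier mapping.
		if r.Path == "" || r.Path[0] == '[' || seen[r.Path] || !re.MatchString(r.Path) {
			continue
		}
		seen[r.Path] = true
		hits = append(hits, r.Path)
	}
	return hits
}
```

On a live system the same functions apply to the contents of /proc/<pid>/maps, which requires the same privileges over the target pid as reading /proc/<pid>/mem does.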

Plan for next week:

  • Investigate how to get more information about libraries (version number, build, revision, etc)
  • Read more about Mac and how to get the data that we need.
  • Decide on a name for the project
  • Sign committer agreement

2014-07-14

  • Team presentation
  • Project introduction: MIG and the memory scanner module.
  • Set deadline: mid/end of December
  • Agreed on meeting once a week. Meetings scheduled by the team.
  • Plan for the next week: Investigate how to get the information that the memory scanner will provide on Linux, Windows and OS X.

<date>

  • current work
  • blocking points
  • discussion points
  • upcoming work