
VIDEO: Peering Into The Depths Of TLS Traffic In Real Time

posted on June 21, 2016
by l33tdawg

Analyzing network traffic is a task that comes up often in malware analysis, both before infection (malware delivery from web sites) and after infection (communication with the C&C servers). Having this information is vital when doing dynamic analysis. However, the current solutions involve either interposing on the traffic with a proxy that re-signs certificates on the fly, which requires adding a root CA (certificate authority) to the machine; modifying the crypto libraries to log extra information (a solution usually deemed non-portable); or using mechanisms already present that log such information (such as the SSLKEYLOGFILE environment variable). All of these methods rely, in the end, on modifications in the guest, and those modifications are visible to and can be detected by the malware itself.

An ingenious solution to this problem is to extract the data with an out-of-guest approach such as the one presented in "Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection". Although elegant, that approach has drawbacks both in speed (the machine is emulated rather than virtualized) and in setup complexity.

In this presentation we first do away with the performance overhead of the previous approach by replicating it with memory introspection techniques similar to those employed in DRAKVUF, and then present a novel technique that not only works on virtualized machines with minimal overhead but is also OS-agnostic and crypto-library-agnostic: no assumptions about either are required to obtain the TLS keys. We also address the fact that a TLS context has multiple parameters (encryption keys, IVs/nonces, MAC keys), so that a naive search for all of them in the "micro memory dump" would take quadratic or even cubic time. We have developed techniques for each cipher that require only linear time.
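To make the "linear time search of a memory dump" idea concrete, here is an added example that is not the speakers' code and does not reproduce their TLS-specific, per-cipher method. It uses the well-known key-schedule scan (the approach of the cold-boot "aeskeyfind" work): an AES key in use is normally stored in RAM next to its expanded round keys, so each 16-byte window of a dump can be tested in constant time by expanding it one round and comparing with the following 16 bytes, which makes the whole scan a single linear pass. The S-box is computed rather than typed in, the sample dump is constructed here (pseudo-random filler with the FIPS-197 Appendix A key schedule embedded at an arbitrary offset), and `find_aes128_keys`, `EMBED_OFFSET` and `SAMPLE_DUMP` are names chosen for this example.

```python
"""Linear-time scan of a memory dump for AES-128 key schedules.

Illustrative example (not the talk's code): a cipher-specific structural
check lets you locate key material in a memory snapshot in one pass, with
constant work per candidate window.
"""
import random


def _build_sbox():
    """Compute the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3 in GF(2^8)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q                                                    # affine transform
        for r in (1, 2, 3, 4):
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_round_key(rk, rcon):
    """Derive round key i+1 from round key i (FIPS-197 key expansion step)."""
    w = [rk[j:j + 4] for j in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])   # RotWord + SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]                  # xor Rcon
    out = []
    for j in range(4):
        t = bytes(a ^ b for a, b in zip(w[j], t))
        out.append(t)
    return b"".join(out)


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    schedule = [bytes(key)]
    for rcon in RCON:
        schedule.append(_next_round_key(schedule[-1], rcon))
    return b"".join(schedule)


def find_aes128_keys(dump, align=1):
    """Single pass over `dump`; returns [(offset, key), ...].

    Each window is first checked with one round of expansion (constant
    work); only windows passing that filter get the full 176-byte compare.
    """
    hits = []
    for off in range(0, len(dump) - 176 + 1, align):
        cand = dump[off:off + 16]
        if _next_round_key(cand, 0x01) != dump[off + 16:off + 32]:
            continue
        if expand_key(cand) == dump[off:off + 176]:
            hits.append((off, bytes(cand)))
    return hits


# Constructed sample: 4 KiB of pseudo-random filler with the FIPS-197
# Appendix A key schedule embedded at an arbitrary offset, standing in for
# a "micro memory dump" taken from the guest.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
EMBED_OFFSET = 1337
_rng = random.Random(2016)
_filler = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_DUMP = _filler[:EMBED_OFFSET] + expand_key(FIPS_KEY) + _filler[EMBED_OFFSET + 176:]

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_DUMP):
        print(f"AES-128 key schedule at offset {off:#x}: key={key.hex()}")
```

The point to take from this is the shape of the search, not AES itself: because the round keys are a deterministic function of the key, the scan never has to try pairs of windows, so its cost grows linearly with the dump size. Locating a key this way only gives the encryption key; in a real TLS context the IV/nonce and MAC key still have to be tied to it, which is the part the talk's per-cipher techniques address.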

Tags

HITB hitb2016ams Security Privacy
