research-article

TLSkex

Authors:

Benjamin Taubmann,

Christoph Frädrich,

Dominik Dusold,

Hans P. ReiserAuthors Info & Claims

Digital Investigation: The International Journal of Digital Forensics & Incident Response, Volume 16, Issue S

Pages S114 - S123

https://doi.org/10.1016/j.diin.2016.01.014

Published: 29 March 2016 Publication History

Abstract

Nowadays, many applications by default use encryption of network traffic to achieve a higher level of privacy and confidentiality. One of the most frequently applied cryptographic protocols is Transport Layer Security (TLS). However, also adversaries make use of TLS encryption in order to hide attacks or command & control communication. For detecting and analyzing such threats, making the contents of encrypted communication available to security tools becomes essential. The ideal solution for this problem should offer efficient and stealthy decryption without having a negative impact on over-all security. This paper presents TLSkex (TLS Key EXtractor), an approach to extract the master key of a TLS connection at runtime from the virtual machine's main memory using virtual machine introspection techniques. Afterwards, the master key is used to decrypt the TLS session. In contrast to other solutions, TLSkex neither manipulates the network connection nor the communicating application. Thus, our approach is applicable for malware analysis and intrusion detection in scenarios where applications cannot be modified. Moreover, TLSkex is also able to decrypt TLS sessions that use perfect forward secrecy key exchange algorithms. In this paper, we define a generic approach for TLS key extraction based on virtual machine introspection, present our TLSkex prototype implementation of this approach, and evaluate the prototype.

References

[1]

S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, DKSM: subverting virtual machine introspection for fun and profit, in: Reliable distributed systems, 2010 29th IEEE symposium, 2010, pp. 82-91.

[2]

D. Balzarotti, M. Cova, C. Karlberger, E. Kirda, C. Kruegel, G. Vigna, Efficient detection of split personalities in malware, in: Proc. of the network and distributed system security symposium, NDSS, 2010.

[3]

Jurriaan Bremer, Transparent MITM with cuckoo sandbox, 2015. http://jbremer.org/mitm/

[4]

M. Butler, Finding hidden threats by decrypting SSL, A SANS analyst whitepaper, SANS Institute, 2013. http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

[5]

B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, W. Lee, Virtuoso: narrowing the semantic gap in virtual machine introspection, in: Proceedings of the 2011 IEEE symposium on security and privacy, SP'11, IEEE Computer Society, Washington, DC, USA, 2011, pp. 297-312.

Digital Library

[6]

T. Garfinkel, M. Rosenblum, A virtual machine introspection based architecture for intrusion detection, in: Proc. network and distributed systems security symposium, 2003, pp. 191-206.

[7]

P.C. Heckel, Use SSLsplit to transparently sniff TLS/SSL connections - Including non-HTTP(S) protocols, 2013. http://blog.philippheckel.com/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/

[8]

J. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, Lest we remember: cold boot attacks on encryption keys, in: Proc. of the 17th USENIX Security Symposium, 2008.

[9]

J. Homan, How to decrypt OpenSSL sessions using wireshark and SSL session identifiers, 2013. http://www.cloudshield.com/blog/advanced-malware/how-to-decrypt-openssl-sessions-using-wireshark-and-ssl-session-identifiers/

[10]

S. Iveson, Using ssldump to decode/decrypt SSL/TLS packets, 2014. http://packetpushers.net/using-ssldump-decode-ssltls-packets/

[11]

B. Jain, M. Baig, D. Zhang, D. Porter, R. Sion, Sok: introspections on trust and the semantic gap, in: Security and privacy (SP), 2014 IEEE symposium, 2014, pp. 605-620.

Digital Library

[12]

T. Klein, All your private keys are belong to us - Extracting RSA private keys and certificates from process memory, 2006. http://www.trapkit.de/research/sslkeyfinder/keyfinder_v1.0_20060205.pdf

[13]

H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keyed-hashing for message authentication, IETF, RFC 2104, (1997).

[14]

KVM, http://www.linux-kvm.org/ (July 30 2015).

[15]

LibVMI, http://libvmi.com/ (July 30 2015).

[16]

C. Maartmann-Moe, S.E. Thorkildsen, A. Årnes, The persistence of memory: forensic identification and extraction of cryptographic keys, Digit Investig, 6 (2009) S132-S140.

Digital Library

[17]

M. Marlinspike, sslsniff, http://www.thoughtcrime.org/software/sslsniff/, accessed 19.08.15 (2002).

[18]

M. Marlinspike, sslstrip, http://www.thoughtcrime.org/software/sslstrip/, accessed 19.08.15 (2009).

[19]

J. Pfoh, C. Schneider, C. Eckert, Nitro: hardware-based system call tracing for virtual machines, in: Advances in information and computer security, Vol. 7038 of lecture notes in computer science, Springer, 2011, pp. 96-112.

[20]

J.W. Pric, Significant SSL performance loss leaves much room for improvement, 2013. https://www.nsslabs.com/reports/ssl-performance-problems

[21]

T. Raffetseder, C. Kruegel, E. Kirda, Detecting system emulators, in: Information security, Vol. 4779 of LNCS, Springer, 2007, pp. 1-18.

[22]

Rekall, Memory forensics analysis framework, http://www.rekall-forensic.com (January 15 2015).

[23]

J. Salowey, H. Zhou, P. Eronen, H. Tschofenig, Transport Layer Security (TLS) Session Resumption Without Server-Side State, IETF, RFC 5077, (2008).

[24]

A. Schuster, Searching for processes and threads in microsoft windows memory dumps, Digit Investig, 3 (2006) 10-16. http://dx.doi.org/10.1016/j.diin.2006.06.010

Digital Library

[25]

A. Shamir, N.V. Someren, Playing "hide and seek" with stored keys, in: Proc. of the 3rd Int. conf. on financial cryptography, FC'99, Springer-Verlag, London, UK, UK, 1999, pp. 118-124.

[26]

B. Taubmann, D. Dusold, C. Frädrich, H.P. Reiser, Analysing malware attacks in the cloud: a use case for the tlsinspector toolkit, in: 2nd Workshop on security in highly connected IT systems (SHCIS), 2015.

[27]

Tcpdump contributors, TCPDUMP/LIBPCAP public repository, http://www.tcpdump.org/, accessed 19.08.15.

[28]

Volatility Foundation, Volatility command reference, https://github.com/volatilityfoundation/volatility/wiki/Command-Reference accessed 19.08.15.

[29]

Wireshark contributors, Wireshark wiki about secure socket layer (SSL), 2015. https://wiki.wireshark.org/SSL

[30]

Xen, http://www.xenproject.org (July 30 2015).

[31]

Xu Guanglin, Klemperer Peter, Hoe James, Improving LibVMI introspection performance with shared memory snapshots, 2013.

[32]

T. Ylonen, C. Lonvick, The secure shell (SSH) transport layer protocol, IETF, RFC 4253, (2006).

Cited By

Moriconi FLevillain OFrancillon ATroncy RQuek TGao DZhou JCardenas A(2024)X-Ray-TLS: Transparent Decryption of TLS Sessions by Extracting Session Keys from MemoryProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637654(35-48)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637654
Zhang JGao CGong LGu ZMan DYang WLi W(2020)Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at HypervisorMobile Networks and Applications10.1007/s11036-019-01503-426:4(1668-1685)Online publication date: 8-Jan-2020
https://dl.acm.org/doi/10.1007/s11036-019-01503-4
Pan JZhuang YSun BNepal S(2019)Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous ProgramsSecurity and Communication Networks10.1155/2019/84670812019Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1155/2019/8467081
Show More Cited By

TLSkex

Recommendations

RapidVMI: Fast and multi-core aware active virtual machine introspection
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Virtual machine introspection (VMI) is a technique for the external monitoring of virtual machines. Through previous work, it became apparent that VMI can contribute to the security of distributed systems and cloud architectures by facilitating stealthy ...
Assessment of Virtualization as a Sensor Technique
SADFE '10: Proceedings of the 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering

The explosive growth of malware development and the increasing sophistication of malware behavior require thatsecurity researchers be on the lookout for new vectors of attacks. Drive-by-downloads are among the types of attacks that are onthe rise. To ...
Virtual Machine Introspection: Techniques and Applications
ARES '15: Proceedings of the 2015 10th International Conference on Availability, Reliability and Security

Virtual Machine Introspection (VMI) is a technique that enables monitoring virtual machines at the hypervisor layer. This monitoring concept has gained recently a considerable focus in computer security research due to its complete but semantic less ...

Comments

Information & Contributors

Information

Published In

cover image Digital Investigation: The International Journal of Digital Forensics & Incident Response

Digital Investigation: The International Journal of Digital Forensics & Incident Response Volume 16, Issue S

March 2016

135 pages

ISSN:1742-2876

Issue’s Table of Contents

Copyright © The Authors.

Publisher

Elsevier Science Publishers B. V.

Netherlands

Publication History

Published: 29 March 2016

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Moriconi FLevillain OFrancillon ATroncy RQuek TGao DZhou JCardenas A(2024)X-Ray-TLS: Transparent Decryption of TLS Sessions by Extracting Session Keys from MemoryProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637654(35-48)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637654
Zhang JGao CGong LGu ZMan DYang WLi W(2020)Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at HypervisorMobile Networks and Applications10.1007/s11036-019-01503-426:4(1668-1685)Online publication date: 8-Jan-2020
https://dl.acm.org/doi/10.1007/s11036-019-01503-4
Pan JZhuang YSun BNepal S(2019)Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous ProgramsSecurity and Communication Networks10.1155/2019/84670812019Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1155/2019/8467081
Pan JZhuang Y(2017)PMCAPSecurity and Communication Networks10.1155/2017/46215872017Online publication date: 22-May-2017
https://dl.acm.org/doi/10.1155/2017/4621587
Miura RTakano YMiwa SInoue TThang HHu ZBui MSikdar BIDE IBinh HEngchuan WSang DOanh N(2017)GINTATEProceedings of the 8th International Symposium on Information and Communication Technology10.1145/3155133.3155152(234-241)Online publication date: 7-Dec-2017
https://dl.acm.org/doi/10.1145/3155133.3155152
Sentanoe STaubmann BReiser H(2017)Virtual Machine Introspection Based SSH HoneypotProceedings of the 4th Workshop on Security in Highly Connected IT Systems10.1145/3099012.3099016(13-18)Online publication date: 19-Jun-2017
https://dl.acm.org/doi/10.1145/3099012.3099016

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents