DroidKex: Fast extraction of ephemeral TLS keys from the memory of Android apps

Taubmann, Benjamin; Alabduljaleel, Omar; Reiser, Hans P.

doi:10.1016/j.diin.2018.04.013

Cited by 13 publications

(12 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Saltaformaggio et al [15][16][17] and Taubmann et al [21] also developed tools which are after ephemeral data in memory, to reconstruct flows within an app's runtime which can be critical in a forensic investigation. They do so by reconstructing critical data structures from memory dumps.…”

Section: Related Workmentioning

confidence: 99%

“…Rather than within a general concept, their ephemeral data is very specific (GUI elements for screen flows and TLS private keys respectively). DroidKex [21] acquires memory dumps upon send and receive functionality of an app, an indicator that TLS connections are being established, similar to JIT-MF's concept of trigger points.…”

Section: Related Workmentioning

confidence: 99%

“…Evidence collected from volatile memory becomes essential. While forensics tools that operate similarly have shown promise within very narrow domains, one cannot underestimate the significant challenge of dealing with short-lived evidence [15,21,22].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation

et al. 2021

View full text Add to dashboard Cite

Attackers regularly target Android phones and come up with new ways to bypass detection mechanisms to achieve long-term stealth on a victim’s phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks.In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumps should be taken during benign app execution.The effectiveness and cost of trigger point selection, a cornerstone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware. Our study identifies that JIT-MF is successful in dumping critical data objects on time, providing evidence that eludes all other forensic sources. Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection and the resulting effectiveness and storage costs. Several optimisation measures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Taubmann et al [14] utilizes a combination of both approaches outlined previously to identify TLS session keys in memory dumps of Android OS applications.…”

Section: Related Workmentioning

confidence: 99%

Extracting Cryptographic Keys from .NET Applications

Brearty

Farrelly

Curran

2021

semicond. sci. and inf. n.a.

View full text Add to dashboard Cite

In the absence of specialized encryption hardware,cryptographic operations must be performed in main memory.As such,it is common place for cyber criminals to examine the content of main memory with a view to retrieving high-value data in plaintext form and/or the associated decryption key.In this paper,the author presents a number of simple methods for identifying and extracting cryptographic keys from memory dumps of software applications that utilize the Microsoft .NET Framework,as well as sourcecode level countermeasures to protect against same.Given the EXE file of an application and a basic knowledge of the cryptographic libraries utilized in the .NET Framework,the author shows how to create a memory dump of a running application and how to extract cryptographic keys from same using WinDBG - without any prior knowledge of the cryptographic key utilized.Whilst the proof-of-concept application utilized as part of this paper uses an implementation of the DES cipher,it should be noted that the steps shown can be utilized against all three generations of symmetric and asymmetric ciphers supported within the .NET Framework.

show abstract

“…While there exist ways to get a peek [7]- [9], the inherent deficiency lies in assuming that keys are visible in memory at acquisition time. Until now, attempts to narrow on the timeliness [10], [11] or locating (or reduce the search space of) key material once the memory is obtained [7], [8], [12]- [14] have been inherently cryptosystem-or software-dependent.…”

Section: Introductionmentioning

confidence: 99%