TLSkex: Harnessing virtual machine introspection for decrypting TLS communication. (29th March 2016)
- Record Type:
- Journal Article
- Title:
- TLSkex: Harnessing virtual machine introspection for decrypting TLS communication. (29th March 2016)
- Main Title:
- TLSkex: Harnessing virtual machine introspection for decrypting TLS communication
- Authors:
- Taubmann, Benjamin
Frädrich, Christoph
Dusold, Dominik
Reiser, Hans P.
- Abstract:
- Nowadays, many applications by default use encryption of network traffic to achieve a higher level of privacy and confidentiality. One of the most frequently applied cryptographic protocols is Transport Layer Security (TLS). However, adversaries also make use of TLS encryption in order to hide attacks or command & control communication. For detecting and analyzing such threats, making the contents of encrypted communication available to security tools becomes essential. The ideal solution for this problem should offer efficient and stealthy decryption without having a negative impact on overall security. This paper presents TLSkex (TLS Key EXtractor), an approach to extract the master key of a TLS connection at runtime from the virtual machine's main memory using virtual machine introspection techniques. Afterwards, the master key is used to decrypt the TLS session. In contrast to other solutions, TLSkex neither manipulates the network connection nor the communicating application. Thus, our approach is applicable for malware analysis and intrusion detection in scenarios where applications cannot be modified. Moreover, TLSkex is also able to decrypt TLS sessions that use perfect forward secrecy key exchange algorithms. In this paper, we define a generic approach for TLS key extraction based on virtual machine introspection, present our TLSkex prototype implementation of this approach, and evaluate the prototype.
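The abstract describes the two halves of the approach without showing the mechanics: a 48-byte TLS master secret is recovered from guest memory, and from it the session keys are derived and the captured records decrypted. The program below is an added example, not code from the paper or its TLSkex prototype, that shows the second half for a TLS 1.2 AES-128-GCM session and a plausible way to validate candidates for the first half: it derives the key block with the TLS 1.2 PRF (RFC 5246), tries to authenticate one captured client record under each 48-byte window of a memory image, and prints the matching window as an NSS key-log line that Wireshark can use. The byte-wise scan and the trial-decryption oracle are this example's own assumptions; how the prototype locates the secret is not described in the abstract (the abstract only says it uses virtual machine introspection). The memory image, the hello randoms and the encrypted record are constructed inside the program (no real capture). Because key expansion needs only the master secret and the two randoms, the same code works for RSA and (EC)DHE handshakes, which is why forward secrecy does not prevent this kind of decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// prf12 is the TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed).
func prf12(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := append([]byte(label), seed...)
	a, out := labelSeed, []byte{} // A(0) = seed
	for len(out) < n {
		h := hmac.New(sha256.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		h = hmac.New(sha256.New, secret)
		h.Write(a)
		h.Write(labelSeed)
		out = append(out, h.Sum(nil)...)
	}
	return out[:n]
}

// keys is the AES_128_GCM key block (RFC 5288): 16-byte write keys, 4-byte implicit nonces, no MAC keys.
type keys struct{ clientKey, serverKey, clientIV, serverIV []byte }

// deriveKeys expands the master secret (RFC 5246 section 6.3; seed = server_random || client_random). Same for RSA and (EC)DHE.
func deriveKeys(master, clientRandom, serverRandom []byte) keys {
	kb := prf12(master, "key expansion", append(append([]byte{}, serverRandom...), clientRandom...), 40)
	return keys{kb[0:16], kb[16:32], kb[32:36], kb[36:40]}
}

// gcm wraps a 16-byte write key in AES-128-GCM; the key length is fixed here, so the error paths cannot trigger.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// aad is the record's additional data: seq_num(8) || type(1) || version(2) || plaintext_length(2).
func aad(seq uint64, typ byte, plainLen int) []byte {
	a := make([]byte, 13)
	binary.BigEndian.PutUint64(a, seq)
	a[8], a[9], a[10] = typ, 0x03, 0x03
	binary.BigEndian.PutUint16(a[11:], uint16(plainLen))
	return a
}

// openRecord decrypts one GenericAEADCipher body, explicit_nonce(8) || ciphertext || tag(16). A wrong key fails the tag check.
func openRecord(key, salt []byte, seq uint64, typ byte, body []byte) ([]byte, error) {
	if len(body) < 24 {
		return nil, fmt.Errorf("record too short: %d bytes", len(body))
	}
	nonce := append(append([]byte{}, salt...), body[:8]...)
	return gcm(key).Open(nil, nonce, body[8:], aad(seq, typ, len(body)-24))
}

// findMasterSecret slides a 48-byte window over a memory image and returns the first candidate (and its offset)
// whose derived client write key authenticates the captured record. Assumption: the scan stands in for VMI-based lookup.
func findMasterSecret(mem, clientRandom, serverRandom []byte, seq uint64, typ byte, record []byte) ([]byte, int, error) {
	for off := 0; off+48 <= len(mem); off++ {
		k := deriveKeys(mem[off:off+48], clientRandom, serverRandom)
		if _, err := openRecord(k.clientKey, k.clientIV, seq, typ, record); err == nil {
			return mem[off : off+48], off, nil
		}
	}
	return nil, -1, fmt.Errorf("no 48-byte window in %d bytes authenticated the record", len(mem))
}

// hashOf yields deterministic filler bytes so the constructed sample below is reproducible.
func hashOf(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

// Constructed sample, not a real capture: master secret, hello randoms, and one client application-data record (type 23, seq 1).
var (
	sampleMaster = append(hashOf("master-secret-1"), hashOf("master-secret-2")[:16]...)
	sampleCRand  = hashOf("client-random")
	sampleSRand  = hashOf("server-random")
	samplePlain  = []byte("GET /beacon?id=42 HTTP/1.1\r\nHost: c2.example\r\n\r\n")
)

func sampleRecord() []byte {
	k, explicit := deriveKeys(sampleMaster, sampleCRand, sampleSRand), hashOf("explicit-nonce")[:8]
	nonce := append(append([]byte{}, k.clientIV...), explicit...)
	return append(explicit, gcm(k.clientKey).Seal(nil, nonce, samplePlain, aad(1, 23, len(samplePlain)))...)
}

func main() {
	mem := make([]byte, 4096) // stand-in guest memory snapshot; the secret is planted at offset 1337
	copy(mem[1337:], sampleMaster)
	master, off, err := findMasterSecret(mem, sampleCRand, sampleSRand, 1, 23, sampleRecord())
	// NSS key-log line: point Wireshark's tls.keylog_file at it and the whole session decrypts.
	fmt.Printf("offset %d, err %v\nCLIENT_RANDOM %x %x\n", off, err, sampleCRand, master)
}
```

Two practical points follow from the code. First, validation needs nothing from the guest beyond a memory read and one captured record: a candidate either passes the GCM tag check or it does not, so no process or connection has to be touched, which is the non-intrusiveness the abstract claims. Second, a byte-wise scan of a multi-gigabyte VM snapshot at a PRF plus an AEAD open per offset is far too slow for runtime use; narrowing the search to the TLS library's session state is exactly the kind of work the paper's introspection approach has to do, and that part is not reproduced here.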
- Is Part Of:
- Digital investigation. Volume 16 (2015), Supplement 1
- Journal:
- Digital investigation
- Issue:
- Volume 16 (2015), Supplement 1
- Issue Display:
- Volume 16, Issue 1 (2015)
- Year:
- 2015
- Volume:
- 16
- Issue:
- 1
- Issue Sort Value:
- 2015-0016-0001-0000
- Page Start:
- S114
- Page End:
- S123
- Publication Date:
- 2016-03-29
- Subjects:
- Virtual machine introspection -- Transport layer security -- Decryption -- Malware analysis -- Virtualization -- Semantic gap
Forensic sciences -- Data processing -- Periodicals
Criminal investigation -- Data processing -- Periodicals
363.250285
- Journal URLs:
- http://www.sciencedirect.com/science/journal/17422876
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.diin.2016.01.014
- Languages:
- English
- ISSNs:
- 1742-2876
- Deposit Type:
- Legal deposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3588.396620
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 7518.xml