Memory forensics analysis of Cisco IOS XR 32-bit routers with 'Amnesic-Sherpa'
2019-10-22, 17:00–17:20, Europe

Nowadays attackers target not only computers but also core network equipment such as routers, using memory-only attacks that are difficult to detect because the firmware image is not modified. To determine whether a router was compromised by a memory-only attack, we need to be able to perform forensic analysis on it, and that requires specialized tools. This presentation is about Cisco IOS XR router forensics. We explain the internals of a 32-bit Cisco IOS XR router running on the QNX operating system. Since no tool currently exists to analyze Cisco IOS XR routers, we developed a router forensics framework called 'Amnesic-Sherpa', aimed at analyzing memory dumps, which can be used to determine whether a router was compromised. This framework will be released as open source.

This presentation is divided into the following parts:

The first part gives the necessary background: the context and the wide variety of operating systems running on routers. We also describe the architecture of QNX, the microkernel-based OS running on 32-bit IOS XR, and how it works: the startup process, how the firmware is packed, the file systems in the firmware images, and the QNX-specific inter-process communication mechanism.

Then we explain how we developed a dedicated memory acquisition tool and an analysis framework called 'Amnesic-Sherpa' for analyzing these routers.

The tool first looks for all the interesting structures and information that may be present in an IOS XR memory dump, then tries to re-create the memory structures present in the different parts of the microkernel's memory at the moment of the dump, and extracts all available information. The tool then lets the user inspect these structures to find traces of compromise or anomalies.

In the last part, we verify the detection capabilities of our framework by manually modifying processes to simulate a memory attack. We then demonstrate how to use 'Amnesic-Sherpa' (and third-party tools) to detect this attack and how the detection process could be automated.
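A minimal illustration of the detection step described above, added here and not part of the talk or of Amnesic-Sherpa: a code region of a process as captured in a memory dump is compared page by page against the same region taken from the pristine firmware image, since a memory-only implant changes the dump but leaves the on-disk image intact. The page size, load address, byte pattern and the 4-byte patch are all constructed for this example; the real IOS XR/QNX memory layout and the way the framework locates process memory are not shown here.

```python
"""Page-granular comparison of a dumped code region against the pristine
firmware image: the core check for a memory-only modification.

All data below is constructed for the example. The layout is generic and is
NOT the real IOS XR / QNX memory layout or Amnesic-Sherpa's parser.
"""
import hashlib
from dataclasses import dataclass

PAGE = 0x1000            # assumed page size
CODE_BASE = 0x00100000   # assumed load address of the code region


@dataclass(frozen=True)
class Patch:
    """One contiguous run of bytes that differs between image and dump."""
    address: int
    reference: bytes
    dumped: bytes


def page_digests(data: bytes, page: int = PAGE) -> list:
    """SHA-256 of every page-sized chunk (the last chunk may be short)."""
    return [hashlib.sha256(data[i:i + page]).hexdigest()
            for i in range(0, len(data), page)]


def modified_pages(reference: bytes, dumped: bytes, base: int,
                   page: int = PAGE) -> list:
    """Addresses of pages whose in-memory content differs from the reference.

    Read-only code is expected to be byte-identical to the firmware image,
    so every hit is an anomaly worth inspecting.
    """
    if len(reference) != len(dumped):
        raise ValueError("region length mismatch: %d vs %d"
                         % (len(reference), len(dumped)))
    ref_h = page_digests(reference, page)
    dump_h = page_digests(dumped, page)
    return [base + i * page
            for i, (r, d) in enumerate(zip(ref_h, dump_h)) if r != d]


def diff_runs(reference: bytes, dumped: bytes, base: int) -> list:
    """Collapse differing bytes into contiguous runs with their address."""
    runs = []
    i, n = 0, len(reference)
    while i < n:
        if reference[i] == dumped[i]:
            i += 1
            continue
        j = i
        while j < n and reference[j] != dumped[j]:
            j += 1
        runs.append(Patch(base + i, reference[i:j], dumped[i:j]))
        i = j
    return runs


def build_sample():
    """Constructed reference text segment and a dump of it with one in-place
    patch, standing in for a process whose code was modified in memory only."""
    reference = bytes(((i * 7 + 3) & 0xFF) for i in range(4 * PAGE))
    dumped = bytearray(reference)
    off = 2 * PAGE + 0x40
    dumped[off:off + 4] = bytes.fromhex("60000000")  # 4-byte patch (a PowerPC nop)
    return reference, bytes(dumped)


def main():
    ref, dump = build_sample()
    for addr in modified_pages(ref, dump, CODE_BASE):
        print("page differs at 0x%08x" % addr)
    for run in diff_runs(ref, dump, CODE_BASE):
        print("0x%08x: image %s -> memory %s"
              % (run.address, run.reference.hex(), run.dumped.hex()))


if __name__ == "__main__":
    main()
```

The page-digest pass is cheap and narrows the search to a few pages; the byte-run pass then gives exact addresses to hand to a disassembler. On a real dump the reference bytes come from the code unpacked out of the firmware file system, and relocated pointers or tables the loader legitimately patches at runtime have to be masked out before comparing, otherwise every process reports differences.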
