DECAF Keylogging Behaviour


Jesse Bartels

Jan 30, 2019, 2:19:31 PM
to decaf-platform-discuss
Greetings folks,

Recently I have been working with the DECAF keylogger example using the Windows XP SP3 image from the sycurelab repo on github. I've gotten the keylogger example built and working with a simple keylogging example (i.e. the process shows up in the logfile when I send a tainted keystroke and the keylogger reads it). I wanted to extend this to see what happens to tainted values (i.e. those from the keystroke) when those values were written to a file and then that file was read by another process. My intuition from the "Make it Work, Make it Right" paper (and whole-system taint analysis in general) is that this other process should also show up in the logfile reported by the keylogger demo. Unfortunately this doesn't seem to be occurring and I was wondering if you folks have any suggestions as to why this would be the case. I turned on pointer tainting for both loads and stores, and I've looked through the DECAF configuration options but nothing immediate stands out to me. I appreciate you taking the time to read this and hope that answering this isn't too much of a hassle. Thanks

Heng Yin

Jan 30, 2019, 2:21:33 PM
to decaf-platf...@googlegroups.com, zhenxiao qi
Hi Zhenxiao,

Can you take a look?

Thanks,
Heng


Zhenxiao Qi

Jan 30, 2019, 3:55:53 PM
to decaf-platform-discuss
Sure, I will.

Zhenxiao Qi

Feb 13, 2019, 4:30:43 PM
to decaf-platform-discuss
Hi Jesse,
As far as I am concerned, it is correct that the process which sent the keystroke should be logged in the logfile, but another process that accesses this tainted file would not be logged in the logfile by the keylogger plugin.
For instance, if you open Notepad and send a keystroke using the keylogger plugin and then close Notepad, the notepad process would be logged and that file would be marked as tainted in the system. Then, if you use a browser to open the tainted file, this would be normal behavior from the point of view of the keylogger plugin, so it won't be logged, but that file is truly tainted in the system. In other words, the keylogger is only monitoring keystroke activity.
Zhenxiao 

Heng Yin

Feb 13, 2019, 4:49:58 PM
to decaf-platf...@googlegroups.com
Zhenxiao, 

I don't think you understand Jesse's question. When a tainted keystroke is sent to Notepad, and then saved into a file, and then another program (say, a browser) reads this file, the browser should appear in the log file, because DECAF performs system-wide tainting.

Jesse, which version of DECAF did you try? There were some bugs in the old versions.

-Heng

Jesse Bartels

Feb 14, 2019, 12:28:00 PM
to decaf-platform-discuss
I used the version from the master branch on github. The keylogger program I have simply prints/writes out the keys typed by the user and the other process reads the file and prints the result. The result from taint_sendkey appears in the resulting file/stdout from the writer process as well as when read by the reader process, but only the writer process gets picked up in the log. As far as I can tell, the reader process is reading the key value after the keylogger has written it out (and while the keylogger detector is running), but is not getting tainted.
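To make the expected behaviour concrete, here is a small shadow-memory model of whole-system taint propagation through a file, added as an illustration for this thread; it is not DECAF code, and the class and process names are assumptions. With taint carried across the file boundary the reader process is logged as well as the writer; with taint dropped at the file boundary the log shows only the writer, which is the symptom described above.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    mem: dict = field(default_factory=dict)  # virtual addr -> (byte, tainted?)

class TaintSystem:
    """Shadow-memory model (assumed, not DECAF's): each byte in process
    memory and in file storage carries a taint bit copied along with it."""

    def __init__(self, drop_taint_at_file: bool):
        # True reproduces the reported symptom: taint is lost at the file boundary.
        self.drop_taint_at_file = drop_taint_at_file
        self.files = {}   # path -> list of (byte, tainted?)
        self.log = []     # analogue of the keylogger demo's logfile

    def _observe(self, proc, addr):
        # A process that takes in a tainted byte is recorded once.
        if proc.mem[addr][1] and proc.name not in self.log:
            self.log.append(proc.name)

    def sendkey(self, proc, addr, key):
        # Analogue of taint_sendkey: the keystroke byte arrives already tainted.
        proc.mem[addr] = (key, True)
        self._observe(proc, addr)

    def write_file(self, proc, path, addrs):
        # Under whole-system tainting the taint bit follows the byte into the file.
        self.files[path] = [
            (proc.mem[a][0], proc.mem[a][1] and not self.drop_taint_at_file)
            for a in addrs]

    def read_file(self, proc, path, base):
        # Reading copies bytes and their taint bits into the reader's memory.
        for i, (b, t) in enumerate(self.files[path]):
            proc.mem[base + i] = (b, t)
            self._observe(proc, base + i)

def run_scenario(drop_taint_at_file: bool) -> list:
    """Keylogger writes the tainted key to a file; a second process reads it."""
    system = TaintSystem(drop_taint_at_file)
    writer, reader = Process("keylogger.exe"), Process("reader.exe")
    system.sendkey(writer, 0x1000, ord("a"))         # constructed keystroke
    system.write_file(writer, "keys.txt", [0x1000])  # constructed file path
    system.read_file(reader, "keys.txt", 0x2000)
    return system.log

if __name__ == "__main__":
    print("expected:", run_scenario(drop_taint_at_file=False))
    print("observed:", run_scenario(drop_taint_at_file=True))
```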