Jul 25, 2019

Decrypting live SSH traffic in virtual environments

arXiv:1907.10835v1
31 citations
Originality: Incremental advance
AI Analysis

This addresses crime detection and prevention by enabling interception of data exfiltration in virtual environments, though it is incremental as it applies existing memory analysis techniques to SSH.

The paper tackles the problem of decrypting encrypted malicious communications by developing the MemDecrypt framework, which discovers cryptographic artifacts in memory to rapidly decrypt live SSH traffic, including credentials and file contents.

Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used for secure remote server management, file transfer, and tunnelling inter alia, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live SSH malicious communications including the detection and interception of data exfiltration of confidential data.
