Introducing Masche: memory scanning for server security

winterOfSecurity_logo_dark_vertical2Mozilla operates thousands of servers to build products and run services for our users. Keeping these servers secure is the primary concern of the Operations Security team, and the reason why we have built Mozilla InvestiGator (MIG), a cross-platform endpoint security system.

MIG can inspect the file system and network information of thousands of hosts in parallel, which greatly helps increase visibility across the infrastructure. But until recently, it lacked the ability to look into the memory of running processes, a need that often arises during security investigations.

This is where Mozilla Winter of Security team Masche comes into play. Over the last 6 months, students Marco Vanotti, Patricio Palladino, Nahuel Lascano and Agustin Martinez Suñé from University of Buenos Aires, Argentina, have designed and built a memory forensics library that runs on Linux, Mac OS and Windows.

Masche provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system. Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast.

The source code of Masche is completely open source under the Mozilla Public License, version 2.0, and can be found on github at https://github.com/mozilla/masche.

The effort needed to implement a complex scanning solution across three operating systems, and complete this work in just a few months, was no easy feat. In the recording below, Marco, Patricio, Nahuel and Agustin present their work, the challenges they had to overcome, and the necessity to mix Go and C to access the lowest parts of the system.

We are now integrating Masche as a module for MIG with the goal to deploy it across our infrastructure. As we use it more for live memory forensics, we will continue to improve its scanning capabilities and contribute the results back to the community.