Decrypting live SSH traffic in virtual environments
Pith reviewed 2026-05-24 16:34 UTC · model grok-4.3
The pith
Memory access in virtual machines recovers AES keys to decrypt live SSH traffic including file contents.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. Applied to Secure Shell in virtual machines, the method yields AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents, thus allowing quick decryption of live SSH malicious communications and detection of data exfiltration.
What carries the argument
Memory scanning of SSH processes in virtual machines to extract live AES session keys for decryption.
Load-bearing premise
The assumption that SSH process memory in a virtual machine remains accessible and contains the live AES session keys in recoverable form without additional protections or obfuscation.
What would settle it
Running an SSH session in a virtual machine with memory protection mechanisms or key obfuscation that prevents extraction of usable AES keys from memory would falsify the claim if decryption fails.
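The load-bearing premise and the falsifying test above can be reproduced on a constructed buffer. This added Python example is not MemDecrypt's code, and the page does not say how MemDecrypt locates keys; it assumes a key-schedule consistency check and a contiguous AES-128 schedule stored in FIPS-197 byte order, and every function name in it is hypothetical.

```python
# Added illustration; not MemDecrypt code. The key-schedule check is an assumed heuristic.
import struct

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Derive the AES S-box from its GF(2^8) definition (avoids a 256-entry literal)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p := p * 3
        for shift in (1, 2, 4):                                 # q := q / 3
            q ^= (q << shift) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no multiplicative inverse
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte (11 round keys) schedule."""
    w, rcon = list(struct.unpack(">4I", key)), 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF                                  # RotWord
            t = int.from_bytes(bytes(SBOX[b] for b in t.to_bytes(4, "big")), "big")  # SubWord
            t ^= rcon << 24
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append(w[i - 4] ^ t)
    return struct.pack(">44I", *w)

def find_aes128_schedules(mem):
    """Offsets where 176 consecutive bytes form a self-consistent AES-128 schedule."""
    return [off for off in range(len(mem) - 175)
            if expand_key_128(bytes(mem[off:off + 16])) == bytes(mem[off:off + 176])]

def demo():
    # Constructed stand-in for process memory; key is the FIPS-197 Appendix A.1 test key.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    mem = bytearray(b"SSH-2.0-example banner and heap filler " * 40)
    off = 512
    mem[off:off + 176] = expand_key_128(key)   # cipher context left resident in memory
    before = find_aes128_schedules(mem)        # premise holds: schedule is locatable
    mem[off:off + 176] = bytes(176)            # zeroise the context at session end
    after = find_aes128_schedules(mem)         # premise broken: nothing to recover
    return before, after

if __name__ == "__main__":
    print(demo())
```

The consistency test needs all 160 derived bytes to match, so the ASCII filler produces no candidates. Once the region is zeroised the scan returns nothing, which is the outcome the falsifying test describes.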
Original abstract
Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used for secure remote server management, file transfer, and tunnelling inter alia, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live SSH malicious communications including the detection and interception of data exfiltration of confidential data.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces the MemDecrypt framework, which leverages virtual machine introspection (VMI) to scan guest memory for cryptographic artifacts (primarily AES session keys) used by SSH processes. Through experiments on live secure file transfers (e.g., scp), the authors report successful extraction of keys enabling decryption of remote user credentials, transmitted filenames, and file contents in virtualized environments.
Significance. If the extraction technique proves robust, the result would highlight a concrete memory-resident attack surface against SSH in VMs, with direct relevance to forensic analysis and virtualized security monitoring. The experimental demonstration of end-to-end decryption of live traffic is a concrete strength; however, the work does not include machine-checked proofs, open code, or parameter-free derivations.
major comments (2)
- [Experiments] Experiments section (exact subsection unspecified in abstract but central to claim): the manuscript reports that MemDecrypt 'rapidly yield[s] AES-encrypted details' but supplies no quantitative metrics—success rate across trials, extraction latency, false-positive rate for key candidates, or number of distinct SSH versions/configurations tested. This absence prevents verification that the central claim is supported by reproducible data rather than a single successful run.
- [Methodology] Methodology / threat model (load-bearing for generalizability): the extraction relies on AES keys and state remaining in plaintext, contiguous, and locatable within guest memory. No evaluation is described against modern OpenSSH mitigations (key zeroing after use, ASLR, or memory-protection mechanisms), leaving open whether the result holds only for the authors' test binaries or generalizes to production deployments.
minor comments (2)
- [Abstract] Abstract and introduction use the phrase 'AES-encrypted details' when the intended meaning is 'details decrypted via recovered AES keys'; this phrasing should be clarified for precision.
- No mention of ethical considerations or responsible disclosure for the demonstrated attack technique on live SSH sessions.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback highlighting the need for stronger quantitative evidence and discussion of generalizability. We address each major comment below.
- Referee: [Experiments] Experiments section (exact subsection unspecified in abstract but central to claim): the manuscript reports that MemDecrypt 'rapidly yield[s] AES-encrypted details' but supplies no quantitative metrics—success rate across trials, extraction latency, false-positive rate for key candidates, or number of distinct SSH versions/configurations tested. This absence prevents verification that the central claim is supported by reproducible data rather than a single successful run.
  Authors: We agree that the current presentation lacks sufficient quantitative detail. In the revised manuscript we will add a dedicated evaluation subsection reporting success rates over repeated trials, measured extraction latencies, false-positive rates for key candidate identification, and results across multiple OpenSSH versions and configurations.
  Revision: yes
- Referee: [Methodology] Methodology / threat model (load-bearing for generalizability): the extraction relies on AES keys and state remaining in plaintext, contiguous, and locatable within guest memory. No evaluation is described against modern OpenSSH mitigations (key zeroing after use, ASLR, or memory-protection mechanisms), leaving open whether the result holds only for the authors' test binaries or generalizes to production deployments.
  Authors: The paper's threat model explicitly assumes VMI access to guest memory in which keys remain resident; the experiments demonstrate the attack surface under that assumption. We will expand the threat-model and limitations sections to discuss key zeroing, ASLR, and memory protections, clarifying that the technique applies when keys are not zeroed or when mitigations are absent or bypassed. A full empirical evaluation against all current mitigations is beyond the scope of the present work and will be noted as future work.
  Revision: partial
Circularity Check
No circularity; experimental demonstration without derivations or fitted predictions
The paper presents MemDecrypt as an experimental framework for locating and extracting AES keys from VM guest memory during live SSH sessions. No equations, parameter fitting, predictions, or uniqueness theorems are described. Central claims rest on empirical extraction success in tested setups rather than any derivation chain that reduces to inputs by construction. Self-citations, if present, are not load-bearing for the reported results.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: SSH processes keep AES session keys in plaintext in memory while the connection is active.