Table 3 - uploaded by Nezer Jacob Zaidenberg
Memory Regions' Sizes.

Source publication
Conference Paper
Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains...

Context in source publication

Context 1
... size of the queue is mainly dictated by the number of delay-sensitive pages. Table 3 delay-sensitive pages because regular pages can be modified by the operating system before the content of the queue is exported. Our empirical study shows that it is sufficient to enlarge the queue by 60MB. ...

Citations

... Such snapshots are often referred to as instantaneous snapshots. Methods to create instantaneous snapshots either have strong assumptions, e.g., assume that the analyzed system runs as a virtual machine (Martignoni, Fattori, Paleari and Cavallaro, 2010;Yu, Qi, Lin, Zhong, Li and Guan, 2012;Kiperberg, Leon, Resh, Algawi and Zaidenberg, 2019), or are cumbersome to execute, like cold boot attacks (Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum and Felten, 2009;Bauer, Gruhn and Freiling, 2016). Therefore, in many practical situations memory acquisition is necessarily performed live and the resulting snapshots are not instantaneous. ...
Preprint
Memory dumps that are acquired while the system is running often contain inconsistencies like page smearing which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method allowing us to measure quasi-instantaneous consistency and show both, theoretically, and practically, that our method is valid but that in reality, dumps can be but usually are not quasi-instantaneously consistent. For the assessment, we run a pivot program enabling the evaluation of quasi-instantaneous consistency for its heap and allowing us to pinpoint where exactly inconsistencies occurred.
... ForenVisor [31], HyperSleuth [32] are two hypervisors that are capable of performing precise memory acquisition. Kiperberg et al. [33] described an adaptation of these ideas to modern operating systems. ...
Article
We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious modifications. H-KPP can protect modern kernels equipped with BPF facilities and loadable kernel modules. H-KPP does not require modifying or recompiling the kernel. Unlike many other systems, H-KPP is based on a thin hypervisor and includes a novel SLAT switching mechanism, which allows H-KPP to achieve very low (≈ 6%) performance overhead compared to baseline Linux.
... Then the page can be copied and the write permission for the page can be turned on again. Over the last years the technical means to implement the technique changed, as can be seen in the works of Martignoni, Fattori, Paleari and Cavallaro (2010); Yu, Qi, Lin, Zhong, Li and Guan (2012) and Kiperberg, Leon, Resh, Algawi and Zaidenberg (2019). As it cannot always be expected that a system is already virtualized, methods for the "on the fly" virtualization of a system have ...
Figure 10: Each memory region has an assigned vector clock and an index for the local counter.
Conference Paper
The acquisition of data from main memory or from hard disk storage is usually one of the first steps in a forensic investigation. We revisit the discussion on quality criteria for "forensically sound" acquisition of such storage and propose a new way to capture the intent to acquire an instantaneous snapshot from a single target system. The idea of our definition is to allow a certain flexibility into when individual portions of memory are acquired, but at the same time require being consistent with causality (i.e., cause/effect relations). Our concept is much stronger than the original notion of atomicity defined by Vömel and Freiling (2012) but still attainable using copy-on-write mechanisms. As a minor result, we also fix a conceptual problem within the original definition of integrity.
... Another approach to dynamic analysis is the phases approach. On the first (online) step, the entire memory of the inspected system is grabbed [35]. Then, the memory is examined using volatility [36] or AI-based tools to detect anomalies in memory [37]. ...
Article
This paper presents an improvement of control flow attestation (C-FLAT) for Linux. C-FLAT is a control attestation system for embedded devices. It was implemented as a software executing in ARM’s TrustZone on bare-metal devices. We extend the design and implementation of C-FLAT through the use of a type 2 Nanovisor in the Linux operating system. We call our improved system “C-FLAT Linux”. Compared to the original C-FLAT, C-FLAT Linux reduces processing overheads and is able to detect the SlowLoris attack. We describe the architecture of C-FLAT Linux and provide extensive measurements of its performance in benchmarks and real-world scenarios. In addition, we demonstrate the detection of the SlowLoris attack on the Apache web server.
... However, since investigators are primarily confronted with already infected systems running on bare metal, conventional hypervisor technologies like KVM [85] or Xen [25] cannot virtualize such targets during runtime but must initially boot them inside the VM. This led analysts to use on-the-fly virtualization, initially introduced for offensive purposes [200,243], which installs a hypervisor through a kernel extension and migrates the running system into a hardware-accelerated VM for further analysis [148,238,184,122]. Although on-the-fly virtualization greatly improves the analysis of a system, it falls short in several categories. ...
... • We present a sound approach of snapshotting the target's memory, using an adapted version of the known dump-on-write method [122,148,238]. ...
... While a sound analysis method must inherently be correct and atomic, the target impact can be seen as the equivalent of integrity. Various approaches emphasized the benefits of acquiring volatile memory through on-the-fly virtualization [122,148,238]. Most rely on a dump-on-write mechanism, which provides high degrees of atomicity and correctness for the acquired image. ...
Thesis
This thesis investigates novel anti-forensic techniques for hiding malicious activity and proposes counter strategies for conducting robust digital analysis through virtualization technology. We begin by surveying the current landscape of memory acquisition, a technique extensively used during forensic investigations. In order to evade analysis, malware nowadays incorporates sophisticated anti-forensics, which hinder the analysis process. We present advances in anti-forensics by introducing new methods for hiding memory from analysis tools to expand existing knowledge. The final part demonstrates analysis techniques that provide resilience against anti-forensics. First, we define a universal taxonomy of different methods for acquiring a system’s memory, many of which have proven to be vital against modern malware threats. Then, based on this taxonomy, we comprehensively survey the field of modern memory acquisition, abstracting from both Operating Systems (OSs) and specific hardware architectures. Finally, we unveil the limitations of today’s acquisition techniques and conclude that most approaches are prone to anti-forensics, enabling malware to subvert the analysis process and escape the investigation. In the second part, we introduce new approaches that hide memory from forensic applications, preventing analysts from accessing the content of specific regions. On the one hand, we manipulate the memory management subsystem of different OSs to alter the memory view of live forensic tools. In addition, we demonstrate different strategies to detect these subversion techniques, providing a possibility to improve respective tools. With Styx, on the other hand, we present a powerful rootkit technique that leverages hardware-based virtualization to counter even robust acquisition methods. Styx subverts the highly privileged hypervisor layer to take complete control over a system without introducing detectable modifications. 
Furthermore, to prevent acquisition software from noticing the rootkit’s memory footprint, Styx locates in particular memory regions reserved for device mappings. As these regions are not always entirely consumed by devices, the resulting offcuts serve our rootkit as a perfect hiding spot. Furthermore, by simulating invalid address ranges which are not accessible to a processor, Styx deceives forensic tools with a tampered view on these leftovers. Finally, we demonstrate the design of anti-forensic resilient systems which enable a forensically robust analysis through virtualization. We first present SEVGuard which protects (forensic) applications from malicious threats operating at the highest privilege levels. Based on virtualization and encryption features of modern processor architectures, SEVGuard provides a secure execution environment that enforces confidentiality and integrity of existing applications by encrypting their memory and processor state. Instead of protecting an application, StealthProbes hides the analysis component from the examined target, giving analysts the chance to inspect its functionality without risking the sample to notice the investigation. Our system stealthily instruments an application’s memory and hides these modifications, leveraging the latest virtualization features and exploiting cache incoherencies that arise from memory address translations. Furthermore, StealthProbes integrates a transparent function-level tracer for enabling deep insight into an application’s runtime behavior. As a result, even programs that thwart the analysis by enforcing code integrity are stealthily dissectable. For achieving a forensically sound investigation, the actual deployment or execution of a forensic method must not alter the state of an analyzed system. 
With HyperLeech, we present a minimally invasive approach which uses Direct Memory Access (DMA) to stealthily deploy a forensic hypervisor through external Peripheral Component Interconnect Express (PCIe) hardware. The hypervisor transparently virtualizes the running target system, serving analysts as a stealthy and privileged execution layer for all kinds of forensic tasks. Without causing a notable impact on the target’s state, HyperLeech enables forensic methods to execute without the risk of destroying evidence or alerting malware.
... It provides VM based snapshots and has an integrated volatility plugin. It was also suggested to use Lguest [27] or Xen [6] for detection of kernel bugs [14], profiling [18], Hypertracing [7], security issues [31], and access the guest's memory through a thin hypervisor for remote attestation as suggested by Kiperberg et al. [15]. Forenvisor [25] uses the hypervisor to grab and store forensics data on the cloud for later inspection. ...
... Forenvisor [25] uses the hypervisor to grab and store forensics data on the cloud for later inspection. Kiperberg et al. [15] provided a system for atomic memory acquisition and guaranteed atomic access. Andrew et al. [9] discuss page swapping and demand paging as another obstacle to complete the acquisition of memory. ...
Article
Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor-based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the incoherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.
... These factors emphasize the need for a project such as ours. Another way to detect zombies is by using an introspection solution, such as libvmi (Payne, 2012) or NSX (Pettit et al., 2018), or software inside the VM (Kiperberg et al., 2019). The memory can later be analyzed using tools such as rekall (Block and Dewald, 2017) or volatility [25]. ...
Conference Paper
Virtual servers are important in many data-centers. Multiple guest virtual machines are consolidated on several hosts on-site or on the cloud, and serve the organization's computational needs. However, virtual machines not cleared from the system, known as zombie machines, waste resources and pose a security risk. We present a novel tool to optimize resource use by tracking down zombie machines: HERO (Host Environment Resource Optimization). HERO leverages multiple testing approaches and machine learning to assist system administrators in locating "zombie" machines.
... Therefore, preventive measures must be taken to avoid inconsistencies in the acquired memory image. We present a software hypervisor-based tool for consistent memory acquisition [22]. The hypervisor can also be used to create tripwires to detect malicious software. ...
... We solved the problems mentioned above in [22] in the following method. Our hypervisor invokes an operating system's mechanism to perform an atomic access rights configuration on all the processors. ...
... Furthermore, the malware can detect our memory acquisition hypervisor, proposed in [22]. Modern operating systems such as Windows and OSX are using hypervisors as part of the system; however, the malware may also detect the hypervisor, suspect an inspection [51] and alter its behaviour. ...
Chapter
Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions range from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor-based memory acquisition tool [22]. Our method supports ASLR and modern operating systems, which is an innovation compared to past methods [27, 36]. We extend the hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.
... We will present an innovative technique to run C-FLAT in Linux with our new RPC. Kiperberg et al. [44] present a hypervisor-assisted atomic memory acquisition for the x86 architecture, and we intend to present a port for hypervisor memory acquisition tool in ARM through the use of a microvisor. The offline scheduler [45] is a technique to execute programs in an unplugged processor in Linux. ...
Article
With the advent of the mobile industry, we face new security challenges. ARM architecture is deployed in most mobile phones, homeland security, IoT, autonomous cars and other industries, providing a hypervisor API (via virtualization extension technology). To research the applicability of this virtualization technology for security in this platform is an interesting endeavor. The hypervisor API is an addition available for some ARMv7-a and is available with any ARMv8-a processor. Some ARM platforms also offer TrustZone, which is a separate exception level designed for trusted computing. However, TrustZone may not be available to engineers as some vendors lock it. We present a method of applying a thin hypervisor technology as a generic security solution for the most common operating system on the ARM architecture. Furthermore, we discuss implementation alternatives and differences, especially in comparison with the Intel architecture and hypervisor with TrustZone approaches. We provide performance benchmarks for using hypervisors for reverse engineering protection.
... (Khen et al. 2011, Khen et al. 2013). They can even be used in order to detect security weaknesses on a target system. Later Kiperberg (Kiperberg 2019) has shown that the hypervisor can inspect the entire guest memory. It follows that such a tool can be used in ensuring the endpoint security. ...
Conference Paper
Microsoft Windows is a family of client and server operating systems that needs no introduction. The Microsoft Windows operating system family has a feature to handle exceptions by storing in the stack the address of an exception handler. This feature of the Microsoft Windows operating system family is called SEH (Structured Exception Handlers). When using SEH the exception handler address is specifically located on the stack like the function return address. When an exception occurs the address acts as a trampoline and the EIP jumps to the SEH address. By overwriting the stack one can create a unique type of return oriented programming (ROP) exploit that forces the instruction pointer to jump to a random memory address. This memory address may contain random malicious code. Multiple Microsoft Windows applications are particularly vulnerable to this type of exploit. Attacks on Microsoft Windows applications that exploit these mechanisms are found in many common Windows applications (including Microsoft Office, Adobe Acrobat, Flash and other popular software). These attacks are well documented in the CVE database in numerous exploits. We previously described how hypervisors can be used to whitelist an endpoint and provide application control for workstations and servers and protect against malware and viruses that may run on the endpoint computer. In this work we extend the protection mechanism for endpoints and servers that uses the hypervisor to whitelist the machine. The hypervisor detects permission elevation from user space to kernel space (system call invocation) and detects anomalies in the software execution. The hypervisor-based mechanism allows for detection and prevention of SEH return oriented exploit execution. Our hypervisor-based SEH-exploit prevention mechanism was tested on multiple well documented CVE vulnerabilities.
Our hypervisor was found to prevent a large collection of different types of SEH exploits in multiple applications and multiple flavours and versions of Windows OS in both 32 and 64 bit environments.