DOI: 10.1145/2991079.2991118 (research article, ACSAC conference proceedings)

Trace-free memory data structure forensics via past inference and future speculations

Published: 05 December 2016

ABSTRACT

A vital but still unsolved problem in forensic analysis is accurate reverse engineering of data types in a memory dump when the target process is not specified a priori and could be any of the processes running in the system. We present ReViver, a lightweight system-wide solution that extracts data type information from a memory dump without access to its past execution traces. ReViver reconstructs the dump's data structure layout by collecting statistical information about possible past traces, forensically inspecting the present memory dump, and speculatively investigating potential future executions of the suspended process. First, ReViver analyzes a heavily instrumented set of execution paths of the same executable that end in the same state as the memory dump (the eip and call stack), and collects statistical information about the potential data structure instances in the captured dump. Second, ReViver uses this statistical information to perform a word-by-word data type forensics inspection of the captured memory dump. Finally, ReViver revives the dump's execution and explores its potential future execution paths symbolically. ReViver traces these executions, including library/system calls with their known argument/return data types, and performs backward taint analysis to mark the dump's bytes with the relevant data type information. ReViver's experimental results on real-world applications are very promising (98.1% accuracy), and show that ReViver significantly improves on the accuracy of prior trace-free memory forensics solutions while maintaining a negligible runtime performance overhead (1.8%).

Published in

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
December 2016, 614 pages
ISBN: 9781450347716
DOI: 10.1145/2991079
Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rate: overall 104 of 497 submissions (21%)