JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE)  2018, Vol. 52 Issue (2): 387-397    DOI: 10.3785/j.issn.1008-973X.2018.02.022
Computer Technology     
Honeypot-like real-time memory forensics based on virtual machine monitor
ZHAO Yu-tao1,2, LI Qing-bao1, ZHANG Gui-min1, CHENG San-jun3
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, PLA Information Engineering University, Zhengzhou 450001, China;
2. Science and Technology on Information Assurance Laboratory, Beijing 100072, China;
3. People's Procuratorate of Henan Province, Zhengzhou 450000, China

Abstract  

Traditional memory forensics techniques based on the "image-analysis" model face two issues: extracting a memory image takes too long, and transient memory attacks cannot be effectively intercepted. A honeypot-like real-time memory forensics method, RTMF, was proposed to solve these issues. The virtual machine monitor (VMM) was used to extract memory fragments in a targeted way, and the obtained data were semantically reconstructed to recover OS-level semantic information. The extended page table (EPT) mechanism was applied to set access permissions on key memory pages, and these pages were treated as "honeypots". A violating access aimed at a honeypot triggers an EPT violation, and the guest OS is trapped into the VMM, so memory attacks can be captured in real time. Results show that once a memory attack is found, RTMF can record the attacker's modification history on memory and trace the attacker back to its source. Micro-benchmark test results show that the performance overhead introduced by RTMF is acceptable.



Received: 15 December 2016      Published: 09 March 2018
CLC:  TP391  
Cite this article:

ZHAO Yu-tao, LI Qing-bao, ZHANG Gui-min, CHENG San-jun. Honeypot-like real-time memory forensics based on virtual machine monitor. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2018, 52(2): 387-397.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2018.02.022     OR     http://www.zjujournals.com/eng/Y2018/V52/I2/387


Honeypot-like real-time memory forensics based on virtual machine monitor (Chinese abstract)

To solve the problems faced by traditional "image-analysis" based memory forensics techniques, namely that extracting a memory image takes too long and that transient memory attacks cannot be effectively intercepted, a honeypot-like real-time memory forensics method (RTMF) is proposed. The virtual machine monitor is used to extract memory fragments in a targeted way, and the extracted data are semantically reconstructed to obtain operating-system-level semantic information. The extended page table mechanism is used to set access permissions on key memory pages, and these pages are used as honeypots; a violating access to a honeypot triggers an extended page table fault that traps into the virtual machine monitor, intercepting the attack in real time. Results show that once a memory attack is discovered, RTMF can both record the attacker's modification history on memory and trace the attacker back to its source. Micro-benchmark tests show that the performance overhead introduced by the method is within an acceptable range.
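As an added illustration serving both the English and the Chinese abstract above (this is not code from the paper or from RTMF), the following user-space C model shows the honeypot mechanism they describe: the simulated VMM clears the EPT write bit on key guest pages, a guest store to such a page raises an EPT violation, and the VMM records who, where and what was modified before emulating the store so the guest does not notice the trap. The page layout, the hook-table address and the guest RIP values are constructed for the example.

```c
#include <stdint.h>

/* EPT leaf-entry access bits (Intel SDM Vol. 3B): bit 0 read, bit 1 write, bit 2 execute. */
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4, MAX_PAGES = 4, MAX_LOG = 16 };
#define PAGE_MASK (~(uint64_t)0xFFF)

struct ept_entry { uint64_t gpa; unsigned perm; int honeypot; };        /* simulated EPT entry */
struct violation { uint64_t gpa, guest_rip; uint32_t before, after; };  /* one history record */
static struct ept_entry ept[MAX_PAGES];
static struct violation history[MAX_LOG];
static int nhistory;

/* VMM side: map a guest page; a honeypot page always has EPT_W cleared so every store traps. */
void ept_map(int slot, uint64_t gpa, unsigned perm, int honeypot) {
    ept[slot].gpa = gpa & PAGE_MASK;
    ept[slot].perm = honeypot ? (perm & ~EPT_W) : perm;
    ept[slot].honeypot = honeypot;
}

static struct ept_entry *ept_lookup(uint64_t gpa) {
    for (int i = 0; i < MAX_PAGES; i++)
        if (ept[i].gpa == (gpa & PAGE_MASK)) return &ept[i];
    return 0;
}

/* Guest side: 32-bit store to gpa from instruction pointer rip. Returns 0 if the EPT allows it,
 * 1 if an EPT violation exits to the VMM (honeypot hit: who/where/what is recorded, then the
 * store is emulated so the guest never notices the trap), and -1 for an unmapped page. */
int guest_write(uint64_t gpa, uint32_t value, uint64_t rip, uint32_t *backing) {
    struct ept_entry *e = ept_lookup(gpa);
    if (!e) return -1;
    if (e->perm & EPT_W) { *backing = value; return 0; }
    if (e->honeypot && nhistory < MAX_LOG)
        history[nhistory++] = (struct violation){gpa, rip, *backing, value};
    *backing = value;
    return 1;
}

const struct violation *violation_at(int i) { return &history[i]; }

/* Constructed scenario: slot 0 is a kernel hook-table page used as honeypot, slot 1 a normal
 * writable page. Only the store into the honeypot lands in the history; returns its length. */
int demo_honeypot_trap(void) {
    uint32_t hook_slot = 0xC0DE0000u, scratch = 0;
    nhistory = 0;
    ept_map(0, 0xFFFF0000ULL, EPT_R | EPT_X, 1);
    ept_map(1, 0x1000ULL, EPT_R | EPT_W | EPT_X, 0);
    guest_write(0x1004ULL, 7u, 0x400100ULL, &scratch);               /* allowed, no VM exit */
    guest_write(0xFFFF0010ULL, 0xDEADBEEFu, 0x401234ULL, &hook_slot); /* honeypot hit, logged */
    return nhistory;
}
```

The recorded before/after values and guest RIP are exactly the modification history and attacker trace the abstract refers to; a real VMM would read them from the VMCS exit information and the faulting page rather than from function arguments.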

