Honeypot-like real-time memory forensics based on virtual machine monitor
ZHAO Yu-tao1,2, LI Qing-bao1, ZHANG Gui-min1, CHENG San-jun3
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, PLA Information Engineering University, Zhengzhou 450001, China;
2. Science and Technology on Information Assurance Laboratory, Beijing 100072, China;
3. People's Procuratorate of Henan Province, Zhengzhou 450000, China
Cite this article:
ZHAO Yu-tao, LI Qing-bao, ZHANG Gui-min, CHENG San-jun. Honeypot-like real-time memory forensics based on virtual machine monitor. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2018, 52(2): 387-397.
Link to this article:
http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2018.02.022
or
http://www.zjujournals.com/eng/CN/Y2018/V52/I2/387