Automatic Reverse Engineering of Data Structures from Binary Execution
Cited by 61 (17 self)
With only the binary executable of a program, it is useful to discover the program’s data structures and infer their syntactic and semantic definitions. Such knowledge is highly valuable in a variety of security and forensic applications. Although there exist efforts in program data structure inference, the existing solutions are not suitable for our targeted application scenarios. In this paper, we propose a reverse engineering technique to automatically reveal program data structures from binaries. Our technique, called REWARDS, is based on dynamic analysis. More specifically, each memory location accessed by the program is tagged with a timestamped type attribute. Following the program’s runtime data flow, this attribute is propagated to other memory locations and registers that share the same type. During the propagation, a variable’s type gets resolved if it is involved in a type-revealing execution point or “type sink”. More importantly, besides the forward type propagation, REWARDS involves a backward type resolution procedure where the types of some previously accessed variables get recursively resolved starting from a type sink. This procedure is constrained by the timestamps of relevant memory locations to disambiguate variables reusing the same memory location. In addition, REWARDS is able to reconstruct in-memory data structure layout based on the type information derived. We demonstrate that REWARDS provides unique benefits to two applications: memory image forensics and binary fuzzing for vulnerability discovery.
SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures
Cited by 30 (13 self)
Brute force scanning of kernel memory images for finding kernel data structure instances is an important function in many computer security and forensics applications. Brute force scanning requires effective, robust signatures of kernel data structures. Existing approaches often use the value invariants of certain fields as data structure signatures. However, they do not fully exploit the rich points-to relations between kernel data structures. In this paper, we show that such points-to relations can be leveraged to generate graph-based structural invariant signatures. More specifically, we develop SigGraph, a framework that systematically generates non-isomorphic signatures for data structures in an OS kernel. Each signature is a graph rooted at a subject data structure with its edges reflecting the points-to relations with other data structures. Our experiments with a range of Linux kernels show that SigGraph-based signatures achieve high accuracy in recognizing kernel data structure instances via brute force scanning. We further show that SigGraph achieves better robustness against pointer value anomalies and corruptions, without requiring global memory mapping and object reachability. We demonstrate that SigGraph can be applied to kernel memory forensics, kernel rootkit detection, and kernel version inference.
Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory
In Proceedings of the 13th International Symposium of Recent Advances in Intrusion Detection, 2010
Cited by 13 (5 self)
Dynamic kernel memory has been a popular target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Some existing approaches use kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are based on the kernel memory which may have been manipulated by kernel malware. In addition, because the snapshot only reflects the memory status at a single time instance, its usage is limited in temporal kernel execution analysis. We introduce a new runtime kernel memory mapping scheme called allocation-driven mapping, which systematically identifies dynamic kernel objects, including their types and lifetimes. The scheme works by capturing kernel object allocation and deallocation events. Our system provides a number of unique benefits to kernel malware analysis: (1) an un-tampered view wherein the mapping of kernel data is unaffected by the manipulation of kernel memory and (2) a temporal view of kernel objects to be used in temporal analysis of kernel execution. We demonstrate the effectiveness of allocation-driven mapping in two usage scenarios. First, we build a hidden kernel object detector that uses an un-tampered view to detect the data hiding attacks of 10 kernel rootkits that directly manipulate kernel objects (DKOM). Second, we develop a temporal malware behavior monitor that tracks and visualizes malware behavior triggered by the manipulation of dynamic kernel objects. Allocation-driven mapping enables a reliable analysis of such behavior by guiding the inspection only to the events relevant to the attack.
DIMSUM: Discovering semantic data of interest from un-mappable memory with confidence
In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS’12), 2012
Cited by 12 (6 self)
Uncovering semantic data of interest in memory pages without memory mapping information is an important capability in computer forensics. Existing memory mapping-guided techniques do not work in that scenario as pointers in the un-mappable memory cannot be resolved and navigated. To address this problem, we present a probabilistic inference-based approach called DIMSUM to enable the recognition of data structure instances from un-mappable memory. Given a set of memory pages and the specification of a target data structure, DIMSUM will identify instances of the data structure in those pages with quantifiable confidence. More specifically, it builds graphical models based on boolean constraints generated from the data structure and the memory page contents. Probabilistic inference is performed on the graphical models to generate results ranked with probabilities. Our experiments with real-world applications on both Linux and Android platforms show that DIMSUM achieves higher effectiveness than non-probabilistic approaches without memory mapping information.
Using Every Part of the Buffalo in Windows Memory Analysis
Cited by 8 (0 self)
All Windows memory analysis techniques depend on the examiner’s ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so called “invalid” pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can more accurately recreate the state of the machine as it existed at the time of imaging.
Combining Static and Live Digital Forensic Analysis in Virtual Environment
Cited by 7 (0 self)
Traditional digital forensics is performed through static analysis of data preserved on permanent storage media. Not all data needed to understand the state of the examined system exists in nonvolatile memory. Live analysis uses the running system to obtain volatile data for a deeper understanding of the events going on. Sampling a running system might irreversibly change its state, making the collected evidence invalid. This paper proposes a combination of static and live analysis. Virtualization is used to bring static data to life. A volatile memory dump is used to enable offline analysis of live data. Using data from the memory dump, the virtual machine created from static data can be adjusted to provide a better picture of the live system at the time when the dump was made. The investigator can have an interactive session with the virtual machine without violating evidence integrity. Tests with a sample system confirm the viability of the proposed approach. Keywords: forensics; hard disk image; volatile memory dump; virtual machine; hibernation.
FIA: an open forensic integration architecture for composing digital evidence
In Sorell, Matthew (Ed.), Forensics in Telecommunications, Information and Multimedia, 2009
Cited by 5 (0 self)
The analysis and value of digital evidence in an investigation has been the domain of discourse in the digital forensic community for several years. While many works have considered different approaches to model digital evidence, a comprehensive understanding of the process of merging different evidence items recovered during a forensic analysis is still a distant dream. With the advent of modern technologies, pro-active measures are integral to keeping abreast of all forms of cyber crimes and attacks. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. In this paper, we present the forensic integration architecture (FIA) which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources. The FIA architecture identifies evidence information from multiple sources that enables an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology independent approach. FIA is also open and extensible making it simple to adapt to technological changes. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value it brings into the field.
FATKit: Detecting malicious library injection and upping the “anti”, 2006
Cited by 5 (0 self)
In this white paper, we discuss how the Forensic Analysis ToolKit (FATKit) can facilitate the process of enumerating suspicious artifacts manifested as a result of remote library injection. We discuss a number of techniques that have proven effective at elucidating artifacts that are by-products of advanced exploitation methods frequently characterized as anti-forensic or stealthy. One significant differentiator from the majority of previous work is the fact that we do not rely on the integrity of the potentially compromised operating system, but instead perform our analysis offline on a trusted capture of volatile memory (RAM) [10, 22, 7]. While many of the previously published techniques have focused on detecting attacks in real time, we are focused on facilitating the forensic analyst’s ability to extract memory-resident evidence from the information system under investigation.
1 FATKit: Forensic Analysis ToolKit
The Forensic Analysis ToolKit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory [20, 19]. This modularity was designed to support multiple operating systems, but also with the goal of being able to support various hardware architectures as well. For example, we currently have profiles for Windows 2000, Windows XP, Windows Server 2003, Windows
Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics
Cited by 5 (3 self)
Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contains information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine’s memory content.
Automatically Bridging the Semantic Gap using C Interpreter
Cited by 2 (0 self)
We describe min-c, a C interpreter that solves the generalized problem of the “semantic gap”. The semantic gap exists in virtual machine introspection (VMI) and in volatile memory forensics because there is not a native hardware environment. For example, a pointer in a data structure in a process cannot be used without translation to a physical address, a function of the native hardware and operating system. The usual solution is to build an OS interface library to provide the necessary translations. This is brittle as it must constantly track OS versions. Min-c solves this problem by enabling automatic generation of the OS interface library using native OS code itself, or debugging symbols when source is not available. We describe the design of min-c and our method for automatically building the semantic interface database required for type interpretation for both Linux and Windows OSs.