Research article. DOI: 10.1145/2664243.2664248

MACE: high-coverage and robust memory analysis for commodity operating systems

Published: 08 December 2014

Abstract

Memory forensic analysis collects evidence for digital crimes and malware attacks from the memory of a live system. It is increasingly valuable, especially in cloud computing. However, memory analysis on commodity operating systems (such as Microsoft Windows) faces the following key challenges: (1) a partial knowledge of kernel data structures; (2) difficulty in handling ambiguous pointers; and (3) lack of robustness due to relying on soft constraints that can be easily violated by kernel attacks. To address these challenges, we present MACE, a memory analysis system that can extract a more complete view of the kernel data structures for closed-source operating systems and significantly improve robustness by leveraging only pointer constraints (which are hard to manipulate) and evaluating these constraints globally (to tolerate even a certain amount of pointer attacks). We have evaluated MACE on 100 memory images for Windows XP SP3 and Windows 7 SP0. Overall, MACE can construct a kernel object graph from a memory image in just a few minutes, and achieves over 95% recall and over 96% precision. Our experiments on real-world rootkit samples and synthetic attacks further demonstrate that MACE outperforms other external memory analysis tools with respect to wider coverage and better robustness.
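To make the abstract's local-versus-global distinction concrete, here is an added toy example; it is not MACE's own code but a simplification of the random-surfer idea named in the paper's author tags. Candidate objects (as a signature scan might produce them) form a pointer graph, a PageRank-style surfer scores each candidate from the well-typed pointers that reach it, and a single forged pointer is then compared against a local check that trusts one pointer field. All addresses and edges below are constructed.

```python
# Added illustration, not MACE's own code: score scan candidates by a
# random-surfer walk over the pointer graph, so that one forged pointer
# cannot by itself make a planted decoy look like a genuine kernel object.
from collections import defaultdict

def random_surfer(edges, nodes, damping=0.85, iters=100):
    """PageRank-style score: the surfer follows an outgoing pointer with
    probability `damping`, otherwise jumps to a uniformly random candidate."""
    n = len(nodes)
    out = defaultdict(list)
    for src, dst in edges:
        out[src].append(dst)
    score = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        new = {v: (1 - damping) / n for v in nodes}
        for v in nodes:
            targets = out[v]
            if not targets:
                # Dangling candidate (no outgoing pointers): spread its mass uniformly.
                for u in nodes:
                    new[u] += damping * score[v] / n
            else:
                for u in targets:
                    new[u] += damping * score[v] / len(targets)
        score = new
    return score

# Constructed toy memory image: three EPROCESS-like objects chained into a
# doubly linked list with a list head, plus one attacker-planted decoy.
GENUINE = {0x1000, 0x1100, 0x1200, 0x2000}
DECOY = 0x9000
CANDIDATES = sorted(GENUINE | {DECOY})
EDGES = [(0x2000, 0x1000), (0x1000, 0x1100), (0x1100, 0x1200), (0x1200, 0x2000),  # Flink
         (0x1000, 0x2000), (0x1100, 0x1000), (0x1200, 0x1100), (0x2000, 0x1200)]  # Blink
# Attack: a single forged pointer field in a genuine object now points at the decoy.
FORGED = EDGES + [(0x1100, DECOY)]

def pointed_to_by_genuine(edges, addr):
    """Local (soft) constraint: trust any single pointer from a known object."""
    return any(src in GENUINE and dst == addr for src, dst in edges)

def ranked(edges):
    """Candidates ordered by global surfer score, highest first."""
    s = random_surfer(edges, CANDIDATES)
    return sorted(CANDIDATES, key=lambda a: s[a], reverse=True)

def decoy_outranks_genuine(edges):
    """True if the decoy's global score exceeds that of any genuine object."""
    s = random_surfer(edges, CANDIDATES)
    return s[DECOY] > min(s[a] for a in GENUINE)
```

The forged pointer satisfies the local check immediately, while the decoy, which nothing else in the graph corroborates, stays last in the global ranking.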




      Published In

      ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
      December 2014
      492 pages
      ISBN: 9781450330053
      DOI: 10.1145/2664243
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Sponsors

      • ACSA: Applied Computing Security Assoc

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. memory analysis
      2. random surfer
      3. rootkit detection

      Qualifiers

      • Research-article


      Conference

      ACSAC '14
      Sponsor:
      • ACSA
      ACSAC '14: Annual Computer Security Applications Conference
      December 8 - 12, 2014
      New Orleans, Louisiana, USA

      Acceptance Rates

      Overall Acceptance Rate 104 of 497 submissions, 21%

      Article Metrics

      • Downloads (last 12 months): 6
      • Downloads (last 6 weeks): 1
      Reflects downloads up to 30 Aug 2024
      Cited By

      • (2022) In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics. ACM Transactions on Privacy and Security 25(4):1-32. DOI: 10.1145/3528102. Online publication date: 9 Jul 2022
      • (2022) EXAMINER: automatically locating inconsistent instructions between real devices and CPU emulators for ARM. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 846-858. DOI: 10.1145/3503222.3507736. Online publication date: 28 Feb 2022
      • (2022) MemInspect2: OS-Independent Memory Forensics for IoT Devices in Cybercrime Investigations. 2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS), pp. 162-169. DOI: 10.1109/ICIS54925.2022.9882517. Online publication date: 26 Jun 2022
      • (2021) AutoProfile: Towards Automated Profile Generation for Memory Analysis. ACM Transactions on Privacy and Security 25(1):1-26. DOI: 10.1145/3485471. Online publication date: 23 Nov 2021
      • (2021) Identifying Valuable Pointers in Heap Data. 2021 IEEE Security and Privacy Workshops (SPW), pp. 373-382. DOI: 10.1109/SPW53761.2021.00057. Online publication date: May 2021
      • (2019) Back to the whiteboard. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1751-1768. DOI: 10.5555/3361338.3361460. Online publication date: 14 Aug 2019
      • (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security 22(2):1-21. DOI: 10.1145/3310355. Online publication date: 18 Mar 2019
      • (2018) DeepMem. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 606-618. DOI: 10.1145/3243734.3243813. Online publication date: 15 Oct 2018
      • (2017) MemTri. Proceedings of the 2017 International Workshop on Managing Insider Security Threats, pp. 57-66. DOI: 10.1145/3139923.3139926. Online publication date: 30 Oct 2017
      • (2017) DECAF. IEEE Transactions on Software Engineering 43(2):164-184. DOI: 10.1109/TSE.2016.2589242. Online publication date: 1 Feb 2017
