Hypervisor Memory Forensics

Graziano, Mariano; Lanzi, Andrea; Balzarotti, Davide

doi:10.1007/978-3-642-41284-4_2

Cited by 38 publications

(13 citation statements)

References 17 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Memory analysis came into limelight after 2004 work by Carrier et al [5]. There exist plenty of open-source and commodity memory analysis tools [2, 6, 9, 10, 19, 23-25, 27, 28, 30, 32].The memory analysis is also extended to the analysis of hypervisors and virtual machine [15].…”

Section: Related Workmentioning

confidence: 97%

Mace

Qian

Prakash

Yin

et al. 2014

Proceedings of the 30th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Memory forensic analysis collects evidence for digital crimes and malware attacks from the memory of a live system. It is increasingly valuable, especially in cloud computing. However, memory analysis on on commodity operating systems (such as Microsoft Windows) faces the following key challenges: (1) a partial knowledge of kernel data structures; (2) difficulty in handling ambiguous pointers; and (3) lack of robustness by relying on soft constraints that can be easily violated by kernel attacks. To address these challenges, we present MACE, a memory analysis system that can extract a more complete view of the kernel data structures for closed-source operating systems and significantly improve the robustness by only leveraging pointer constraints (which are hard to manipulate) and evaluating these constraint globally (to even tolerate certain amount of pointer attacks). We have evaluated MACE on 100 memory images for Windows XP SP3 and Windows 7 SP0. Overall, MACE can construct a kernel object graph from a memory image in just a few minutes, and achieves over 95% recall and over 96% precision. Our experiments on real-world rootkit samples and synthetic attacks further demonstrate that MACE outperforms other external memory analysis tools with respect to wider coverage and better robustness.

show abstract

Section: Related Workmentioning

confidence: 97%

Mace

Qian

Prakash

Yin

et al. 2014

Proceedings of the 30th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Other technologies required by RO-IoT are secure network bootloader [6,46,84], live memory forensics [43,52,86,96,102,107], PKI [31,35,44], and TEE (e.g., ARM TrustZone) [15,16,28,40,50,78,82,85].…”

Section: Related Work and Backgroundmentioning

confidence: 99%

Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices

Suzaki

Tsukamoto

Green³

et al. 2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

“…Actaeon [83], a plugin to the Volatility framework to analyze volatile memory containing type 1 and/or type 2 hypervisors. When using a hardware device to perform volatile memory acquisition, the memory dump might contain a hypervisor.…”

Section: Tracingmentioning

confidence: 99%

Untitled

Mademlis¹,

Messina²,

Wagner³

et al. 2019

CSUR

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract

Hypervisor Memory Forensics

Cited by 38 publications

References 17 publications

Mace

Mace

Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices

Untitled

Contact Info

Product

Resources

About