DOI: 10.1007/978-3-642-41284-4_2

Hypervisor Memory Forensics

Published: 23 October 2013

Abstract

Memory forensics is the branch of computer forensics that extracts artifacts from memory snapshots taken from a running system. Although it is a relatively recent field, it is growing rapidly and attracting considerable attention from both industrial and academic researchers.
In this paper, we present a set of techniques that extend memory forensics to the analysis of hypervisors and virtual machines. With the increasing adoption of virtualization both in the cloud and in ordinary desktop environments, we believe that memory forensics will soon play a very important role in many investigations that involve virtual environments.
Our approach, implemented in an open source tool as an extension of the Volatility framework, is designed to detect both the existence and the characteristics of any hypervisor that uses the Intel VT-x technology. It also supports the analysis of nested virtualization and can infer the hierarchy of multiple hypervisors and virtual machines. Finally, by exploiting the techniques presented in this paper, our tool can reconstruct the address space of a virtual machine so as to transparently support any existing Volatility plugin, allowing analysts to reuse their code for the analysis of virtual environments.
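The address-space reconstruction the abstract refers to rests on one primitive: translating a VM's guest-physical addresses to host-physical addresses in the acquired image so that plugins written for a flat memory dump can be pointed at the guest. The following is an added example written for this page, not code from the paper's tool or from Volatility. It walks a 4-level Intel EPT hierarchy using the entry encoding documented in the Intel SDM (Vol. 3C), and goes slightly beyond the single case by also handling 2 MiB and 1 GiB large pages. The memory image, its table layout, the EPTP value and the marker string are all constructed here for illustration; how the EPT pointer itself is recovered from a VMCS is not part of this example.

```python
"""Added example (not the paper's tool): walk Intel EPT tables in a raw
host memory image to translate a VM's guest-physical addresses.

Entry encoding follows the Intel SDM, Vol. 3C (EPT PML4E/PDPTE/PDE/PTE):
bits 2:0 are R/W/X (all zero = not present), bit 7 in a PDPTE or PDE
selects a 1 GiB or 2 MiB page, bits 51:12 hold the next-level or page
address. The memory image below is constructed inline for illustration.
"""
import struct

PAGE = 0x1000
ADDR_MASK = 0x000F_FFFF_FFFF_F000  # bits 51:12 of an EPT entry or of EPTP
EPT_RWX = 0x7                      # read | write | execute
EPT_LARGE = 1 << 7                 # "page size" bit in PDPTE (1 GiB) / PDE (2 MiB)


class EptFault(Exception):
    """Guest-physical address is not mapped by the EPT hierarchy."""


def read_qword(mem: bytes, hpa: int) -> int:
    """Read one little-endian 64-bit entry at a host-physical address."""
    if hpa < 0 or hpa + 8 > len(mem):
        raise EptFault(f"EPT entry at {hpa:#x} lies outside the image")
    return struct.unpack_from("<Q", mem, hpa)[0]


def ept_translate(mem: bytes, eptp: int, gpa: int) -> int:
    """Return the host-physical address backing guest-physical `gpa`.

    Walks PML4 -> PDPT -> PD -> PT from the EPT pointer; stops early on a
    large-page mapping. Raises EptFault for unmapped addresses.
    """
    table = eptp & ADDR_MASK  # EPTP bits 51:12 = address of the EPT PML4
    for shift in (39, 30, 21, 12):  # 9 index bits per level
        entry = read_qword(mem, table + ((gpa >> shift) & 0x1FF) * 8)
        if entry & EPT_RWX == 0:
            raise EptFault(f"gpa {gpa:#x} not present at level shift {shift}")
        is_leaf = shift == 12 or (shift in (30, 21) and entry & EPT_LARGE)
        if is_leaf:
            offset_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~offset_mask) | (gpa & offset_mask)
        table = entry & ADDR_MASK
    raise AssertionError("unreachable: the PTE level always returns")


def read_guest(mem: bytes, eptp: int, gpa: int, size: int) -> bytes:
    """Read guest-physical memory through the EPT, one 4 KiB page at a time.

    This is the primitive a memory-forensics plugin needs in order to treat
    the guest's RAM as if it were a flat image.
    """
    out = bytearray()
    while size > 0:
        hpa = ept_translate(mem, eptp, gpa)
        chunk = min(size, PAGE - (gpa & (PAGE - 1)))
        out += mem[hpa:hpa + chunk]
        gpa, size = gpa + chunk, size - chunk
    return bytes(out)


def build_sample_image() -> tuple[bytes, int]:
    """Constructed host image with one EPT hierarchy (assumed layout, not a real dump).

    PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000, guest page 0 @0x5000.
    """
    mem = bytearray(6 * PAGE)

    def set_entry(table: int, index: int, value: int) -> None:
        struct.pack_into("<Q", mem, table + index * 8, value)

    set_entry(0x1000, 0, 0x2000 | EPT_RWX)                   # PML4E[0] -> PDPT
    set_entry(0x2000, 0, 0x3000 | EPT_RWX)                   # PDPTE[0] -> PD
    set_entry(0x2000, 1, 0x4000_0000 | EPT_LARGE | EPT_RWX)  # PDPTE[1]: 1 GiB page
    set_entry(0x3000, 0, 0x4000 | EPT_RWX)                   # PDE[0]  -> PT
    set_entry(0x3000, 1, 0x40_0000 | EPT_LARGE | EPT_RWX)    # PDE[1]:  2 MiB page
    set_entry(0x4000, 0, 0x5000 | EPT_RWX)                   # PTE[0]:  gpa 0 -> hpa 0x5000
    mem[0x5000:0x5010] = b"guest page zero!"                 # constructed marker data
    # EPTP: PML4 address | (page-walk length - 1) = 3 in bits 5:3 | WB memory type (6)
    eptp = 0x1000 | (3 << 3) | 6
    return bytes(mem), eptp


if __name__ == "__main__":
    image, eptp = build_sample_image()
    print(hex(ept_translate(image, eptp, 0x0)))                 # 0x5000
    print(hex(ept_translate(image, eptp, 0x200000 + 0x1234)))   # 0x401234 via the 2 MiB PDE
    print(read_guest(image, eptp, 0, 16))
```

Two points matter for a real dump rather than the constructed image above. First, "not present" in EPT is signalled by all three permission bits being clear, not by a dedicated present bit as in ordinary IA-32e page tables, so a walker ported from a CR3-based translator must be adjusted. Second, a hypervisor may place guest pages anywhere in host RAM, including above the range that was acquired, so every table read and every data read must be bounds-checked against the image rather than assumed to succeed.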



Published In

RAID 2013: Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 8145
October 2013
451 pages
ISBN: 9783642412837
Editors: Salvatore Stolfo, Angelos Stavrou, Charles Wright

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. Forensics
  2. Intel Virtualization
  3. Memory Analysis


Cited By
  • (2022) WSL2 Forensics: Detection, Analysis & Revirtualization. Proceedings of the 17th International Conference on Availability, Reliability and Security, pp. 1-7. DOI: 10.1145/3538969.3544439. Online publication date: 23 Aug 2022.
  • (2020) Security Issues and Challenges for Virtualization Technologies. ACM Computing Surveys 53(2), pp. 1-37. DOI: 10.1145/3382190. Online publication date: 19 May 2020.
  • (2019) Dynamic Malware Analysis in the Modern Era—A State of the Art Survey. ACM Computing Surveys 52(5), pp. 1-48. DOI: 10.1145/3329786. Online publication date: 13 Sep 2019.
  • (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security 22(2), pp. 1-21. DOI: 10.1145/3310355. Online publication date: 18 Mar 2019.
  • (2017) Fine-grained Nested Virtual Machine Performance Analysis Through First Level Hypervisor Tracing. Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 84-89. DOI: 10.1109/CCGRID.2017.20. Online publication date: 14 May 2017.
  • (2016) ROPMEMU. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 47-58. DOI: 10.1145/2897845.2897894. Online publication date: 30 May 2016.
  • (2014) MACE. Proceedings of the 30th Annual Computer Security Applications Conference, pp. 196-205. DOI: 10.1145/2664243.2664248. Online publication date: 8 Dec 2014.
  • (2014) DATAEvictor. Revised Selected Papers of the 6th International Conference on Trusted Systems - Volume 9473, pp. 328-345. DOI: 10.1007/978-3-319-27998-5_21. Online publication date: 16 Dec 2014.
