DOI: 10.1145/2420950.2420962

When hardware meets software: a bulletproof solution to forensic memory acquisition

Published: 03 December 2012

Abstract

The acquisition of volatile memory from running systems has become a prominent and essential procedure in digital forensic analysis and incident response. In fact, unencrypted passwords, cryptographic material, text fragments and latest-generation malware may easily be protected as encrypted blobs on persistent storage while living seamlessly in the volatile memory of a running system. Likewise, a system's run-time information, such as open network connections, open files and running processes, is by definition a live entity that can only be observed by examining the volatile memory of the running system. In this context, tampering with volatile data while an acquisition is in progress, or during transfer to an external trusted entity, is an ongoing issue, as it may irremediably invalidate the collected evidence.
To overcome such issues, we present SMMDumper, a novel technique to perform atomic acquisitions of the volatile memory of running systems. SMMDumper is implemented as x86 firmware that leverages the System Management Mode of Intel CPUs to create a complete and reliable snapshot of the state of the system which, with minimal hardware support, is resilient to malware attacks. To the best of our knowledge, SMMDumper is the first technique able to atomically acquire the whole volatile memory, overcoming the SMM-imposed 4GB barrier while providing integrity guarantees and running on commodity systems.
Experimental results show that the time SMMDumper requires to acquire and transfer 6GB of physical memory from a running system is reasonable enough to allow for real-world adoption in digital forensic analyses and incident response.


Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012, 464 pages
ISBN: 9781450313124
DOI: 10.1145/2420950

Sponsors

• ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. forensic
2. live memory acquisition
3. system management mode

Qualifiers

• Research-article

Conference

ACSAC '12: Annual Computer Security Applications Conference
Sponsor: ACSA
December 3 - 7, 2012
Orlando, Florida, USA

Acceptance Rates

ACSAC '12 Paper Acceptance Rate: 44 of 231 submissions, 19%
Overall Acceptance Rate: 104 of 497 submissions, 21%

Cited By

• (2024) Enhancing Reliability During Physical Memory Forensics: Strategies and Practices. SN Computer Science 5:1. doi:10.1007/s42979-023-02553-y. Online publication date: 8 Jan 2024.
• (2024) PromeTrans: Bootstrap binary functionality classification with knowledge transferred from pre-trained models. Empirical Software Engineering 30:1. doi:10.1007/s10664-024-10593-y. Online publication date: 27 Nov 2024.
• (2022) Smile: Secure Memory Introspection for Live Enclave. 2022 IEEE Symposium on Security and Privacy (SP), pages 386-401. doi:10.1109/SP46214.2022.9833714. Online publication date: May 2022.
• (2022) SAM: A Mechanism to Facilitate Smear-Aware Forensic Analysis of Volatile System Memory. Journal of Applied Security Research 19:2, pages 300-329. doi:10.1080/19361610.2022.2161972. Online publication date: 30 Dec 2022.
• (2021) OSPREY: Recovery of Variable and Data Structure via Probabilistic Analysis for Stripped Binary. 2021 IEEE Symposium on Security and Privacy (SP), pages 813-832. doi:10.1109/SP40001.2021.00051. Online publication date: May 2021.
• (2020) Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices. Proceedings of the 36th Annual Computer Security Applications Conference, pages 428-441. doi:10.1145/3427228.3427293. Online publication date: 7 Dec 2020.
• (2020) Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot. Information Systems Security and Privacy, pages 317-334. doi:10.1007/978-3-030-49443-8_15. Online publication date: 28 Jun 2020.
• (2019) Dynamic Malware Analysis in the Modern Era—A State of the Art Survey. ACM Computing Surveys 52:5, pages 1-48. doi:10.1145/3329786. Online publication date: 13 Sep 2019.
• (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security 22:2, pages 1-21. doi:10.1145/3310355. Online publication date: 18 Mar 2019.
• (2019) DeviceVeil: Robust Authentication for Individual USB Devices Using Physical Unclonable Functions. 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 302-314. doi:10.1109/DSN.2019.00041. Online publication date: Jun 2019.
