DOI: 10.1145/2714576.2714600

Now You See Me: Hide and Seek in Physical Address Space

Published: 14 April 2015

Abstract

With the growing complexity of computing systems, memory-based forensic techniques are becoming instrumental in digital investigations. Digital forensic examiners can unravel what happened on a system by acquiring and inspecting in-memory data. Meanwhile, attackers have developed numerous anti-forensic mechanisms to defeat existing memory forensic techniques by manipulating system software such as the OS kernel. To counter anti-forensic techniques, some recent research suggests that the memory acquisition process can be trusted if the acquisition module has not been tampered with and all operations are performed without relying on any untrusted software, including the operating system.
However, in this paper, we show that it is possible for malware to bypass the current state-of-the-art trusted memory acquisition module by manipulating the physical address space layout, which is shared between physical memory and I/O devices on x86 platforms. This fundamental design of the x86 platform enables an attacker to build an OS-agnostic anti-forensic system. Based on this finding, we propose Hidden in I/O Space (HIveS), which manipulates CPU registers to alter the physical address layout. The system uses a novel I/O Shadowing technique to lock a memory region, named HIveS memory, into the I/O address space, so that all access requests to the HIveS memory are redirected to the I/O bus instead of the memory controller. To access the HIveS memory, the attacker unlocks it by mapping it back into the memory address space. Two novel techniques, Blackbox Write and TLB Camouflage, are developed to further protect the unlocked HIveS memory against memory forensics while still allowing the attacker to access it. A HIveS prototype is built and tested against a set of memory acquisition tools for both Windows and Linux running on the x86 platform. Lastly, we propose potential countermeasures to detect and mitigate HIveS.


Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015
698 pages
ISBN:9781450332453
DOI:10.1145/2714576

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. digital forensics
  2. memory acquisition
  3. rootkits
  4. system security

Qualifiers

  • Research-article

Funding Sources

  • U.S. Office of Naval Research
  • US National Science Foundation
  • U.S. Army Research Office

Conference

ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - 17, 2015
Singapore, Republic of Singapore

Acceptance Rates

ASIA CCS '15 Paper Acceptance Rate: 48 of 269 submissions, 18%
Overall Acceptance Rate: 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 13
  • Downloads (last 6 weeks): 1
Reflects downloads up to 15 Feb 2025

Cited By

  • Memory Forensic Challenges Under Misused Architectural Features. IEEE Transactions on Information Forensics and Security 13(9):2345-2358, 1 Sep 2018. DOI:10.1109/TIFS.2018.2819119
  • Analyzing Detection Avoidance of Malware by Process Hiding. 2018 3rd International Conference on Contemporary Computing and Informatics (IC3I), pages 293-297, Oct 2018. DOI:10.1109/IC3I44769.2018.9007293
  • Secure In-Cache Execution. Research in Attacks, Intrusions, and Defenses, pages 381-402, 12 Oct 2017. DOI:10.1007/978-3-319-66332-6_17
  • HyBIS: Advanced Introspection for Effective Windows Guest Protection. ICT Systems Security and Privacy Protection, pages 189-204, 4 May 2017. DOI:10.1007/978-3-319-58469-0_13
  • A flexible framework for mobile device forensics based on cold boot attacks. EURASIP Journal on Information Security 2016(1):1-13, 1 Dec 2016. DOI:10.1186/s13635-016-0041-4
  • CacheKit: Evading Memory Introspection Using Cache Incoherence. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pages 337-352, Mar 2016. DOI:10.1109/EuroSP.2016.34
  • A Software Detection Mechanism Based on SMM in Network Computing. Security, Privacy and Anonymity in Computation, Communication and Storage, pages 134-143, 10 Nov 2016. DOI:10.1007/978-3-319-49145-5_14
