[go: up one dir, main page]
Skip to main content
SpringerLink
Log in

PageDumper: a mechanism to collect page table manipulation information at run-time

  • regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

The state-of-the-art contributions in the area of memory forensics are centered around uncovering potentially hidden processes, control flow and code pointer integrity manipulations and detecting malicious code injections done by attackers. At the same time, deployment of memory protection mechanisms like control flow integrity, data execution prevention/no-execute, address space layout randomization and kernel address space layout randomization, have obviated the use of such attack vectors for sensitive information disclosure. Thus, attackers are now adopting various techniques to elude memory protection using memory corruption or memory disclosure attacks inside the operating system (OS). The heavy-dependence of all such advanced prevention and defense mechanisms on memory protection/memory safety attributes are luring attackers to conduct sophisticated data attacks against the OS that leaves no traces in the file system. In this paper, while assessing the security implications of such attack vectors, we propose a mechanism to capture such memory-protection-manipulation-based attack footprints at run time in the form of a utility called PageDumper. While parsing the system virtual address space and page table entries(for the process and kernel address space), it collects the in-memory data attack footprints at run time. Thus, PageDumper can supplement information(s) for the postmortem analysis of run time process and the kernel address space environment, when used in conjunction with memory snapshots taken through memory acquisition tools for a more practical and in-depth memory analysis.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. Arjan v.d. Ven’s [62] patch prints the kernel page tables through the debugfs and helps in efficient debugging of memory attribute corruption related bugs.

References

  1. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(1), 4 (2009)

    Article  Google Scholar 

  2. Anderson, D.: Crash (2008). https://people.redhat.com/anderson/crash_whitepaper/. Accessed 26 Nov 2019

  3. Betz, C.: Memparser (2005). http://www.dfrws.org/2005/challenge/memparser.shtml

  4. Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of the 6th ACM symposium on information, computer and communications security, pp. 30–40. ACM (2011)

  5. Block, F., Dewald, A.: Linux memory forensics: dissecting the user space process heap. Digit. Investig. 22, S66–S75 (2017)

    Article  Google Scholar 

  6. Block, F., Dewald, A.: Windows memory forensics: detecting (un) intentionally hidden injected code by examining page table entries. Digit. Investig. 29, S3–S12 (2019)

    Article  Google Scholar 

  7. Bovet, D.P., Cesati, M.: Understanding the Linux Kernel: From I/O Ports to Process Management. O’Reilly Media Inc., Newton (2005)

    Google Scholar 

  8. Burdach, M.: Digital Forensics of the Physical Memory. Warsaw University, Warszawa (2005)

    Google Scholar 

  9. Case, A., Marziale, L., Richard III, G.G.: Dynamic recreation of kernel data structures for live forensics. Digit. Investig. 7, S32–S40 (2010)

    Article  Google Scholar 

  10. Case, A., Richard III, G.G.: Detecting objective-c malware through memory forensics. Digit. Investigat. 18, S3–S10 (2016)

    Article  Google Scholar 

  11. Castro, M., Costa, M., Martin, J.P., Peinado, M., Akritidis, P., Donnelly, A., Barham, P., Black, R.: Fast byte-granularity software fault isolation. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, pp. 45–58. ACM (2009)

  12. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 559–572. ACM (2010)

  13. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. USENIX Secur. Symp. 5, 177–192 (2005)

    Google Scholar 

  14. Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: 2015 IEEE Symposium on Security and Privacy, pp. 763–780. IEEE (2015)

  15. Davi, L., Gens, D., Liebchen, C., Sadeghi, A.R.: Pt-rand: Practical mitigation of data-only attacks against page tables. In: NDSS (2017)

  16. Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J.: Robust signatures for kernel data structures. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 566–577. ACM (2009)

  17. Economou, N.A., Nissim, E.E.: Getting physical extreme abuse of Intel based paging systems (2016)

  18. Edge, J.: Kernel address space layout randomization. (2013) https://lwn.net/Articles/569635/. Accessed 26 Nov 2019

  19. Edge, J.: Randomizing the kernel. (2013) https://lwn.net/Articles/546686/. Accessed 26 Nov 2019

  20. Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: Jump over ASLR: attacking branch predictors to bypass ASLR. In: The 49th Annual IEEE/ACM International Symposium on Microarchitecture, p. 40. IEEE Press (2016)

  21. F-response Team: A utility to conduct live forensics (2019). https://f-response.com/. Accessed 26 Nov 2019

  22. Gisbert, H.M., Ripoll, I.: On the effectiveness of NX, SSP, RENEWSSP, and ASLR against stack buffer overflows. In: 2014 IEEE 13th International Symposium on Network Computing and Applications, pp. 145–152. IEEE (2014)

  23. Google Inc: Rekall’s malfind plugin (2019).https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/windows/malware/malfind.py. Accessed 26 Nov 2019

  24. Gorman, M.: Understanding the Linux Virtual Memory Manager. Prentice Hall, Upper Saddle River (2004)

    Google Scholar 

  25. Gravani, S., Hedayati, M., Criswell, J., Scott, M.L.: Iskios: lightweight defense against kernel-level code-reuse attacks. arXiv preprint arXiv:1903.04654 (2019)

  26. Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: KASLR is dead: long live KASLR. In: International Symposium on Engineering Secure Software and Systems, pp. 161–176. Springer (2017)

  27. Hansen, D.: Kaiser: unmap most of the kernel from userspace page tables (2017). https://lwn.net/Articles/738997/. Accessed 26 Nov 2019

  28. Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 969–986. IEEE (2016)

  29. Intel 34 and ia-32 architectures software developer’s manual. https://software.intel.com/en-us/articles/intel-sdm. Accessed 26 Nov 2019

  30. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H., et al.: Antfarm: tracking processes in a virtual machine environment. In: USENIX Annual Technical Conference, General Track, pp. 1–14 (2006)

  31. Keong, T.C.: Dynamic forking of win32 exe (2004). https://web.archive.org/web/20070808231220/http://www.security.org.sg/code/loadexe.html. Accessed 26 Nov 2019

  32. Kim, T., Shin, Y.: High efficiency, low-noise meltdown attack by using a return stack buffer. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 688–690. ACM (2019)

  33. Kiriansky, V., Waldspurger, C.: Speculative buffer overflows: attacks and defenses. arXiv preprint arXiv:1807.03757 (2018)

  34. Kleen, A.: Complete virtual memory map for \(\times 86\_64\) architecture (2004). https://elixir.bootlin.com/linux/v4.14/source/Documentation/x86/x86_64/mm.txt. Accessed 26 Nov 2019

  35. Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)

  36. Koruyeh, E.M., Khasawneh, K.N., Song, C., Abu-Ghazaleh, N.: Spectre returns! speculation attacks using the return stack buffer. In: 12th \(\{\)USENIX\(\}\) Workshop on Offensive Technologies (\(\{\)WOOT\(\}\) 18) (2018)

  37. Kroah-Hartman, G.: UDEV—a userspace implementation of DEVFS. In: Proceedings Linux Symposium, pp. 263–271. Citeseer (2003)

  38. KSL group: Threadmap documentation (2017). https://github.com/kslgroup/threadmap/blob/master/threadmap documentation.pdf. Accessed 26 Nov 2019

  39. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: 11th \(\{\)USENIX\(\}\) Symposium on Operating Systems Design and Implementation (\(\{\)OSDI\(\}\) 14), pp. 147–163 (2014)

  40. Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: Sok: Automated software diversity. In: 2014 IEEE Symposium on Security and Privacy, pp. 276–291. IEEE (2014)

  41. Lee, J., Ham, H., Kim, I., Song, J.: Poster: page table manipulation attack. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1644–1646. ACM (2015)

  42. Li, J., Tong, X., Zhang, F., Ma, J.: Fine-cfi: fine-grained control-flow integrity for operating system kernels. IEEE Trans. Inf. Forensics Secur. 13(6), 1535–1550 (2018)

    Article  Google Scholar 

  43. Lin, Z., Rhee, J., Zhang, X., Xu, D., Jiang, X.: Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In: NDSS (2011)

  44. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown. arXiv preprint arXiv:1801.01207 (2018)

  45. Maisuradze, G., Rossow, C.: ret2spec: Speculative execution using return stack buffers. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2109–2122. ACM (2018)

  46. Michael Cohen: The pmem memory acquisition suite (2015). https://github.com/google/rekall/tree/master/tools/windows/winpmem. Accessed 26 Nov 2019

  47. Minkin, M., Moghimi, D., Lipp, M., Schwarz, M., Van Bulck, J., Genkin, D., Gruss, D., Piessens, F., Sunar, B., Yarom, Y.: Fallout: reading kernel writes from user space. arXiv preprint arXiv:1905.12701 (2019)

  48. Monnappa, K.A.: Detecting malicious processes using psinfo volatility plugin (2016). https://cysinfo.com/detecting-malicious-processes-psinfo. Accessed 26 Nov 2019

  49. Monnappa, K.A.: Detecting deceptive process hollowing techniques using hollowfind volatility plugin (2017). https://cysinfo.com/detecting-deceptive-hollowing-techniques/. Accessed 26 Nov 2019

  50. Movall, P., Nelson, W., Wetzstein, S.: Linux physical memory analysis. In: USENIX Annual Technical Conference, FREENIX Track, pp. 23–32 (2005)

  51. Müller, L.: KPTI a mitigation method against meltdown. In: Advanced Microkernel Operating Systems p. 41 (2018)

  52. Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Ohkubo, K.: Building stack traces from memory dump of windows x64. Digit. Investig. 24, S101–S110 (2018)

    Article  Google Scholar 

  53. PaX Team: Pax address space layout randomization (ASLR) (2003). https://pax.grsecurity.net/docs/aslr.txt. Accessed 26 Nov 2019

  54. Petroni Jr., N.L., Walters, A., Fraser, T., Arbaugh, W.A.: Fatkit: a framework for the extraction and analysis of digital forensic data from volatile system memory. Digit. Investig. 3(4), 197–210 (2006)

    Article  Google Scholar 

  55. Qiang, W., Yang, J., Jin, H., Shi, X.: Privguard: protecting sensitive kernel data from privilege escalation attacks. IEEE Access 6, 46584–46594 (2018)

    Article  Google Scholar 

  56. Rekall: The Rekall memory forensic framework (2013). http://www.rekall-forensic.com. Accessed 26 Nov 2019

  57. Sadeghi, A.A., Aminmansour, F., Shahriari, H.R.: Tazhi: A novel technique for hunting trampoline gadgets of jump oriented programming (a class of code reuse attacks). In: 2014 11th International ISC Conference on Information Security and Cryptology, pp. 21–26. IEEE (2014)

  58. Saur, K., Grizzard, J.B.: Locating \(\times 86\) paging structures in memory images. Digit. Investig. 7(1–2), 28–37 (2010)

    Article  Google Scholar 

  59. Schuster, A.: Searching for processes and threads in microsoft windows memory dumps. Digit. Investig. 3, 10–16 (2006)

    Article  Google Scholar 

  60. Sehr, D., Muth, R., Biffle, C.L., Khimenko, V., Pasko, E., Yee, B., Schimpf, K., Chen, B.: Adapting software fault isolation to contemporary CPU architectures (2010)

  61. The Volatility Foundation: Volatility’s malfind plugin (2016). https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/malware/malfind.py. Accessed 26 Nov 2019

  62. Ven, v.d.A.: x86: add code to dump the (kernel) page tables for visual inspection (2008). https://lwn.net/Articles/267837/. Accessed 26 Nov 2019

  63. Walters, A.: The volatility framework (version 2.6): volatile memory artifact extraction utility framework (2007). https://www.volatilityfoundation.org/26. Accessed 26 Nov 2019

  64. Walters, A., Petroni, N.L.: Volatools: Integrating volatile memory into the digital investigation process. Black Hat DC 2007, 1–18 (2007)

    Google Scholar 

  65. White, A., Schatz, B., Foo, E.: Integrity verification of user space code. Digit. Investig. 10, S59–S68 (2013)

    Article  Google Scholar 

  66. Xiao, J., Huang, H., Wang, H.: Kernel data attack is a realistic security threat. In: International Conference on Security and Privacy in Communication Systems, pp. 135–154. Springer (2015)

  67. Zhang, S., Meng, X., Wang, L.: An adaptive approach for linux memory analysis based on kernel code reconstruction. EURASIP J. Inf. Secur. 2016(1), 14 (2016)

    Article  Google Scholar 

Download references

Funding

No funding was received for the work reported in this paper.

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, National Institute of Technology, Durgapur, West Bengal, 713209, India

    Trushna Parida & Suvrojit Das

Authors
  1. Trushna Parida
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Suvrojit Das
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Trushna Parida.

Ethics declarations

Conflict of interest

The Authors, Trushna Parida and Suvrojit Das declare that they have no conflict of interest. (The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.)

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Parida, T., Das, S. PageDumper: a mechanism to collect page table manipulation information at run-time. Int. J. Inf. Secur. 20, 603–619 (2021). https://doi.org/10.1007/s10207-020-00520-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-020-00520-9

Keywords

Search

Navigation