• DocumentCode
    738910
  • Title
    On the Trustworthiness of Memory Analysis—An Empirical Study from the Perspective of Binary Execution
  • Author
    Prakash, Aravind ; Venkataramani, Eknath ; Yin, Heng ; Lin, Zhiqiang

  • Author_Institution
    Department of Electrical Engineering and Computer Science, Syracuse University, Syracuse, NY
  • Volume
    12
  • Issue
    5
  • fYear
    2015
  • Firstpage
    557
  • Lastpage
    570
  • Abstract
    Memory analysis serves as a foundation for many security applications such as memory forensics, virtual machine introspection and malware investigation. However, malware, or more specifically a kernel rootkit, can often tamper with kernel memory data, putting the trustworthiness of memory analysis under question. With the rapid deployment of cloud computing and the increase in cyber attacks, there is a pressing need to systematically study and understand the problem of memory analysis. In particular, without ground truth, the quality of the memory analysis tools widely used for analyzing closed-source operating systems (like Windows) has not been thoroughly studied. Moreover, while it is widely accepted that value manipulation attacks pose a threat to memory analysis, their severity has not been explored and well understood. To answer these questions, we have devised a number of novel analysis techniques including (1) binary level ground-truth collection, and (2) value equivalence set directed field mutation. Our experimental results demonstrate not only that the existing tools are inaccurate even under a non-malicious context, but also that value manipulation attacks are practical and severe. Finally, we show that exploiting information redundancy can be a viable direction to mitigate value manipulation attacks, but checking information equivalence alone is not an ultimate solution.
  • Keywords
    Context; Data structures; Kernel; Robustness; Security; Semantics; Virtual machining; DKOM; Invasive Software; Kernel Rootkit; Memory Forensics; Memory forensics; Operating Systems Security; Virtual Machine Introspection; invasive software; kernel rootkit; operating systems security; virtual machine introspection
  • fLanguage
    English
  • Journal_Title
    IEEE Transactions on Dependable and Secure Computing
  • Publisher
    ieee
  • ISSN
    1545-5971
  • Type
    jour
  • DOI
    10.1109/TDSC.2014.2366464
  • Filename
    6942280