Abstract
Memory forensic analysis collects evidence of digital crimes and malware attacks from the memory of a live system. It is increasingly valuable, especially in cloud computing. However, memory analysis on commodity operating systems (such as Microsoft Windows) faces the following key challenges: (1) only partial knowledge of kernel data structures; (2) difficulty in handling ambiguous pointers; and (3) a lack of robustness caused by relying on soft constraints that kernel attacks can easily violate. To address these challenges, we present MACE, a memory analysis system that extracts a more complete view of the kernel data structures of closed-source operating systems and significantly improves robustness by leveraging only pointer constraints (which are hard to manipulate) and evaluating these constraints globally (so that even a certain amount of pointer manipulation is tolerated). We have evaluated MACE on 100 memory images of Windows XP SP3 and Windows 7 SP0. Overall, MACE constructs a kernel object graph from a memory image in just a few minutes and achieves over 95% recall and over 96% precision. Our experiments on real-world rootkit samples and synthetic attacks further demonstrate that MACE outperforms other external memory analysis tools in both coverage and robustness.
| Original language | English (US) |
|---|---|
| Pages | 196-205 |
| Number of pages | 10 |
| DOIs | |
| State | Published - Dec 8 2014 |
| Event | 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States |
| Duration | Dec 8 2014 → Dec 12 2014 |
Other
| Other | 30th Annual Computer Security Applications Conference, ACSAC 2014 |
|---|---|
| Country/Territory | United States |
| City | New Orleans |
| Period | 12/8/14 → 12/12/14 |
Keywords
- Memory Analysis
- Random Surfer
- Rootkit Detection
ASJC Scopus subject areas
- Software
- Human-Computer Interaction
- Computer Vision and Pattern Recognition
- Computer Networks and Communications