TY - JOUR
T1 - On the Trustworthiness of Memory Analysis-An Empirical Study from the Perspective of Binary Execution
AU - Prakash, Aravind
AU - Venkataramani, Eknath
AU - Yin, Heng
AU - Lin, Zhiqiang
N1 - Funding Information:
The authors would like to thank anonymous reviewers for their comments. This research was supported in part by NSF grant #1018217, NSF grant #1054605, AFOSR grant #FA9550-12-1-0077 and #FA9550-14-1-0119, McAfee Inc, and VMware Inc.
Publisher Copyright:
© 2014 IEEE.
PY - 2015/9/1
Y1 - 2015/9/1
N2 - Memory analysis serves as a foundation for many security applications such as memory forensics, virtual machine introspection and malware investigation. However, malware, or more specifically a kernel rootkit, can often tamper with kernel memory data, putting the trustworthiness of memory analysis under question. With the rapid deployment of cloud computing and the increase in cyber attacks, there is a pressing need to systematically study and understand the problem of memory analysis. In particular, without ground truth, the quality of the memory analysis tools widely used for analyzing closed-source operating systems (like Windows) has not been thoroughly studied. Moreover, while it is widely accepted that value manipulation attacks pose a threat to memory analysis, their severity has not been explored and well understood. To answer these questions, we have devised a number of novel analysis techniques including (1) binary level ground-truth collection, and (2) value equivalence set directed field mutation. Our experimental results demonstrate not only that the existing tools are inaccurate even under a non-malicious context, but also that value manipulation attacks are practical and severe. Finally, we show that exploiting information redundancy can be a viable direction to mitigate value manipulation attacks, but checking information equivalence alone is not an ultimate solution.
AB - Memory analysis serves as a foundation for many security applications such as memory forensics, virtual machine introspection and malware investigation. However, malware, or more specifically a kernel rootkit, can often tamper with kernel memory data, putting the trustworthiness of memory analysis under question. With the rapid deployment of cloud computing and the increase in cyber attacks, there is a pressing need to systematically study and understand the problem of memory analysis. In particular, without ground truth, the quality of the memory analysis tools widely used for analyzing closed-source operating systems (like Windows) has not been thoroughly studied. Moreover, while it is widely accepted that value manipulation attacks pose a threat to memory analysis, their severity has not been explored and well understood. To answer these questions, we have devised a number of novel analysis techniques including (1) binary level ground-truth collection, and (2) value equivalence set directed field mutation. Our experimental results demonstrate not only that the existing tools are inaccurate even under a non-malicious context, but also that value manipulation attacks are practical and severe. Finally, we show that exploiting information redundancy can be a viable direction to mitigate value manipulation attacks, but checking information equivalence alone is not an ultimate solution.
KW - DKOM
KW - Invasive Software
KW - Kernel Rootkit
KW - Memory Forensics
KW - Operating Systems Security
KW - Virtual Machine Introspection
UR - http://www.scopus.com/inward/record.url?scp=84962010502&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962010502&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2014.2366464
DO - 10.1109/TDSC.2014.2366464
M3 - Article
AN - SCOPUS:84962010502
SN - 1545-5971
VL - 12
SP - 557
EP - 570
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 5
M1 - 6942280
ER -