ORIGEN: Automatic extraction of offset-revealing instructions for cross-version memory analysis

Qian Feng, Aravind Prakash, Minghua Wang, Curtis Carmony, Heng Yin

Research output: Conference contribution

10 Scopus citations

Abstract

The semantic gap is a prominent problem in raw memory analysis, especially in Virtual Machine Introspection (VMI) and memory forensics. For COTS software, common memory forensics and VMI tools rely on so-called "data structure profiles": a mapping between semantic variables and their relative offsets within the structures of the binary. Constructing such profiles requires expert knowledge of the internal workings of a specific software version. In most cases it takes considerable manual effort, which often turns into a cumbersome process. In this paper, we propose a notion named "cross-version memory analysis", whose goal is to ease profile construction for a new version of a piece of software by transferring knowledge from a profile that already exists for an old version. To this end, we first identify Offset Revealing Instructions (ORIs), instructions whose memory operands expose structure-field offsets, in a version with a known profile, and then leverage code search techniques to label the corresponding ORIs in an unknown version of the same software. With the labeled ORIs, we can localize the profile for the new version. We provide a proof-of-concept implementation called ORIGEN. The efficacy and efficiency of ORIGEN have been empirically verified on a number of software packages. The experimental results show that by conducting the ORI search on Windows XP SP0 and Linux 3.5.0, we can successfully recover data structure profiles for Windows XP SP2, Vista and Windows 7, and for Linux 2.6.32, 3.8.0 and 3.13.0, respectively. A systematic evaluation on 40 versions of OpenSSH demonstrates that ORIGEN achieves a precision of more than 90%. As a case study, we integrate ORIGEN into a VMI tool to automatically extract the semantic information required for VMI. We also develop two plugins for the Volatility memory forensics framework, one for OpenSSH session key extraction and the other for encrypted filesystem key extraction; both achieve cross-version analysis through ORIGEN.
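The abstract describes a three-step idea: label instructions that reveal field offsets in a version whose profile is known, find the corresponding instructions in an unknown version by code search, and read the new offsets off them. The following is an added toy illustration of that workflow, not ORIGEN's code or its actual matching algorithm: it uses hand-constructed Intel-syntax listings of one function in two hypothetical versions (a field was inserted into the structure, so the offsets shift, and register allocation changed), a made-up two-field profile, and a deliberately simple "code search" that compares a normalised window of neighbouring instructions. The field names, offsets and listings are assumptions for the example.

```python
"""Toy ORI workflow: label offset-revealing instructions where the profile is
known, find their counterparts in a new version by matching normalised
instruction context, and read the new offsets off the matches."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed listings standing in for disassembly of the same function in two
# versions of a program. Not from the paper, OpenSSH or any real binary.
OLD_FUNC: List[Tuple[str, str]] = [
    ("push", "rbp"),
    ("mov", "rbp, rsp"),
    ("mov", "rax, [rdi+0x18]"),   # loads <struct>.session_key (an ORI)
    ("test", "rax, rax"),
    ("je", "0x40"),
    ("mov", "rdx, [rdi+0x20]"),   # loads <struct>.peer (an ORI)
    ("mov", "rsi, rax"),
    ("call", "0x1000"),
    ("pop", "rbp"),
    ("ret", ""),
]
NEW_FUNC: List[Tuple[str, str]] = [
    ("push", "rbx"),
    ("mov", "rbx, rdi"),
    ("mov", "rax, [rbx+0x20]"),   # a field was inserted: session_key moved
    ("test", "rax, rax"),
    ("je", "0x50"),
    ("mov", "rdx, [rbx+0x28]"),   # peer moved too
    ("mov", "rsi, rax"),
    ("call", "0x2000"),
    ("pop", "rbx"),
    ("ret", ""),
]
OLD_PROFILE = {"session_key": 0x18, "peer": 0x20}  # assumed known for the old version

MEM_RE = re.compile(r"\[(\w+)(?:\+0x([0-9a-f]+))?\]")
HEX_RE = re.compile(r"0x[0-9a-f]+")
REG_RE = re.compile(r"\b(r[a-z0-9]+|e[a-z]{2})\b")
STACK_BASES = {"rsp", "rbp", "esp", "ebp"}


def mem_operand(operands: str) -> Optional[Tuple[str, int]]:
    """Return (base register, displacement) if the instruction touches memory."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    return m.group(1), int(m.group(2) or "0", 16)


def normalise(ins: Tuple[str, str]) -> str:
    """Abstract registers, displacements and immediates away so the instruction
    'shape' survives register re-allocation and layout changes."""
    mnem, ops = ins
    ops = MEM_RE.sub("[R+DISP]", ops)
    ops = HEX_RE.sub("IMM", ops)
    ops = REG_RE.sub("R", ops)
    return f"{mnem} {ops}".strip()


def context(func, i: int, width: int = 2) -> List[Optional[str]]:
    """Normalised instructions in a window around index i (None past the ends)."""
    return [normalise(func[j]) if 0 <= j < len(func) else None
            for j in range(i - width, i + width + 1)]


def find_oris(func, profile: Dict[str, int]) -> Dict[str, int]:
    """Map each profile field to the index of an instruction revealing its offset."""
    by_offset = {off: name for name, off in profile.items()}
    oris: Dict[str, int] = {}
    for i, ins in enumerate(func):
        mem = mem_operand(ins[1])
        if mem is None or mem[0] in STACK_BASES:
            continue  # stack slots are not structure fields
        name = by_offset.get(mem[1])
        if name is not None and name not in oris:
            oris[name] = i
    return oris


def locate(new_func, signature: List[Optional[str]]) -> Optional[int]:
    """Index of the best-scoring candidate with the same shape; None if ambiguous."""
    centre = len(signature) // 2
    scores = []
    for i in range(len(new_func)):
        cand = context(new_func, i, centre)
        if cand[centre] != signature[centre]:
            continue
        scores.append((sum(a == b for a, b in zip(cand, signature)), i))
    if not scores:
        return None
    scores.sort(reverse=True)
    if len(scores) > 1 and scores[0][0] == scores[1][0]:
        return None  # two equally good matches: refuse to guess
    return scores[0][1]


def recover_profile(old_func, new_func, old_profile) -> Dict[str, Optional[int]]:
    """Transfer a profile from the old version to the new one via matched ORIs."""
    new_profile: Dict[str, Optional[int]] = {}
    for name, idx in find_oris(old_func, old_profile).items():
        j = locate(new_func, context(old_func, idx))
        new_profile[name] = mem_operand(new_func[j][1])[1] if j is not None else None
    return new_profile


if __name__ == "__main__":
    print(recover_profile(OLD_FUNC, NEW_FUNC, OLD_PROFILE))
```

Two points carry over to real use. First, an offset value alone is a weak label: `0x18` also appears as a stack slot or an unrelated structure's field, which is why the toy excludes stack bases and why a real system needs stronger evidence that the base register holds the structure of interest. Second, when several candidates in the new version score equally, reporting "unknown" is safer than guessing, since a wrong offset silently corrupts every downstream forensic extraction that uses the profile.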

Original language: English (US)
Title of host publication: ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 11-22
Number of pages: 12
ISBN (Electronic): 9781450342339
DOIs
State: Published - May 30 2016
Event: 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016 - Xi'an, China
Duration: May 30 2016 - Jun 3 2016

Publication series

Name: ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security

Other

Other: 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016
Country/Territory: China
City: Xi'an
Period: 5/30/16 - 6/3/16

ASJC Scopus subject areas

  • Computer Science Applications
  • Software
  • Computer Networks and Communications
