Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module

Authors

  • Ruo Ando
  • Youki Kadobayashi
  • Yoichi Shinoda
Abstract

A VMM (virtual machine monitor) based system provides useful inspection and interposition of the guest OS. With proper modification of the guest OS, we can obtain event-driven memory snapshots for malicious code forensics. In this paper we propose asynchronous memory snapshot and forensics using a split kernel module. Our split kernel module handles virtualized interruptions, which notify malicious faults, illegal system calls and file accesses. On the frontend, we insert virtualized interruptions into the source code of the MAC (mandatory access control) module, the fault handler and a gcc extension. The backend kernel module then receives the asynchronous incident notification. In the experiment, we take a RAM snapshot of an LKM rootkit installation using the system call extension. Frequently appearing n-grams are extracted by weighted resolution in order to find the memory blocks used by the LKM rootkit. The proposed system can detect unknown malware (malicious software) whose name is not matched by any signature. We also show that evidence of malware can be found in the memory snapshot by a linear extraction algorithm.


Similar sources

Guarded Modules: Adaptively Extending the VMM’s Privileges Into the Guest

Executing VMM-provided code with privileged access to specific hardware and VMM resources within an untrusted guest operating system can enable new mechanisms to enhance functionality, performance, and adaptability. We present a software technique, guarded execution of privileged code in the guest, that allows the VMM to provide this capability, as well as an implementation for Linux guests in ...


Guarded Modules: Adaptively Extending the VMM's Privilege Into the Guest

When a virtual machine monitor (VMM) provides code that executes in the context of a guest operating system, allowing that code to have privileged access to specific hardware and VMM resources can enable new mechanisms to enhance functionality, performance, and adaptability. We present a software technique, guarded execution of privileged code in the guest, that allows the VMM to provide this c...


An adaptive approach for Linux memory analysis based on kernel code reconstruction

Memory forensics plays an important role in security and forensic investigations. Hence, numerous studies have investigated Windows memory forensics, and considerable progress has been made. In contrast, research on Linux memory forensics is relatively sparse, and the current knowledge does not meet the requirements of forensic investigators. Existing solutions are not especially sophisticated,...


On the Viability of Memory Forensics in Compromised Environments

Memory forensics has become a powerful tool for the detection and analysis of malicious software. It provides investigators with an impartial view of a system, exposing hidden processes, threads, and network connections, by acquiring and analyzing physical memory. Because malicious software must be at least partially resident in memory in order to execute, it cannot remove all its traces from R...


Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing

Kernel rootkits pose a significant threat to computer systems as they run at the highest privilege level and have unrestricted access to the resources of their victims. Many current efforts in kernel rootkit defense focus on the detection of kernel rootkits – after a rootkit attack has taken place, while the smaller number of efforts in kernel rootkit prevention exhibit limitations in their cap...



Journal title:

Volume   Issue 

Pages  -

Publication date: 2007