Hypervisor-assisted Atomic Memory Acquisition in Modern Systems
Kiperberg, M., Leon, R., Resh, A., Algawi, A., & Zaidenberg, N. (2019). Hypervisor-assisted Atomic Memory Acquisition in Modern Systems. In P. Mori, S. Furnell, & O. Camp (Eds.), ICISSP 2019 : Proceedings of the 5th International Conference on Information Systems Security and Privacy, Volume 1 (pp. 155-162). SCITEPRESS Science And Technology Publications. https://doi.org/10.5220/0007566101550162
Päivämäärä
2019Tekijänoikeudet
© 5th International Conference on Information Systems Security and Privacy by SCITEPRESS
Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method.
Julkaisija
SCITEPRESS Science And Technology PublicationsEmojulkaisun ISBN
978-989-758-359-9Konferenssi
International Conference on Information Systems Security and PrivacyKuuluu julkaisuun
ICISSP 2019 : Proceedings of the 5th International Conference on Information Systems Security and Privacy, Volume 1Asiasanat
Julkaisu tutkimustietojärjestelmässä
https://converis.jyu.fi/converis/portal/detail/Publication/30725172
Metadata
Näytä kaikki kuvailutiedotKokoelmat
Lisenssi
Samankaltainen aineisto
Näytetään aineistoja, joilla on samankaltainen nimeke tai asiasanat.
-
H-KPP : Hypervisor-Assisted Kernel Patch Protection
Kiperberg, Michael; Zaidenberg, Nezer Jacob (MDPI AG, 2022)We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious ... -
Hypervisor memory acquisition for ARM
Ben Yehuda, Raz; Shlingbaum, Erez; Gershfeld, Yuval; Tayouri, Shaked; Zaidenberg, Nezer Jacob (Elsevier, 2021)Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the ... -
Hypervisor-assisted dynamic malware analysis
Leon, Roee S.; Kiperberg, Michael; Zabag, Anat Anatey Leon; Zaidenberg, Nezer Jacob (Springer, 2021)Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis ... -
Creating modern blue pills and red pills
Algawi, Asaf; Kiperberg, Michael; Leon, Roee; Resh, Amit; Zaidenberg, Nezer (Academic Conferences International, 2019)The blue pill is a malicious stealthy hypervisor-based rootkit. The red pill is a software package that is designed to detect such blue pills. Since the blue pill was originally proposed there has been an ongoing arms race ... -
Hypervisor-Based White Listing of Executables
Leon, Roee S; Kiperberg, Michael; Zabag, Anat Anatey Leon; Resh, Amit; Algawi, Asaf; Zaidenberg, Nezer J. (IEEE Computer Society Press, 2019)We describe an efficient system for ensuring code integrity of an operating system (OS), both its own code and application code. The proposed system can protect from an attacker who has full control over the OS kernel. An ...
Ellei toisin mainittu, julkisesti saatavilla olevia JYX-metatietoja (poislukien tiivistelmät) saa vapaasti uudelleenkäyttää CC0-lisenssillä.