2016 International Conference on Electronic Information Technology and Intellectualization (ICEITI 2016) ISBN: 978-1-60595-364-9
VMMF: Virtual Machine Memory Forensics
Based on Event Trigger Mechanism
Yong Gang Li, Chao Yuan Cui, Yun Wu and Bing Yu Sun
ABSTRACT
Virtualization is increasing rapidly recent years. Virtual machines have become not only attack objects but also criminal tools for computer crimes. Memory forensics technology can collect the evidence of virtual machine crimes effectively. Traditional memory forensics tools are deployed into the host where attackers always try to hide or delete the data generated during attack process. As a result, they can be bypassed or cheated in virtual machines. Besides, to get the complete information traditional tools always expand the forensics scale leading to massive redundant information. For the sake of these problems, we propose a new method of virtual machine memory forensics based on event trigger mechanism named VMMF. The experiment results show that the new method can get the code section, data section, kernel stack content, dynamic-link library file, and execution path of the suspicious process in Linux. It just focuses on the suspicious process content reducing redundant information.
INTRODUCTION
In recent years, with virtualization developing the security issue of virtual machine (VM) [1]has been paid more and more attention. Various viruses have been
_______________________
Yong Gang Li, Chao Yuan Cui, Bing Yu Sun, Hefei Institute of Intelligent Machine, Hefei Institutes of Physical science, Chinese Academy of Sciences, 230031
Yong Gang Li, School of Information Science and Technology, University of Science and Technology of China, 230027
spreading from physical machines to virtual machines. Attackers regard the VM not only an attack object but also an attack tool. Memory forensics [2] technology can get the evidence about attack activity and provides it to judicial authority, which helps supporting against the computer crimes.
To prevent computer crimes, scientists have done a lot of researches about memory forensics technology. According to the survey of Zhang Yu [2], all the methods can be classified into two categories: based on hardware and based on software. Alessandro proposed a method called SMM Dumper [3] based on system management mode (SMM) of PCI to get the content of physical memory and CPU registers. Štefan [4] can get the physical memory by the aid of network driver interface specification (NIDS). Dolan - Gavitt developed VAD Tools [5]that can enumerate all the process and thread information by analyzing VAD tree structure. Wang et al. [6] proposed a model based on the physical memory or memory image/dump. It breaks the work procedure into four stages: gathering evidence, examining it, analyzing it and finally generating a report. The volatile memory technique was proposed by Aljaedi et al. [7] in 2011. This technique can collect the live processes information and the finished or cache processes information.
All the above techniques can be used in VM memory forensics. However, they must be deployed into the target VM which may have been compromised. As a result what the forensics tools get is untrusted. Another problem is that most of the above techniques get too much redundancy information making analysis difficult. To solve these problems, we propose VMMF based on event trigger mechanism. We put forensics tool outside the target VM. It assures that the tool can’t be cheated or bypassed because of the isolation between VM and forensics tool. Through judging the suspicious activity of processes we select which process to capture. Compared with the most existing solutions we only get the memory content of suspicious process generating the least redundancy information.
DESIGN
A process is an instance of a computer program that is being executed. Every process in operating system (OS) is described by a process control block (PCB) defined as a data structure called task struct [8].All the running processes are linked by a doubly linked list which is implemented as a member of the task_struct. VMMF can traverse the entire process list through the doubly linked list and get all the information about process outside VM. It mainly focuses on getting the suspicious process content in Linux.
We deploy VMMF on Xen [9] platform to get the information of process. Xen consists of Xen Hypervisor and domains including the only privileged domain named dom0 and unprivileged domains named domU. Through Xen we can get virtual CPU (VCPU) context [10] and the content of process of domU.
including memory forensics module, secure view module, and messenger sender. Back-end modules reside in domU including guest view module and message receiver.
First, message sender generates two signals: one transferred to secure view module and another to domU through Xen store. When message receiver receives the signal transferred from dom0, it forwards the signal to guest view module immediately. After receiving signal, secure view module and guest view module generates semantic views (guest view and secure view)synchronously. Then the two views will be transferred to judge module for judging according to judge algorithm. If there exist hidden processes between two views, judge module will generate an exception that is a trigger event waking up memory forensics module. After being waken up, memory forensics module captures the suspicious process content.
Dom0 DomU
Xen Hypervisor Virtual
Memory Xenstore Judge Module
Message Sender Message
Receiver Secure View
Module Guest View
Module
secure view guest view
Hardware (Physical CPU, Physical Memory, Disk, etc.)
Processes
...
ps
Memory Mapping
Memory Forensics Module
trigger event VMI
process content process
[image:3.612.131.480.285.557.2]content
Figure 1. Architecture of VMMF.
Getting Semantic Views Synchronously
badly. The message passing mechanism based on Xen store is designed for synchronization in getting semantic views procedure
The semantic views include guest view and secure view. We execute “ps -aux” in domU to get guest view. Different with guest view, secure view is the process list of domU captured in dom0. First we get the VCPU context of domU that contains some registers (others are stored in kernel stack) including esp. To get starting address of kernel stack of current process, we execute as this: esp&~ (THREAD SIZE - 1). The executing result is the starting address of thread info whose first entry points to the task struct of current process. Then we can traverse all the processes through doubly linked list. While all the above operation about reading memory must be processed through memory mapping described in section 2.3.
Judge Algorithm
Define the secure view as ࣰ࣭and the guest view as ࣰ࣡. Define the exception as ε. Define the process name as ξ and process id as θ. The algorithm is shown as Algorithm 1. If there is hidden process, the judge module will generate an exception.
① ࣰ࣭ = {(1,1), (2,2), …, (m, m) | executed outside VM}
② ࣰ࣡ = {(1,1), (2,2), …, (n, n) | executed in VM}
③ ε = ࣰ࣭–ࣰ࣡ = {(i, i), (i1, i1), …, (j, j)} ④ if (ε≠Φ)
⑤ then generate exception ⑥ else keep silence
Algorithm 1: Judge Algorithm
Memory Forensics
After being waken up, memory forensics module will pause domU and get the suspicious process content including code section, data section, stack content, dynamic-link library files, and execution path through reading memory outside domU. However, we can’t read the memory directly because of the isolation between VMs. Every operation about reading VM memory outside must be handled by the function map page() which calls xc_map foreign range() and xc_translate foreign address() provided by the library libxc. The way reading memory is memory mapping that must be combined with VMI [11] tools for bridging the semantic gap [12]. The VMI tool we use is a semantic library containing some crucial semantic information of kernel such as the offset and date type of pid, a member in task struct. In the library the offsets and data types of data structure entries are important for memory mapping. The offset is used to locate the suspicious process content accurately in memory. The data type determines how many bits to read and which type to be restored in dom0.
respectively points to the starting address and ending address of code section in memory. Reading the memory between the starting address and ending address, we can get the binary code of suspicious process. Similar with getting code section, we just need read the memory between start_date and end_data in mm_struct.
In general, a complete Linux system is composed of a large number of files. Meanwhile, these files are organized in the form of tree. In addition to the leaf nodes representing files, every node of the tree represents a directory. The virtual file system uses a data structure defined as dentry to describe the directories and files. In dentry, the entry d_parent points to the current file’s parent and the d_iname points to file name. VMMF traverses up along d_parent until getting the root directory“/”. During the procedures every dentry is a directory and the reverse order of all directories is a file path. To access the starting dentry, six data structures including task_struct, mm_struct, vm_area_struct, file, path, and dentry should be traversed. The traversal sequence is task_struct > mm >mmap >vm_file >f_path > path ->dentry. The first file path we get is execution path and others whose name postfix is “.so” are dynamic-link library files of the suspicious process.
EXPERIMENTS AND RESULTS
We implement VMMF on Xen 4.1.2. Dom0 is Ubuntu12.04-64 desktop with kernel 3.2.0-23, 3.2GHz CPU, 4 cores, and 4G memory. DomU is Ubuntu12.04-64 server with kernel 3.2.16, 2.2GHz CPU, 1 core, and 1G memory.
In domU, we apply f00lkit, a kernel module rootkit that can hide processes and files from detection, to hide a process that steals input of number keyboard. Figure 2 shows the semantic views captured in and out douU. The process “shiyan” is hidden in domU, while it is detected outside (in red circle). So judge module will generate an exception waking up forensics module.
Figure 3 shows the code section captured by VMMF is accurate. In this picture, the left part is the code section we get outside domU, and the right part is the code generated by disassembling executable file. There is no difference between the left part with black ground and the right part turn out what we get is exactly accurate.
Figure 4 shows the dynamic-link library in which the first (in the red box) is execution path respectively captured in dom0 (the left part) and in domU (the right part). There is an only difference between two VMs: “stack”. It’s in domU while not in dom0. The reason is that “stack” is a process stack not a dynamic-link file. The reverse order of file path and the file offset in dom0 are completely consistent with the execution results of “pmap 1594” in domU.
CONCLUSIONS
between secure view and guest view, VMMF generates an exception that is a trigger event. Through passing information to dom0 and domU at a same time point, VMMF can reduce the inconsistency of VM state getting a more accurate result. It can capture all the content of suspicious process. VMMF just focuses on the suspicious process avoiding too much redundancy information.
Figure 2. Secure View and Guest View.
Figure 3. Code Section.
[image:6.612.100.516.527.662.2]ACKNOWLEDGEMENTS
This paper is supported by the National Science-technology Support Plan Projects of China (No. 2014BAD10B08) and National Natural Science Foundation of
China (31371340)
REFERENCES
1. Rehman A., Alqahtani S., Altameem A., et al. Virtual machine security challenges: case studies[J]. International Journal of Machine Learning & Cybernetics, 2014, 5(5): 729-742. 2. Zhang Yu, Liu Qing-Zhong, Li Tao, al. Research and Development of Memory Forensics
[J]. Journal of Software, 2015(5):1151-1172.
3. Reina A., Fattori A., Pagani F., Cavallaro L., Bruschi D. When hardware meets software: A bulletproof solution to forensic memory acquisition. In: Proc. of the ACSAC 2012. 2012. [doi: 10.1145/2420950.2420962].
4. Balogh Š. Memory acquisition by using network card. Journal of Cyber Security, 2014, 3(1): 65-76. [doi: 10.13052/jcsm2245-1439.314].
5. Virtual Address Descriptor Tools. 2014. http://vadtools.sourceforge.net/.
6. L. Wang, R. Zhang., and S. Zhang, “A model of computer live forensics based on physical memory analysis,” In IEEE Information Science and Engineering (ICISE), 2009 1st International Conference on, (2009), December, pp. 4647-4649.
7. Aljaedi A., Lindskog D., Zavarsky P., et al. Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging. [C]// Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (Social Com), 2011: 1253-1258. 8. Shahzad F., Shahzad M., Farooq M. In-execution dynamic malware analysis and detection by
mining information in process control blocks of Linux OS [J]. Information Sciences, 2013, 231(9): 45–63.
9. B.D. Payne, M. Carbone, M. Sharif, W. Lee, Lares: an architecture for secure active monitoring using virtualization, the 2008 IEEE Symposium on Security and Privacy, (2008) 233-247.
10. Zhang X., Yin D.S. Real-time improvement of VCPU scheduling algorithm on Xen [C]// International Conference on Computer Science and Service System. IEEE, 2011: 1506-1509. 11. Dolan-Gavitt B., Leek T., Zhivich M., et al. Virtuoso: Narrowing the Semantic Gap in Virtual
Machine Introspection [C]// Security and Privacy (SP), 2011 IEEE Symposium, 2011: 297-312.
