Abstract
The first step required to perform any analysis of a physical memory image is the reconstruction of the virtual address spaces, which allows translating virtual addresses to their corresponding physical offsets. However, this phase is often overlooked, and the challenges related to it are rarely discussed in the literature. Practical tools solve the problem by using a set of custom heuristics tailored to a very small number of well-known operating systems (OSs) running on few architectures.
In this article, we look for the first time at all the different ways the virtual-to-physical translation can be performed in 10 different CPU architectures. In each case, we study the inviolable constraints imposed by the memory management unit that can be used to build signatures to recover the required data structures from memory without any knowledge about the running OS. We build a proof-of-concept tool to experiment with the extraction of virtual address spaces, showing the challenges of performing an OS-agnostic virtual-to-physical address translation in real-world scenarios. We conduct experiments on a large set of 26 different OSs and a use case on a real hardware device. Finally, we show a possible usage of our technique to retrieve information about user space processes running on an unknown OS without any knowledge of its internals.
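As an added worked example (not code from the paper or from its proof-of-concept tool), the following Python performs the translation step the abstract describes for one of the covered architectures, x86-64 with 4-level paging: it walks PML4, PDPT, PD and PT over a constructed physical memory image, and then uses only constraints the MMU itself imposes on page-table entries (present bit, the page-size bit, reserved bits of large-page entries, and next-level pointers that must land inside physical memory) to locate candidate top-level tables without any OS knowledge. The image layout, the table placements, the two mapped virtual addresses and the simplified scanner are my assumptions for illustration; the reserved-bit rules follow the Intel SDM for 4-level paging.

```python
"""Added example: x86-64 4-level page-table walk plus an OS-agnostic,
MMU-constraint-based search for candidate PML4 pages in a memory image.
The image below is constructed in code; it is not a real dump."""
import struct

PAGE = 0x1000
PRESENT = 1 << 0
RW = 1 << 1
PS = 1 << 7                          # page-size bit: leaf at PDPT (1 GiB) or PD (2 MiB)
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # physical-address field, bits 12..51

# Constructed layout (assumption): tables and a data page in a 4 MiB image.
PML4, PDPT_U, PD_U, PT_U, DATA, PDPT_K, PD_K = (
    0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x6000, 0x7000)
VA_USER = 0x0000_7F00_0040_1000      # 4 KiB page mapped to DATA
VA_KERN = 0xFFFF_8000_0000_0000      # 2 MiB page mapped to physical 0x20_0000


def indices(va):
    """Split a virtual address into the four 9-bit table indices."""
    return ((va >> 39) & 0x1FF, (va >> 30) & 0x1FF,
            (va >> 21) & 0x1FF, (va >> 12) & 0x1FF)


def entry(mem, table_pa, i):
    return struct.unpack_from("<Q", mem, table_pa + 8 * i)[0]


def put(mem, table_pa, i, value):
    struct.pack_into("<Q", mem, table_pa + 8 * i, value)


def translate(mem, cr3, va):
    """PML4 -> PDPT -> PD -> PT walk. Returns the physical address, or None
    if any level is not present. Large pages terminate the walk early."""
    l4, l3, l2, l1 = indices(va)
    pml4e = entry(mem, cr3 & ADDR_MASK, l4)
    if not pml4e & PRESENT:
        return None
    pdpte = entry(mem, pml4e & ADDR_MASK, l3)
    if not pdpte & PRESENT:
        return None
    if pdpte & PS:                                        # 1 GiB page
        return (pdpte & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF)
    pde = entry(mem, pdpte & ADDR_MASK, l2)
    if not pde & PRESENT:
        return None
    if pde & PS:                                          # 2 MiB page
        return (pde & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
    pte = entry(mem, pde & ADDR_MASK, l1)
    if not pte & PRESENT:
        return None
    return (pte & ADDR_MASK) | (va & 0xFFF)


def table_is_plausible(mem, pa, level):
    """Structural signature: read the page at `pa` as a level-N table
    (4 = PML4 ... 1 = PT) and check MMU-imposed rules down to a leaf:
    a present PML4E must have PS clear; a 1 GiB PDPTE must have bits 13..29
    clear; a 2 MiB PDE must have bits 13..20 clear; every next-level pointer
    must be page aligned and inside the image. Bits 52..62 are ignored by
    the hardware, so they are deliberately not used as a signature."""
    if pa % PAGE or pa + PAGE > len(mem):
        return False
    present = [e for e in struct.unpack_from("<512Q", mem, pa) if e & PRESENT]
    if not present:
        return False                 # a walk never reaches an empty table
    for e in present:
        if level == 4 and e & PS:
            return False
        if level == 3 and e & PS and e & 0x3FFF_E000:
            return False
        if level == 2 and e & PS and e & 0x001F_E000:
            return False
        if level > 1 and not e & PS:
            if not table_is_plausible(mem, e & ADDR_MASK, level - 1):
                return False
    return True


def find_pml4_candidates(mem):
    """Scan every page of the image and keep those that satisfy the
    PML4 constraints all the way down; no OS structures are consulted."""
    return [pa for pa in range(0, len(mem), PAGE) if table_is_plausible(mem, pa, 4)]


def build_image():
    """Constructed 4 MiB physical image with one user and one kernel mapping."""
    mem = bytearray(0x40_0000)
    l4, l3, l2, l1 = indices(VA_USER)
    put(mem, PML4, l4, PDPT_U | PRESENT | RW)
    put(mem, PDPT_U, l3, PD_U | PRESENT | RW)
    put(mem, PD_U, l2, PT_U | PRESENT | RW)
    put(mem, PT_U, l1, DATA | PRESENT | RW)
    k4, k3, k2, _ = indices(VA_KERN)
    put(mem, PML4, k4, PDPT_K | PRESENT | RW)
    put(mem, PDPT_K, k3, PD_K | PRESENT | RW)
    put(mem, PD_K, k2, 0x20_0000 | PRESENT | RW | PS)   # 2 MiB leaf
    mem[DATA + 0x234:DATA + 0x238] = b"MARK"            # constructed marker
    return mem


if __name__ == "__main__":
    img = build_image()
    print(hex(translate(img, PML4, VA_USER + 0x234)))   # 0x5234
    print(hex(translate(img, PML4, VA_KERN + 0x12345))) # 0x212345
    print([hex(p) for p in find_pml4_candidates(img)])  # ['0x1000']
```

Note that the intermediate tables (PDPT, PD, PT) are rejected as PML4 candidates only because the recursion insists on a full chain down to a leaf; read in isolation, a PDPT and a PML4 are indistinguishable, which is one of the ambiguities an OS-agnostic reconstruction has to resolve.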
In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics