research-article

In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics

Published: 09 July 2022

Abstract

The first step required to perform any analysis of a physical memory image is the reconstruction of the virtual address spaces, which allows translating virtual addresses to their corresponding physical offsets. However, this phase is often overlooked, and the challenges related to it are rarely discussed in the literature. Practical tools solve the problem by using a set of custom heuristics tailored to a very small number of well-known operating systems (OSs) running on few architectures.

In this article, we look for the first time at all the different ways the virtual-to-physical translation can be performed in 10 different CPU architectures. In each case, we study the inviolable constraints imposed by the memory management unit, which can be used to build signatures to recover the required data structures from memory without any knowledge about the running OS. We build a proof-of-concept tool to experiment with the extraction of virtual address spaces, showing the challenges of performing an OS-agnostic virtual-to-physical address translation in real-world scenarios. We conduct experiments on a large set of 26 different OSs and a use case on a real hardware device. Finally, we show a possible usage of our technique to retrieve information about user space processes running on an unknown OS without any knowledge of its internals.
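As an added illustration of the idea in the abstract (this is not code from the paper or from its proof-of-concept tool), the following Python applies it to one of the ten architectures, x86-64 4-level paging: a brute-force scan over a constructed physical image accepts a page as a PML4 only if its whole radix tree satisfies constraints the MMU itself enforces (page alignment, reserved bits clear, next-level pointers inside the dump), with no knowledge of the OS, and the recovered root is then used for virtual-to-physical translation. The image layout, the decoy page and all function names are constructed for this example.

```python
import struct

PAGE = 4096
ADDR_MASK = 0x000F_FFFF_FFFF_F000        # entry bits 51:12: next table or page frame
PRESENT, PS = 1 << 0, 1 << 7             # present flag; page-size flag in a PDPTE/PDE
# Bits the MMU requires to be zero: bit 7 in a PML4E, 29:13 in a 1 GiB PDPTE, 20:13 in a 2 MiB PDE
RESERVED = {4: PS, 3: (1 << 30) - (1 << 13), 2: (1 << 21) - (1 << 13)}

def table_entries(img, paddr):
    return struct.unpack_from("<512Q", img, paddr)

def valid_table(img, paddr, level):
    """Could the page at paddr be a level-`level` table (4 = PML4 ... 1 = PT)?  Only
    MMU-imposed rules are used: alignment, at least one present entry, reserved bits
    clear, and every next-level pointer inside the dump, checked recursively."""
    if paddr % PAGE or paddr + PAGE > len(img):
        return False
    present = [e for e in table_entries(img, paddr) if e & PRESENT]
    for e in present:
        large = level in (3, 2) and bool(e & PS)
        if (level == 4 or large) and e & RESERVED[level]:
            return False
        if level > 1 and not large and not valid_table(img, e & ADDR_MASK, level - 1):
            return False
    return bool(present)

def find_pml4s(img):  # brute-force scan: pages whose whole radix tree passes the checks
    return [p for p in range(0, len(img), PAGE) if valid_table(img, p, 4)]

def translate(img, pml4, vaddr):
    """Walk the tree for vaddr; None if non-canonical or unmapped."""
    if (vaddr >> 47) not in (0, 0x1FFFF):    # bits 63:47 must all be equal
        return None
    table = pml4
    for level in (4, 3, 2, 1):
        shift = 12 + 9 * (level - 1)
        e = table_entries(img, table)[(vaddr >> shift) & 0x1FF]
        if not e & PRESENT:
            return None
        if level in (3, 2) and e & PS:       # large page: the low `shift` bits are the offset
            size = 1 << shift
            return (e & ADDR_MASK & ~(size - 1)) | (vaddr & (size - 1))
        table = e & ADDR_MASK
    return table | (vaddr & 0xFFF)

def build_sample_image():
    """Constructed 64 KiB dump: PML4 @0x1000 -> PDPT @0x2000 -> PD @0x3000 -> PT @0x4000
    maps 0x400000 to frame 0x5000; PD[1] is a 2 MiB page at 0x800000; PML4[256] aliases
    the same PDPT into the upper half; 0x6000 is a decoy PML4 whose entry has bit 7 set."""
    img = bytearray(0x10000)
    for paddr, idx, val in [(0x1000, 0, 0x2003), (0x1000, 256, 0x2003), (0x2000, 0, 0x3003),
                            (0x3000, 2, 0x4003), (0x3000, 1, 0x800000 | PS | 3),
                            (0x4000, 0, 0x5003), (0x6000, 0, 0x2000 | PS | 3)]:
        struct.pack_into("<Q", img, paddr + 8 * idx, val)
    return bytes(img)
```

Running `find_pml4s(build_sample_image())` yields only `[0x1000]`: the decoy at 0x6000 fails the reserved-bit rule and the lower-level tables fail when treated as roots because their leaves do not lead to a populated page table.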


Published in

ACM Transactions on Privacy and Security, Volume 25, Issue 4, November 2022, 330 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3544004

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 9 July 2022
• Online AM: 30 March 2022
• Accepted: 1 March 2022
• Revised: 1 January 2022
• Received: 1 August 2021
Qualifiers

• research-article
• Refereed