TY - GEN
T1 - Trace-free memory data structure forensics via past inference and future speculations
AU - Sun, Pengfei
AU - Han, Rui
AU - Zhang, Mingbo
AU - Zonouz, Saman
PY - 2016/12/5
Y1 - 2016/12/5
AB - A yet-to-be-solved but very vital problem in forensics analysis is accurate memory dump data type reverse engineering where the target process is not specified a priori and could be any of the running processes within the system. We present REVIVER, a lightweight system-wide solution that extracts data type information from a memory dump without its past execution traces. REVIVER constructs the dump's accurate data structure layout through collection of statistical information about possible past traces, forensic inspection of the present memory dump, and speculative investigation of potential future executions of the suspended process. First, REVIVER analyzes a heavily instrumented set of execution paths of the same executable that end in the same state as the memory dump (the eip and call stack), and collects statistical information about the potential data structure instances in the captured dump. Second, REVIVER uses the statistical information and performs a word-by-word data type forensic inspection of the captured memory dump. Finally, REVIVER revives the dump's execution and explores its potential future execution paths symbolically. REVIVER traces the executions, including library/system calls, for their known argument/return data types, and performs backward taint analysis to mark the dump bytes with the relevant data type information. REVIVER's experimental results on real-world applications are very promising (98.1%), and show that REVIVER improves the accuracy of past trace-free memory forensics solutions significantly while maintaining a negligible runtime performance overhead (1.8%).
UR - http://www.scopus.com/inward/record.url?scp=85007566484&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85007566484&partnerID=8YFLogxK
U2 - 10.1145/2991079.2991118
DO - 10.1145/2991079.2991118
M3 - Conference contribution
AN - SCOPUS:85007566484
T3 - ACM International Conference Proceeding Series
SP - 570
EP - 582
BT - Proceedings - 32nd Annual Computer Security Applications Conference, ACSAC 2016
PB - Association for Computing Machinery
T2 - 32nd Annual Computer Security Applications Conference, ACSAC 2016
Y2 - 5 December 2016 through 9 December 2016
ER -