Now You See Me: Hide and Seek in Physical Address Space

With the growing complexity of computing systems, memory-based forensic techniques are becoming instrumental in digital investigations. Digital forensic examiners can unravel what happened on a system by acquiring and inspecting in-memory data. Meanwhile, attackers have developed numerous anti-forensic mechanisms to defeat existing memory forensic techniques by manipulating system software such as the OS kernel. To counter anti-forensic techniques, some recent research suggests that the memory acquisition process can be trusted if the acquisition module has not been tampered with and all operations are performed without relying on any untrusted software, including the operating system. However, in this paper, we show that it is possible for malware to bypass the current state-of-the-art trusted memory acquisition module by manipulating the physical address space layout, which is shared between physical memory and I/O devices on x86 platforms. This fundamental design of the x86 platform enables an attacker to build an OS-agnostic anti-forensic system. Based on this finding, we propose Hidden in I/O Space (HIveS), which manipulates CPU registers to alter this physical address layout. The system uses a novel I/O Shadowing technique to lock a memory region, named HIveS memory, into the I/O address space, so all operation requests to the HIveS memory are redirected to the I/O bus instead of the memory controller. To access the HIveS memory, the attacker unlocks the memory by mapping it back into the memory address space. Two novel techniques, Blackbox Write and TLB Camouflage, are developed to further protect the unlocked HIveS memory against memory forensics while allowing attackers to access it. A HIveS prototype is built and tested against a set of memory acquisition tools for both Windows and Linux running on the x86 platform. Lastly, we propose potential countermeasures to detect and mitigate HIveS.
