A New Method of Live Tracking of Process Memory

Although memory forensics analysis has been used successfully to detect and defend against attacks, there are still many attacks that cannot be discovered in time. Live tracking of process memory has therefore been an important research subject for a long time. For this reason, we propose a new method of tracking process memory called MRB-PTE (Marking Reserved Bit of Page Table Entry). It sets one of the reserved bits in the page table entries (PTEs) of the target process's memory pages so that the memory behavior of the target process can be captured, which lets us track the target process's memory in real time with lightweight overhead and flexibility. The experiment shows that MRB-PTE not only dynamically reflects the memory behavior of the target process, but also imposes very little performance overhead on it. When the number of process memory pages is 10, the performance overhead is at its smallest, only 7.9%, while consuming few system resources. Traditional memory forensics tools combined with MRB-PTE could improve the sensitivity of attack detection.
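The mechanism the abstract describes, as an added model that is not the paper's own code: a reserved PTE bit is set on a tracked page, the next access raises a page fault whose error code has P=1 and RSVD=1, the handler records the access and clears the bit so the instruction can be retried. The MMU check is a simplified model (no CR0.WP or NX), MAXPHYADDR = 40 and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* x86-64 4-level paging, 4 KiB pages: PTE bits MAXPHYADDR..51 are reserved (must
 * be zero); a set reserved bit makes the next access raise #PF with RSVD set. */
#define MAXPHYADDR  40             /* assumption; platform-specific (CPUID) */
#define MRB_BIT     (1ULL << 51)   /* highest reserved bit when MAXPHYADDR < 52 */
#define PTE_PRESENT (1ULL << 0)
#define PTE_WRITE   (1ULL << 1)
#define PTE_USER    (1ULL << 2)
#define RSVD_MASK   (((1ULL << 52) - 1) & ~((1ULL << MAXPHYADDR) - 1))
/* #PF error-code bits (Intel SDM Vol. 3A): present, write, user-mode,
 * reserved-bit violation, instruction fetch */
enum { PF_P = 1, PF_WR = 2, PF_US = 4, PF_RSVD = 8, PF_ID = 16 };
static uint64_t mark_pte(uint64_t pte)   { return pte | MRB_BIT; }
static uint64_t unmark_pte(uint64_t pte) { return pte & ~MRB_BIT; }

/* Simplified MMU check (ignores CR0.WP and NX): returns true if the access
 * faults, with the #PF error code written to *ec. */
static bool mmu_access(uint64_t pte, bool write, bool user, bool fetch, uint32_t *ec)
{
    *ec = (write ? PF_WR : 0) | (user ? PF_US : 0) | (fetch ? PF_ID : 0);
    if (!(pte & PTE_PRESENT)) return true;                /* not present, P = 0 */
    *ec |= PF_P;
    if (pte & RSVD_MASK) { *ec |= PF_RSVD; return true; } /* reserved-bit violation */
    if (write && !(pte & PTE_WRITE)) return true;         /* protection faults */
    if (user && !(pte & PTE_USER)) return true;
    return false;
}
struct access_rec { uint64_t vaddr; bool write; bool fetch; };
/* MRB-PTE style handler: P=1 and RSVD=1 on a marked page is a captured access;
 * record it and clear the mark so the instruction can be retried (re-arming omitted). */
static bool mrb_pf_handler(uint32_t ec, uint64_t vaddr, uint64_t *pte, struct access_rec *rec)
{
    if ((ec & (PF_P | PF_RSVD)) != (PF_P | PF_RSVD) || !(*pte & MRB_BIT)) return false;
    rec->vaddr = vaddr; rec->write = ec & PF_WR; rec->fetch = ec & PF_ID;
    *pte = unmark_pte(*pte);
    return true;
}

/* Mark a page, do one access, handle the fault, retry: 1 = captured write,
 * 0 = captured read, -1 = nothing captured or the retry still faults. */
static int simulate_tracked_access(uint64_t *pte, uint64_t vaddr, bool write, bool user)
{
    struct access_rec rec; uint32_t ec;
    *pte = mark_pte(*pte);
    if (!mmu_access(*pte, write, user, false, &ec)) return -1;
    if (!mrb_pf_handler(ec, vaddr, pte, &rec)) return -1;
    if (mmu_access(*pte, write, user, false, &ec)) return -1; /* retry must succeed */
    return rec.write ? 1 : 0;
}
```

Each captured access costs one fault plus a retry, which is the per-page overhead the abstract's 7.9% figure reflects; a real implementation must also re-arm the mark after the retry to keep tracking.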
