PMCAP: A Threat Model of Process Memory Data on the Windows Operating System

Research on endpoint security covers both the traditional PC platform and the now-prevalent mobile platform, and the analysis of software vulnerabilities and malware is one of its important components. To better protect endpoints, researchers must continuously explore the insecure factors that affect them. Driven by this motivation, we propose a new threat model, named Process Memory Captor (PMCAP), on the Windows operating system; it threatens the volatile memory data of live processes. Unlike other threats, PMCAP targets the dynamic data in process memory and uses a noninvasive approach for data extraction. In this paper we describe and analyze the model and then give a detailed implementation, taking four popular web browsers (IE, Edge, Chrome, and Firefox) as examples. Finally, the model is verified through real experiments and case studies. Compared with existing technologies, PMCAP can extract valuable data at a lower cost, and some techniques in the model are also applicable to memory forensics and malware analysis.
