Monitoring Access to Shared Memory-Mapped Files

Similar documents
Monitoring Access to Shared Memory-Mapped Files

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Unification of Digital Evidence from Disparate Sources

Developing a New Digital Forensics Curriculum

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Extracting Hidden Messages in Steganographic Images

File Classification Using Sub-Sequence Kernels

Can Digital Evidence Endure the Test of Time?

Rapid Forensic Imaging of Large Disks with Sifting Collectors

File Fragment Encoding Classification: An Empirical Approach

Privacy-Preserving Forensics

Design Tradeoffs for Developing Fragmented Video Carving Tools

Fast Indexing Strategies for Robust Image Hashes

An Evaluation Platform for Forensic Memory Acquisition Software

A Functional Reference Model of Passive Network Origin Identification

The Normalized Compression Distance as a File Fragment Classifier

Breaking the Performance Wall: The Case for Distributed Digital Forensics

A Study of User Data Integrity During Acquisition of Android Devices

Ranking Algorithms For Digital Forensic String Search Hits

Automated Identification of Installed Malicious Android Applications

Virtual to physical address translation

SHARED ADDRESS TRANSLATION REVISITED

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 23

Chapter 11: File System Implementation. Objectives

The cow and Zaphod... Virtual Memory #2 Feb. 21, 2007

Multidimensional Investigation of Source Port 0 Probing

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2015 Lecture 23

Multi-level Page Tables & Paging+ segmentation combined

Introduction to OpenCL!

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

On Criteria for Evaluating Similarity Digest Schemes

Address spaces and memory management

A Framework for Attack Patterns Discovery in Honeynet Data

Honeynets and Digital Forensics

Operating Systems Design Exam 2 Review: Spring 2011

CS 416: Opera-ng Systems Design March 23, 2012

Hash Based Disk Imaging Using AFF4

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Processes. Process Management Chapter 3. When does a process gets created? When does a process gets terminated?

Memory Management. Goals of Memory Management. Mechanism. Policies

More on Synchronization and Deadlock

Paging. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Question Points Score Total 100

Chapter 11: Implementing File Systems. Operating System Concepts 8 th Edition,

Multi-Process Systems: Memory (2) Memory & paging structures: free frames. Memory & paging structures. Physical memory

File-System Structure. Allocation Methods. Free-Space Management. Directory Implementation. Efficiency and Performance. Recovery

Process size is independent of the main memory present in the system.

(b) External fragmentation can happen in a virtual memory paging system.

Linux Physical Memory Analysis

Linux Memory Management

FILE SYSTEMS. CS124 Operating Systems Winter , Lecture 23

Memory Management Topics. CS 537 Lecture 11 Memory. Virtualizing Resources

CS140 Project 3: Virtual Memory. TA: Diveesh Singh

Carnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition

Address Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSE 451: Operating Systems Winter Page Table Management, TLBs and Other Pragmatics. Gary Kimura

Operating System Design and Implementation Memory Management Part III

Chapter 11: File System Implementation

Chapter 14: File-System Implementation

Chapter 11: File System Implementation

Computer Systems. Virtual Memory. Han, Hwansoo

File System Internals. Jo, Heeseung

Virtual Memory Outline

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

ECE 598 Advanced Operating Systems Lecture 10

Paging. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSE 120 Principles of Operating Systems

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

FILE SYSTEMS, PART 2. CS124 Operating Systems Fall , Lecture 24

Chapter 11: Implementing File Systems

Virtual Memory. Daniel Sanchez Computer Science & Artificial Intelligence Lab M.I.T. November 15, MIT Fall 2018 L20-1

File-System Structure

Operating System Design Issues. I/O Management

Chapter 8 Virtual Memory

2 nd Half. Memory management Disk management Network and Security Virtual machine

Processes and Virtual Memory Concepts

COMP SCI 3SH3: Operating System Concepts (Term 2 Winter 2006) Test 2 February 27, 2006; Time: 50 Minutes ;. Questions Instructor: Dr.

Lecture 19: Virtual Memory: Concepts

Information Assurance In A Distributed Forensic Cluster

Guerrilla 7: Virtual Memory, ECC, IO

Memory: Page Table Structure. CSSE 332 Operating Systems Rose-Hulman Institute of Technology

What is a file system

Archival Science, Digital Forensics and New Media Art

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

OPERATING SYSTEMS ASSIGNMENT 3 MEMORY MANAGEMENT

Machine-Independent Virtual Memory Management for Paged June Uniprocessor 1st, 2010and Multiproce 1 / 15

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 13: Address Translation

HSA QUEUEING HOT CHIPS TUTORIAL - AUGUST 2013 IAN BRATT PRINCIPAL ENGINEER ARM

The Virtual Memory Abstraction. Memory Management. Address spaces: Physical and Virtual. Address Translation

Virtual Memory. Computer Systems Principles

Virtual Memory. Chapter 8

Virtual Memory. Chapter 8

ECE 7650 Scalable and Secure Internet Services and Architecture ---- A Systems Perspective. Part I: Operating system overview: Memory Management

A Strategy for Testing Hardware Write Block Devices

! What is main memory? ! What is static and dynamic allocation? ! What is segmentation? Maria Hybinette, UGA. High Address (0x7fffffff) !

Operating Systems (1DT020 & 1TT802)

Operating Systems. Designed and Presented by Dr. Ayman Elshenawy Elsefy

King Fahd University of Petroleum and Minerals. Write clearly, precisely, and briefly!!

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Monitoring Access to Shared Memory-Mapped Files By Christian Sarmoria, Steve Chapin Presented At The Digital Forensic Research Conference DFRWS 2005 USA New Orleans, LA (Aug 17 th - 19 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Monitoring Access to Shared Memory-Mapped Files Christian G. Sarmoria,, Steve J. Chapin {cgsarmor, chapin} } @ecs.syr.edu@ Electrical Engineering and Computer Science Dept. Syracuse University NY, 13210 August 18, 2005

Overview Introduction Reconstruction of sequences of events Shared memory Granularity Page-level monitor Conclusions Q & A

Evidence Gathering Post-mortem Filesystem Memory dump Available logs Realtime System, application, and network logs Record system objects and their interactions Evidence is potential

Framework for Reconstructing Sequences of Events Monitor system objects and events Gather potential evidence at runtime Detection point signaled by an IDS Build dependency graph Backtrack from detection point back to entry point of the attack

Framework for Reconstructing Sequences of Events System objects: Process, file, and filename. Event: : Read, write, rename, create process, share memory, etc. Role of an object in an event: cause or effect Objects dependencies: Process-Process: create, signal, share memory Process-file: read, write, change attributes Process-filename: rename, link, remove, etc.

Framework for Reconstructing Sequences of Events T0: : process 1 creates process 2 file A T1: : process 2 writes file B T2: : process 2 writes file C T3: : process 1 reads file A T4: : process 1 creates process 3 0 3 process 1 8 T5: : process 3 reads file B process 2 4 process 4 T6: : process 3 writes file X T7: : process 3 reads file C T8: : process 1 creates process 4 file B 1 2 file C 9 file D T9: : process 4 writes file D 5 7 process 3 6 Detection point signaled by IDS file x

Reconstruction of Sequences of Events Current Systems SNARE (2003) Backtracker (2003) Forensix (2003) CIDS (2004) Improved Backtracker (2005) System calls monitoring Shared memory? System call event only (mmap/munmap( mmap/munmap) Aggregation and coarse granularity False dependencies Overlooked events

File access Current systems: read and write system calls Works for access to the file in the file system Once a file is memory-mapped we lose system calls support Process accesses a memory-mapped file through direct address space manipulation (pointers) We need to monitor memory read and write instructions

Shared-Memory Object (SMO) An SMO is a portion of memory address space allocated to a process and shared with other processes Roles: Cause Effect Process-SMO dependencies: Process SMO SMO Process

Granularity SMO composed by constituent parts A part is a section of the address space occupied by the SMO Constituent Parts Object Memory Region (VMA) Page Minipage The whole SMO Size Runtime-OS-Defined set of contiguous memory frames As defined in the OS, usually 4KB 1 byte minipage < page

Granularity SMO SMO VMA SMO Page SMO Minipage

Granularity SMO 1 p 1 p 2 p 3 VMA 1 SMO 2 VMA 1 Memory p n VMA 2 p 1 VMA 2 p n mp 1 mp 2 mp 3 mp 4 mp 5 mp 6 VMA 3 mp n-1 mp n VMA n

Granularity: Properties Monitoring constituent parts eliminates a number of Process-Process false dependencies The larger the SMO the greater the benefit of applying granularity Monitoring at the minipage level has to deal with loss of paging hardware support Overhead

Technique Linux Kernel 2.4 on x86 architecture Does not require processes source code Accesses to shared memory-mapped files at the page level of granularity Runtime SMO registration by intercepting mmap system call Monitor implemented in page fault handler and CPU scheduler Event logs saved in circular buffer in kernel space

Technique Memory pages where the SMO resides are set protected and read-only through Page Table Entry (PTE) Page fault alerts the monitor of SMO access event Race condition: Time of page serviced and ready to use is no guarantee of read/write event at present time CPU scheduler confirms event is effective

Page Fault Handler Page Fault Handler with Page-Level Monitoring Page Fault Monitored VMA? yes Page already in Page Table (PT)? yes Restore PTE bits Issue event ticket no no Handle page fault regularly.. Allocate frame Save PTE pointer in task structure Turn on in task structure Process in ready queue

CPU Scheduler CPU Scheduler with Page-Level Monitoring Previous process has event flag on? yes Protect PTE saved in the previous process task structure no Clear PTE pointer saved in previous process task structure Turn off event flag in previous process task structure Next process has event flag on? yes Stamp next process event ticket Execute next process no

Synchronization Race condition: P 1 and P 2 share a page P 1 page faults on it Page fault handler serves the page for P 1 Monitor logs the event P 1 ready for execution, waiting for CPU P 2 page faults on same page Page fault handler serves the page for P 2 Monitor logs event P 2 ready for execution P 2 gets CPU before P 1

Results Established Process-SMO dependencies for shared memory- mapped files x86 limitation: a read after a write in the same page during the same CPU time slice

Results Overhead: One page fault for any number of consecutive reads in the same page during the same CPU time slice One page fault for any number of consecutive writes in the same page during the same CPU time slice Two page faults for any number of consecutive reads followed by any number of consecutive writes in the same page during the same CPU time slice

Conclusions Shared memory is a source of objects of different types which participate in events the same way as other objects do OS system call level limitation to monitor shared memory produces false dependencies and overlooked events in current reconstruction systems Monitoring SMOs can eliminate a number of false dependencies and reveal others Granularity provides a framework to trade off between accuracy and overhead

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback