Simulating Windows-Based Cyber Attacks Using Live Virtual Machine Introspection

Static memory analysis has been proven a valuable technique for digital forensics. However, the memory capture technique halts the system causing the loss of important dynamic system data. As a result, live analysis techniques have emerged to complement static analysis. In this paper, a compiled memory analysis tool for virtualization (CMAT-V) is presented as a virtual machine introspection (VMI) utility to conduct live analysis during simulated cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live system state awareness. CMAT-V parses an arbitrary memory dump from a simulated guest operating system (OS) to extract user information, network usage, active process information and registry files. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. This provides increased operating system compatibility for current and future operating systems. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during simulated cyber attacks and measures the overall performance of CMAT-V

Extracting Forensic Artifacts from Windows O/S Memory

Memory analysis is a rapidly growing area in both digital forensics and cyber situational awareness (SA). Memory provides the most accurate snapshot of what is occurring on a computer at a moment in time. By combining it with event and network logs as well as the files present on the filesystem, an analyst can re-create much of what has occurred and is occuring on a computer. The Compiled Memory Analysis Tool (CMAT) takes either a disk image of memory from a Windows operating system or an interface into a virtual machine running a Windows operating system and extracts forensic artifacts including general system information, loaded system modules, the active processes, the files and registry keys accessed by those processes, the network connections established by the processes, the dynamic link libraries loaded by the processes, and the contents of the Windows clipboard. Operators and investigators can either take these artifacts and analyze them directly or use them as input into more complex cyber SA and digital forensics analysis tools

Cyber Situational Awareness Using Live Hypervisor-Based Virtual Machine Introspection

In this research, a compiled memory analysis tool for virtualization (CMAT-V) is developed as a virtual machine introspection (VMI) utility to conduct live analysis during cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live dynamic system state data. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. CMAT-V detects Windows-based operating systems and uses the Microsoft Symbol Server to provide this context to the user. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during cyber attacks, tests the detection of CMAT-V from the guest system level and measures its impact on host performance. During experimental testing, live system state information was successfully extracted from two simultaneously executing virtual machines (VM’s) under four rootkit-based malware attack scenarios. For each malware attack scenario, CMAT-V was able to provide evidence of the attack. Furthermore, data from CMAT-V detection testing did not confirm detection of the presence of CMAT-V’s live memory analysis from the VM itself. This supports the conclusion that CMAT-V does not create uniquely identifiable interference in the VM. Finally, three different benchmark tests reveal an 8% to 12% decrease in the host VM performance while CMAT-V is executing

Eliminating stack overflow by abstract interpretation

ManuscriptAn important correctness criterion for software running on embedded microcontrollers is stack safety: a guarantee that the call stack does not overflow. Our first contribution is a method for statically guaranteeing stack safety of interrupt-driven embedded software using an approach based on context-sensitive dataflow analysis of object code. We have implemented a prototype stack analysis tool that targets software for Atmel AVR microcontrollers and tested it on embedded applications compiled from up to 30,000 lines of C. We experimentally validate the accuracy of the tool, which runs in under 10 sec on the largest programs that we tested. The second contribution of this paper is the development of two novel ways to reduce stack memory requirements of embedded software

Automated Instruction Stream Throughput Prediction for Intel and AMD Microarchitectures

An accurate prediction of scheduling and execution of instruction streams is a necessary prerequisite for predicting the in-core performance behavior of throughput-bound loop kernels on out-of-order processor architectures. Such predictions are an indispensable component of analytical performance models, such as the Roofline and the Execution-Cache-Memory (ECM) model, and allow a deep understanding of the performance-relevant interactions between hardware architecture and loop code. We present the Open Source Architecture Code Analyzer (OSACA), a static analysis tool for predicting the execution time of sequential loops comprising x86 instructions under the assumption of an infinite first-level cache and perfect out-of-order scheduling. We show the process of building a machine model from available documentation and semi-automatic benchmarking, and carry it out for the latest Intel Skylake and AMD Zen micro-architectures. To validate the constructed models, we apply them to several assembly kernels and compare runtime predictions with actual measurements. Finally we give an outlook on how the method may be generalized to new architectures.Comment: 11 pages, 4 figures, 7 table

Strategies for protecting intellectual property when using CUDA applications on graphics processing units

Recent advances in the massively parallel computational abilities of graphical processing units (GPUs) have increased their use for general purpose computation, as companies look to take advantage of big data processing techniques. This has given rise to the potential for malicious software targeting GPUs, which is of interest to forensic investigators examining the operation of software. The ability to carry out reverse-engineering of software is of great importance within the security and forensics elds, particularly when investigating malicious software or carrying out forensic analysis following a successful security breach. Due to the complexity of the Nvidia CUDA (Compute Uni ed Device Architecture) framework, it is not clear how best to approach the reverse engineering of a piece of CUDA software. We carry out a review of the di erent binary output formats which may be encountered from the CUDA compiler, and their implications on reverse engineering. We then demonstrate the process of carrying out disassembly of an example CUDA application, to establish the various techniques available to forensic investigators carrying out black-box disassembly and reverse engineering of CUDA binaries. We show that the Nvidia compiler, using default settings, leaks useful information. Finally, we demonstrate techniques to better protect intellectual property in CUDA algorithm implementations from reverse engineering

Beyond XSPEC: Towards Highly Configurable Analysis

We present a quantitative comparison between software features of the defacto standard X-ray spectral analysis tool, XSPEC, and ISIS, the Interactive Spectral Interpretation System. Our emphasis is on customized analysis, with ISIS offered as a strong example of configurable software. While noting that XSPEC has been of immense value to astronomers, and that its scientific core is moderately extensible--most commonly via the inclusion of user contributed "local models"--we identify a series of limitations with its use beyond conventional spectral modeling. We argue that from the viewpoint of the astronomical user, the XSPEC internal structure presents a Black Box Problem, with many of its important features hidden from the top-level interface, thus discouraging user customization. Drawing from examples in custom modeling, numerical analysis, parallel computation, visualization, data management, and automated code generation, we show how a numerically scriptable, modular, and extensible analysis platform such as ISIS facilitates many forms of advanced astrophysical inquiry.Comment: Accepted by PASP, for July 2008 (15 pages