
    Evaluating atomicity, and integrity of correct memory acquisition methods

    Abstract. With increased use of forensic memory analysis, the soundness of memory acquisition becomes more important. We therefore present a black box analysis technique in which memory contents are constantly changed via our payload application with a traceable access pattern. This way, given the correctness of a memory acquisition procedure, we can evaluate its atomicity and one aspect of integrity as defined by Vömel and Freiling (2012). We evaluated our approach on several memory acquisition techniques represented by 12 memory acquisition tools using a Windows 7 64-bit operating system running on an i5-2400 with 2 GiB RAM. We found user-mode memory acquisition software (ProcDump, Windows Task Manager), which suspends the process during memory acquisition, to provide perfect atomicity and integrity for snapshots of process memory. Cold-boot attacks (memimage, msramdump), virtualization (VirtualBox) and emulation (QEMU) all deliver perfect atomicity and integrity of full physical system memory snapshots. Kernel level software acquisition tools (FTK Imager, DumpIt, win64dd, WinPmem) exhibit memory smear from concurrent system activity reducing their atomicity. Their integrity is reduced by running within the imaged memory space, hence overwriting part of the memory contents to be acquired. The least amount of atomicity is exhibited by a DMA attack (inception using IEEE 1394). Further, even if DMA is performed completely in hardware, integrity violations with respect to the point in time of the acquisition let this method appear inferior to all other methods. Our evaluation methodology is generalizable to examine further memory acquisition procedures on other operating systems and platforms.
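    The black-box idea in the abstract, reduced to a simulation, as an added example (this is not code from the paper or its authors). A payload writes a traceable pattern into simulated memory while an acquisition routine copies it page by page, with a configurable number of payload writes slipping in between copied pages and a configurable set of pages the tool itself occupies; the analysis then recovers atomicity and integrity from the snapshot alone. The page count, page layout, magic marker and the "smear" metric (extra payload steps beyond the span of a consistent state) are this example's own assumptions, not the paper's definitions.

```python
"""Black-box evaluation of a memory acquisition routine, as a simulation.

A payload keeps writing a traceable pattern into simulated memory while an
acquisition routine copies it page by page. From the snapshot alone we then
recover (a) whether the copy is atomic or smeared by concurrent writes and
(b) how many pages the acquisition tool itself clobbered (integrity).
"""
import struct

N_PAGES = 64      # pages of simulated physical memory (assumption)
PAGE_SIZE = 16    # bytes per simulated page (assumption)
MAGIC = b"PAYL"   # marks a page that still holds payload data (assumption)


class Payload:
    """Round-robin writer: step t stores counter t in page t mod N_PAGES.

    The pattern is known, so a counter found in the snapshot is also the
    time at which that page was last written."""

    def __init__(self, mem):
        self.mem = mem
        self.t = 0

    def step(self):
        record = MAGIC + struct.pack("<I", self.t)
        self.mem[self.t % N_PAGES] = record.ljust(PAGE_SIZE, b"\0")
        self.t += 1


def acquire(mem, payload, writes_per_copy, footprint=()):
    """Copy all pages in order while the payload keeps running.

    writes_per_copy: payload steps between two copied pages; 0 models a
        perfectly atomic snapshot (suspended VM, cold boot).
    footprint: pages occupied by the tool's own code and buffers at the
        moment they are read, modelling an imager that runs inside the
        memory it images."""
    snapshot = []
    for p in range(N_PAGES):
        if p in footprint:
            mem[p] = b"TOOL".ljust(PAGE_SIZE, b"\xff")
        snapshot.append(mem[p])
        for _ in range(writes_per_copy):
            payload.step()
    return snapshot


def analyze(snapshot):
    """Recover atomicity and integrity from the snapshot alone."""
    counters, clobbered = {}, []
    for p, data in enumerate(snapshot):
        if data[:4] != MAGIC:
            clobbered.append(p)
            continue
        c = struct.unpack_from("<I", data, 4)[0]
        assert c % N_PAGES == p, "payload invariant violated"
        counters[p] = c
    if not counters:
        return {"atomic": False, "smear_steps": None,
                "integrity": 0.0, "clobbered_pages": clobbered}
    # An instantaneous snapshot taken after T payload steps holds exactly the
    # counters T-N_PAGES .. T-1, so its span is at most N_PAGES-1, and every
    # such window is a reachable state. Any span beyond that is smear from
    # writes that happened while the copy was in progress.
    span = max(counters.values()) - min(counters.values())
    smear = max(span - (N_PAGES - 1), 0)
    return {
        "atomic": smear == 0,
        "smear_steps": smear,
        "integrity": 1 - len(clobbered) / N_PAGES,
        "clobbered_pages": clobbered,
    }


def run(writes_per_copy, footprint=(), warmup_rounds=3):
    """Warm up until every page holds payload data, then acquire and analyze."""
    mem = [bytes(PAGE_SIZE) for _ in range(N_PAGES)]
    payload = Payload(mem)
    for _ in range(warmup_rounds * N_PAGES):
        payload.step()
    return analyze(acquire(mem, payload, writes_per_copy, footprint))


if __name__ == "__main__":
    print("suspended / cold boot:", run(0))
    print("in-memory imager     :", run(2, footprint=(5, 6)))
```

    With no writes between copied pages the snapshot is a consistent state (atomic, integrity 1.0). With two payload writes per copied page and two pages occupied by the tool, the snapshot mixes values from different points in time (smear) and two pages carry tool data instead of the memory that was there to be acquired, which is the integrity loss the abstract attributes to imagers running inside the imaged address space.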

    06371 Abstracts Collection -- From Security to Dependability

    From 10.09.06 to 15.09.06, the Dagstuhl Seminar 06371 ``From Security to Dependability'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.

    Code Stabilization

    Abstract. Dijkstra's concept of self-stabilization assumes that faults can only affect the variables of a program. We study the notion of self-stabilization if faults can also affect (i.e., augment) the program code of a system. A code stabilizing system automatically recovers from (almost) arbitrary perturbations of its program code. We prove some lower bounds for code stabilizing systems and argue that code stabilization has many resemblances to the area of integrity management in the domain of security.

    Byzantine Fault Tolerance on General Hybrid Adversary Structures

    Adversary structures are a generalization of the classical "at most t-out-of-n" threshold failure model which is used in many published Byzantine-tolerant protocols. An adversary structure basically lists all coalitions of parties whose corruption the protocol should tolerate. Using adversary structures it is possible to encode dependent failure models, such as "either all Linux machines fail or all Windows machines but not both at the same time". We describe a general technique that allows one to transform an algorithm designed for the threshold model into an algorithm that works for general adversary structures. Our technique is based on several (partly informal) rules which describe how the algorithm and its proof must be augmented so that general adversary structures can be tolerated. We demonstrate the applicability of our approach by transforming an asynchronous Byzantine-tolerant reliable broadcast protocol into one that tolerates Byzantine adversary structures. We also consider similar transformations for hybrid failures (combinations of different fault models) and discuss ways to map adversary structures to the real world and manage them efficiently.
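    As an added example (not the paper's own code or rules), the following shows how an adversary structure is represented as a list of maximal tolerated coalitions, how the threshold model is a special case of it, and how the dependent-failure example from the abstract is encoded. Two things in it go beyond what this page states: the Q^3 check is the known condition of Hirt and Maurer (no three tolerated coalitions together cover all parties), which reduces to n > 3t for the threshold model and is necessary and sufficient for Byzantine agreement under general adversary structures; and `can_proceed` is the standard generalization of the threshold rule "wait for n - t messages" (proceed once the silent parties could all be corrupt), not necessarily the exact rule the paper uses. Party names are constructed for the example.

```python
"""Adversary structures as lists of maximal tolerated coalitions (added example)."""
from itertools import combinations, combinations_with_replacement


def threshold_structure(parties, t):
    """The classical 'at most t out of n' model written as an adversary structure.

    Only maximal coalitions are listed; every subset of a listed coalition is
    tolerated as well (the structure is monotone)."""
    return [frozenset(c) for c in combinations(sorted(parties), t)]


def satisfies_q3(parties, structure):
    """Q^3 condition (Hirt and Maurer): no three tolerated coalitions together
    cover all parties. For the threshold model this is exactly n > 3t.

    Because the structure is monotone it suffices to test the maximal sets,
    with repetition so that Z1 == Z2 cases are covered."""
    everyone = frozenset(parties)
    return all(not (z1 | z2 | z3) >= everyone
               for z1, z2, z3 in combinations_with_replacement(structure, 3))


def can_proceed(parties, structure, heard_from):
    """Generalized 'wait for n - t messages' rule: a party may proceed once the
    set of parties it has not heard from could all be corrupt, i.e. is a subset
    of some tolerated coalition. Waiting for more could block forever."""
    silent = frozenset(parties) - frozenset(heard_from)
    return any(silent <= z for z in structure)


# Constructed example: three Linux hosts, two Windows hosts and one other host.
PARTIES = ["L1", "L2", "L3", "W1", "W2", "M1"]

# "Either all Linux machines fail or all Windows machines, but not both":
# the two coalitions are listed separately, so their union is NOT tolerated.
PLATFORM_STRUCTURE = [frozenset({"L1", "L2", "L3"}), frozenset({"W1", "W2"})]


if __name__ == "__main__":
    print("platform structure satisfies Q^3:",
          satisfies_q3(PARTIES, PLATFORM_STRUCTURE))
    # The same failure set expressed as a threshold would need t = 3 for the
    # Linux coalition alone, and 3t < 6 fails already at t = 2.
    for t in (1, 2):
        print(f"{t}-out-of-6 threshold satisfies Q^3:",
              satisfies_q3(PARTIES, threshold_structure(PARTIES, t)))
    print("proceed after hearing from W1, W2, M1:",
          can_proceed(PARTIES, PLATFORM_STRUCTURE, ["W1", "W2", "M1"]))
    print("proceed after hearing from L1, L2, L3:",
          can_proceed(PARTIES, PLATFORM_STRUCTURE, ["L1", "L2", "L3"]))
```

    The platform structure tolerates a coalition of three machines, which no Q^3-compatible threshold on six parties can do (t = 2 already fails), while still satisfying Q^3 itself; that is the expressiveness gain the abstract describes. Adding a lone coalition {M1} to the structure makes Q^3 fail, because the Linux, Windows and M1 coalitions would then jointly cover every party.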

    Illustrating the impossibility of crash-tolerant consensu