Title :
Incident-Driven Memory Snapshot for Full-Virtualized OS Using Interruptive Debugging Techniques
Author :
Ando, Ruo ; Kadobayashi, Youki ; Shinoda, Youichi
Author_Institution :
Nat. Inst. of Inf. & Commun. Technol., Tokyo
Abstract :
Memory forensics is a growing concern. For effective evidence retrieval it is important to take the snapshot at the right moment. With proper modification of the guest OS, a VMM is a powerful tool for timely snapshots. In this paper we propose an incident-driven memory snapshot for a fully virtualized OS using interruptive debugging techniques. We modify the debug register handler to invoke the snapshot facility of the VMM: a software interrupt or signal is generated in the register handler, so a snapshot can be taken asynchronously whenever a debug register is changed. On the guest OS we apply three kinds of interruptive debugging techniques: debug register handling, a driver-supplied callback function, and DLL injection. The driver-supplied callback function modifies the IDT (interrupt descriptor table), which makes it possible to cope with vulnerability exploitation. DLL injection is used to insert a security check function into a resource access function. The proposed system is implemented on the Xen virtual machine monitor and on KVM (Kernel-based Virtual Machine).
Keywords :
operating system kernels; program debugging; virtual machines; XEN virtual machine monitor; driver supplied callback function; evidence retrieval; full-virtualized operating system; incident-driven memory snapshot; interruption descriptor table; interruptive debugging technique; kernel virtual machine; memory forensic; register handler; Communications technology; Debugging; Forensics; Information security; Kernel; Registers; Signal generators; Virtual machine monitors; Virtual machining; Virtual manufacturing; DLL injection; IDT modification; Incident-driven snapshot; debug register handling; full virtualization
Conference_Titel :
Information Security and Assurance, 2008. ISA 2008. International Conference on
Conference_Location :
Busan
Print_ISBN :
978-0-7695-3126-7
DOI :
10.1109/ISA.2008.27