Vis Virtualization Enhanced Live Acquisition for Native Sys - PowerPoint Presentation

Slide1

VisVirtualization Enhanced Live Acquisition for Native System

Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing GuanShanghai Jiao Tong UniversitySlide2

Motivation2

Acquisition is the most important step in a typical computer forensics scenario. Missing evidence leads to an incomplete or wrong investigation result.Static Acquisition Live Acquisition

Static

Acquisition

Live Acquisition

In-Disk Evidence

In-Memory

Evidence

24/7 Availability ServersSlide3

Problem - Live Acquisition3

Live AcquisitionTarget System requiring in VM Already

Low Result

Accuracy

Late

Virtualization

Virtual

Snapshot

Virtualization Introspection

In-OS Introspection

Vis provides

accurate retrieving

of native system physical memory while

preserving

the execution of target.Slide4

Late Virtualization4

Insert a Drop-in Hypervisor after the target OS is started up.1) Save the host state 2)Fill the host state in the virtual machineSlide5

Late Virtualization5

HardwareOS Kernel

User App

User App

Vis Hypervisor

Virtual Machine

Event Handler

Vis Driver

Event

EventSlide6

Virtual Snapshot6

Dump!Time

Finish!

Guest

Virtual Pages

Unmodified

Modified

Acquisition Duration (>10 Seconds)

Guest

Physical Pages

Machine

Physical Pages

Legend

Identical Mapping on Nested Page Table

Modified Pages  Copy-on-Write mechanism on nested page table

Unmodified Pages

 Dump remaining pages when handling frequent event

Amortized  Dump multiple pages per trapSlide7

Virtual Snapshot7

Dump!Time

Finish!

Guest

Virtual Pages

Unmodified

Modified

Acquisition Duration (>10 Seconds)

Guest

Physical Pages

Machine

Physical Pages

Legend

Identical Mapping on Nested Page Table

Modified Pages  Copy-on-Write mechanism on nested page table

Unmodified Pages  Dump remaining pages when handling frequent event

Amortized  Dump multiple pages per trapSlide8

Virtual Snapshot8

Dump!Time

Finish!

Guest

Virtual Pages

Unmodified

Modified

Acquisition Duration (>10 Seconds)

Guest

Physical Pages

Machine

Physical Pages

Legend

Identical Mapping on Nested Page Table

Modified Pages  Copy-on-Write mechanism on nested page table

Unmodified Pages  Dump remaining pages when handling frequent event

Amortized  Dump multiple pages per trap

DumpingSlide9

ImplementationBased on Techniques:Intel® VT-xEPT for Nested Paging Vis PrototypeSupport Windows 7 i386 (Uniprocessor

)Tailored from NewBluePill (Hypervisor based virus)9Slide10

Effectiveness EvaluationWin32dd and Memoryze recorded >50% polluted content in the result fileVis recorded

no polluted content.10Slide11

Performance Evaluation11

Virtualizing CPU and memory only, Vis incurs no I/O performance overhead.High performance degradation on certain memory-intensive benchmark is imputed to EPT overhead.

Normalized

Performance

BenchmarksSlide12

Performance Evaluation12

Virtualizing CPU and memory only, Vis incurs no I/O performance overhead.High performance degradation on certain memory-intensive benchmark is imputed to EPT overhead.

Normalized

PerformanceSlide13

DiscussionsTrustworthy hypervisorHypervisor code can be attested before being loaded via Trusted Platform Module (TPM) (Martignoni et al, RAID’10)

No nested virtualizationThe Turtles Project (Muli et al, OSDI’10)For future workA little invasion is acceptableLocard’s exchange principle (Chisum, Journal of Behavioral Profiling, January 2000)13Slide14

SummaryVis achieved:Virtualization for native systemAccurate acquisition

14VisVirtualization for Native System

Accurate Acquisition

Late

Virtualization

Virtual

SnapshotSlide15

VisVirtualization Enhanced Live Acquisition for Native System

Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing GuanShanghai Jiao Tong UniversitySlide16

Backup16