Memory forensics of control flow integrity violations

Abstract

Incident response comprises of conducting digital investigation after a breach into a system occurs. Current tools which aid the incident responder in obtaining information on the attack are able to locate the payload of the attack such as a backdoor to the system, either by performing disk or memory forensics. However, current tools are not able to obtain artefacts related to the exploit i.e. the entrypoint to the system. This is due to the fact that disk forensic tools are only able to locate those artefacts which are persistent on disk. Memory forensics addresses the limitation of disk forensics as it aids the incident responder in locating artefacts which do not interact with the disk. However, such artefacts are recycled quickly out of memory especially in the case of script-based exploits since memory is volatile. Thus, memory snapshots need to be taken when some events occur and exploits are suspected, defined as MemDump points. If the exploit which violated the system is found, the system can be hardened so as to prevent future intrusions. The project aims to take an event-driven approach to memory forensics. Research proceeded into phases, the first part being conducting process memory analysis to locate the artefacts produced by state-of-the-art exploits and thus deduce a pattern of exploits at the memory level. Suitable MemDump points were defined based on the research conducted. The second phase was the definition of a framework Mem- CFI, which makes use of runtime instrumentation to inject the MemDump points in existing binaries in a way that minimal overhead is incurred and the MemDump points are tamper resistant. The framework was evaluated in terms of practicality and effectiveness. The practicality was evaluated by measuring the number of memory snapshots that are taken while browsing, the performance overhead which is induced and the size of the memory snapshots. The effectiveness of the proposed framework was shown through the use of different case studies which are representative of current attacks. The exploit was successfully located in memory in each case.