Live and trustworthy forensic analysis of commodity production systems / L. Martignoni, A. Fattori, R. Paleari, L. Cavallaro. In: Recent Advances in Intrusion Detection: 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010, Proceedings / [edited by] S. Jha, R. Sommer, C. Kreibich. New York: Springer, 2010. ISBN 978-3-642-15511-6. pp. 297-316. (Paper presented at the 13th International Symposium on Recent Advances in Intrusion Detection, held in Ottawa in 2010.) DOI: 10.1007/978-3-642-15512-3_16

Live and trustworthy forensic analysis of commodity production systems

L. Martignoni; A. Fattori; R. Paleari; L. Cavallaro
2010

Abstract

We present HyperSleuth, a framework that leverages the virtualization extensions provided by commodity hardware to securely perform live forensic analysis of potentially compromised production systems. HyperSleuth provides a trusted execution environment that guarantees four fundamental properties. First, an attacker controlling the system cannot interfere with the analysis and cannot tamper with the results. Second, the framework can be installed as the system runs, without a reboot and without losing any volatile data. Third, the analysis performed is completely transparent to the OS and to an attacker. Finally, the analysis can be periodically and safely interrupted to resume normal execution of the system. On top of HyperSleuth we implemented three forensic analysis applications: a lazy physical memory dumper, a lie detector, and a system call tracer. The experimental evaluation we conducted demonstrated that even time-consuming analysis, such as the dump of the content of the physical memory, can be securely performed without interrupting the services offered by the system.
Disciplinary sector INF/01 - Computer Science
2010
http://roberto.greyhats.it/pubs/raid10.pdf
Book Part (author)
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2434/152683
Citations
  • PMC: ND
  • Scopus: 47
  • ISI: 28