Honeypot-like real-time memory forensics based on virtual machine monitor
Citation: ZHAO Yu-tao, LI Qing-bao, ZHANG Gui-min, CHENG San-jun. Honeypot-like real-time memory forensics based on virtual machine monitor [J]. Journal of Zhejiang University (Engineering Science), 2018, 52(2): 387-397.
Authors: ZHAO Yu-tao, LI Qing-bao, ZHANG Gui-min, CHENG San-jun
Affiliations: 1. State Key Laboratory of Mathematical Engineering and Advanced Computing, PLA Information Engineering University, Zhengzhou 450001, Henan, China; 2. Science and Technology on Information Assurance Laboratory, Beijing 100072, China; 3. People's Procuratorate of Henan Province, Zhengzhou 450000, Henan, China
Funding: National Social Science Foundation of China (15AGJ012); Open Fund of the Science and Technology on Information Assurance Laboratory (KJ-15-107).
Abstract: Traditional image-then-analysis memory forensics faces two problems: extracting a memory image takes too long, and transient memory attacks cannot be intercepted effectively. A honeypot-like real-time memory forensics method, RTMF, is proposed to address both. The virtual machine monitor (VMM) is used to extract memory fragments selectively, and the extracted data are semantically reconstructed to recover OS-level semantic information. The extended page table (EPT) mechanism is used to set the access permissions of key memory pages, which are treated as honeypots; a violating access to a honeypot triggers an EPT violation that traps the guest OS into the VMM, so memory attacks are captured in real time. Results show that, once a memory attack is detected, RTMF can record the attacker's history of memory modifications and trace the attacker to its source. Microbenchmark results show that the performance overhead introduced by RTMF is acceptable.
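The trap-and-record mechanism the abstract describes, as an added simulation that is not the paper's code: guest memory is modelled as pages, honeypot pages lose write permission in a mock EPT, and a write that violates the permission "exits" into a mock VMM that records the old and new bytes together with the guest context before completing the write. All page contents, addresses and context values are constructed.

```python
# Added example (not from the paper): a simulation of the RTMF honeypot idea.
# Guest physical memory is a list of pages; a mock EPT holds per-page
# permissions. Dropping "w" from a key page turns it into a honeypot, so every
# guest write to it traps into the monitor, which logs the modification and
# the guest context that caused it, then completes the write so the guest
# (and the attacker) notices nothing and the modification history keeps growing.
# All addresses, contents and contexts below are constructed sample values.

PAGE_SIZE = 4096


class MockVmm:
    def __init__(self, n_pages: int):
        self.pages = [bytearray(PAGE_SIZE) for _ in range(n_pages)]
        self.ept = {i: {"r", "w", "x"} for i in range(n_pages)}  # mock EPT permissions
        self.history = []  # one record per trapped (violating) write

    def set_honeypot(self, page: int) -> None:
        """Remove write permission from a key page so any write to it traps."""
        self.ept[page].discard("w")

    def guest_write(self, gpa: int, data: bytes, ctx: dict) -> bool:
        """Emulate a guest write at guest-physical address gpa.

        Returns True when the write violated the EPT permissions (trapped)."""
        page, off = divmod(gpa, PAGE_SIZE)
        if off + len(data) > PAGE_SIZE:
            raise ValueError("write crosses a page boundary")
        trapped = "w" not in self.ept[page]
        if trapped:
            # EPT violation -> VM exit. Record what was changed and by whom
            # (ctx stands in for guest registers such as CR3/RIP at the exit).
            self.history.append({
                "gpa": gpa,
                "old": bytes(self.pages[page][off:off + len(data)]),
                "new": bytes(data),
                "ctx": dict(ctx),
            })
        self.pages[page][off:off + len(data)] = data  # complete the write
        return trapped

    def history_for(self, page: int) -> list:
        """Modification history of one page, in the order the writes happened."""
        return [h for h in self.history if h["gpa"] // PAGE_SIZE == page]
```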
This article is indexed in CNKI and other databases.