Abstract

With increasingly complex cyber attacks occurring every day, memory-based forensic techniques are becoming instrumental in digital investigations. Forensic examiners can reconstruct what happened on a system by acquiring and inspecting in-memory data. However, the foundation of this analysis is invalidated if the acquired memory image has been tampered with. In this paper, we study the feasibility of malicious software misusing architectural features to sabotage memory forensics. The misuse of two architectural features, the physical address layout and hardware-backed secure containers, is presented. The first feature is the physical address layout, which the northbridge (the memory controller) on x86 platforms uses to route each memory access either to physical memory (DRAM) or to I/O devices. Building on this design choice, we propose Hidden in I/O Space (HIveS), which manipulates CPU registers to alter the physical address layout and thereby conceal memory. The system uses a novel I/O shadowing technique to lock a memory region, named HIveS memory, into I/O address space so that ordinary reads of that region no longer reach DRAM. Two further techniques, blackbox write and TLB camouflage, are developed to protect the HIveS memory against memory forensics while it is unlocked, without denying the attacker access to it. The second feature is hardware-aided secure execution technology. More specifically, the hardware-enforced memory encryption of Intel Software Guard Extensions (SGX) is used by malicious enclave software (Malclaveware) to defeat introspection and memory forensics. A prototype of HIveS is built and tested against a set of memory acquisition tools for both Windows and Linux on the x86 platform. Malclaveware is also prototyped on Windows to demonstrate the risk. More importantly, we propose countermeasures and mitigations for the newly discovered attacks. Through these discussions, we aim to raise awareness of the potential risks of misusing hardware architectural features.
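The abstract's first attack rests on one fact: the memory controller decides, per physical address, whether a read goes to DRAM or to I/O space, and that decision is governed by registers an attacker with ring-0 access can change after the firmware has configured them. The check a memory acquisition tool would want is therefore to compare the boot-time memory map (which records what the firmware considered RAM) against the routing limits currently in force. The following is an added example that is not code from the paper or from the HIveS prototype. It assumes a simplified platform model with two top-of-memory limits, one applying below 4 GiB and one above (real platforms expose such limits in platform-specific registers, and reading them is not shown), and it uses a constructed E820-style memory map in place of one read from the firmware.

```c
/* Added example (not from the paper): flag firmware-reported RAM that the
 * currently configured top-of-memory limits would route to I/O space.
 * Assumptions: two limits (below / above 4 GiB), map entries never straddle
 * the 4 GiB boundary, and the map itself is constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FOUR_GIB 0x100000000ULL

enum map_type { MAP_RAM = 1, MAP_RESERVED = 2 };

typedef struct { uint64_t base; uint64_t len; enum map_type type; } map_entry;
typedef struct { uint64_t base; uint64_t len; } range;

/* Constructed boot-time map: 3 GiB of RAM below the PCI hole, 4 GiB above 4 GiB. */
const map_entry sample_map[] = {
    { 0x0000000000000000ULL, 0x000000000009FC00ULL, MAP_RAM },
    { 0x000000000009FC00ULL, 0x0000000000F60400ULL, MAP_RESERVED }, /* up to 1 MiB   */
    { 0x0000000000100000ULL, 0x00000000BFF00000ULL, MAP_RAM },      /* 1 MiB..3 GiB  */
    { 0x00000000C0000000ULL, 0x0000000040000000ULL, MAP_RESERVED }, /* MMIO hole     */
    { 0x0000000100000000ULL, 0x0000000100000000ULL, MAP_RAM },      /* 4 GiB..8 GiB  */
};
const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];

/* Highest end address of usable RAM inside [win_lo, win_hi): the value the
 * corresponding top-of-memory limit should hold if nobody changed it since boot. */
uint64_t expected_top(const map_entry *map, size_t n, uint64_t win_lo, uint64_t win_hi)
{
    uint64_t top = win_lo;
    for (size_t i = 0; i < n; i++) {
        if (map[i].type != MAP_RAM) continue;
        uint64_t end = map[i].base + map[i].len;
        if (map[i].base >= win_lo && end <= win_hi && end > top) top = end;
    }
    return top;
}

/* Bytes of firmware-reported RAM lying above the limit that applies to it,
 * i.e. RAM whose reads no longer reach DRAM. Affected ranges go to `out`. */
uint64_t hidden_ram(const map_entry *map, size_t n, uint64_t tom_low, uint64_t tom_high,
                    range *out, size_t max_out, size_t *n_out)
{
    uint64_t total = 0;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (map[i].type != MAP_RAM) continue;
        uint64_t end = map[i].base + map[i].len;
        uint64_t limit = (map[i].base < FOUR_GIB) ? tom_low : tom_high;
        if (end <= limit) continue;                       /* fully routed to DRAM */
        uint64_t start = map[i].base > limit ? map[i].base : limit;
        total += end - start;
        if (k < max_out) { out[k].base = start; out[k].len = end - start; k++; }
    }
    if (n_out) *n_out = k;
    return total;
}

/* Convenience wrapper over the constructed map: bytes hidden by the given limits. */
uint64_t hidden_in_sample(uint64_t tom_low, uint64_t tom_high)
{
    range r[8];
    size_t k;
    return hidden_ram(sample_map, sample_map_len, tom_low, tom_high, r, 8, &k);
}

int main(void)
{
    /* Hypothetical reading of the live limits: the low limit has been lowered
     * by 256 MiB below what the boot map implies, the high one is untouched. */
    uint64_t tom_low = 0xB0000000ULL, tom_high = 0x200000000ULL;
    range r[8];
    size_t k;
    uint64_t hidden = hidden_ram(sample_map, sample_map_len, tom_low, tom_high, r, 8, &k);

    printf("expected low limit 0x%llx, configured 0x%llx\n",
           (unsigned long long)expected_top(sample_map, sample_map_len, 0, FOUR_GIB),
           (unsigned long long)tom_low);
    printf("%llu bytes of reported RAM are unreachable:\n", (unsigned long long)hidden);
    for (size_t i = 0; i < k; i++)
        printf("  [0x%llx, 0x%llx)\n", (unsigned long long)r[i].base,
               (unsigned long long)(r[i].base + r[i].len));
    return hidden != 0;
}
```

An acquisition tool that reads only what the current routing returns would silently image I/O space for the flagged range; comparing the live limits with `expected_top` turns that into a reportable discrepancy. The model deliberately ignores the further defences the abstract names (blackbox write and TLB camouflage), which act once the region is unlocked and are not captured by a memory-map comparison.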

Full Text
Published version (Free)
