@inproceedings{10.1145/2714576.2714600,
author = {Zhang, Ning and Sun, Kun and Lou, Wenjing and Hou, Y. Thomas and Jajodia, Sushil},
title = {Now You See Me: Hide and Seek in Physical Address Space},
year = {2015},
isbn = {9781450332453},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {[https://doi.org/10.1145/2714576.2714600](https://doi.org/10.1145/2714576.2714600)},
doi = {10.1145/2714576.2714600},
abstract = {With the growing complexity of computing systems, memory based forensic techniques are becoming instrumental in digital investigations. Digital forensic examiners can unravel what happened on a system by acquiring and inspecting in-memory data. Meanwhile, attackers have developed numerous anti-forensic mechanisms to defeat existing memory forensic techniques by manipulation of system software such as OS kernel. To counter anti-forensic techniques, some recent researches suggest that memory acquisition process can be trusted if the acquisition module has not been tampered with and all the operations are performed without relying on any untrusted software including the operating system.However, in this paper, we show that it is possible for malware to bypass the current state-of-art trusted memory acquisition module by manipulating the physical address space layout, which is shared between physical memory and I/O devices on x86 platforms. This fundamental design on x86 platform enables an attacker to build an OS agnostic anti-forensic system. Base on this finding, we propose Hidden in I/O Space (HIveS) which manipulates CPU registers to alter such physical address layout. The system uses a novel I/O Shadowing technique to lock a memory region named HIveS memory into I/O address space, so all operation requests to the HIveS memory will be redirected to the I/O bus instead of the memory controller. To access the HIveS memory, the attacker unlocks the memory by mapping it back into the memory address space. Two novel techniques, Blackbox Write and TLB Camouflage, are developed to further protect the unlocked HIveS memory against memory forensics while allowing attackers to access it. A HIveS prototype is built and tested against a set of memory acquisition tools for both Windows and Linux running on x86 platform. Lastly, we propose potential countermeasures to detect and mitigate HIveS.},
booktitle = {Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security},
pages = {321–331},
numpages = {11},
keywords = {system security, rootkits, memory acquisition, digital forensics},
location = {Singapore, Republic of Singapore},
series = {ASIA CCS '15}
}