Integrity Verification of Applications on RADIUM Architecture Page: 19
vii, 44 pages : color illustrations
is set up. The subsequent instructions write data to the stack, overwrite some objects, delete some of them, and so on. This process continues until the function returns. Therefore, the changes made to the stack have to be recorded and analyzed for violations. The application executes in the target VM that is being measured. The measurement has to be done from the measuring service VM.

I propose to use Volatility [39], a memory introspection tool, to do runtime introspection of the target VM memory for violations. Volatility has many plug-ins written in Python to perform various introspection and forensic tasks. Memory introspection tasks can be performed dynamically on a live machine while it is running or statically on a memory dump that was previously extracted. Originally, Volatility is a forensic tool used to analyze memory dumps. However, my work requires introspection to be performed on live VM memory from outside the target VM. Volatility needs LibVMI, a virtual machine introspection library that provides access to the target VM memory. Some of the Volatility modules used in this research were: linux-pslist (to print the list of processes), linux-memmap (to print the memory map), linux-proc-maps (to print the process memory map), and mapdump (to extract data from the application memory dump). The goal of the experiment was to detect the attack or anomaly as soon as possible, before the transient state of the application destroys attack evidence. Extracting frequent memory snapshots and analyzing them on the fly at the speed of application execution is not possible. The application has to be paused to get the process's memory dump. This helps minimize the TOCTOU condition, resulting in better integrity verification. There would be some time lapse from the time of attack to the time of detection. This work is based on trusted computing, whose main purpose is to perform integrity verification in a trusted fashion; it does not offer protection against threats.

The introspection library LibVMI uses the measuring service to access the target VM with the help of hypercalls. A hypercall is the hypervisor equivalent of a system call. The measuring VM makes hypercalls for LibVMI to take memory page snapshots. Hypercall access is managed by the Access Control Policy, so memory access to the target application through the measuring service is secure.
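
The analysis step described above, sketched as an added example (not code from the thesis): given two snapshots taken while the application is paused, hash each memory region and flag suspicious changes. The Region layout, the constructed sample data and the policy (non-writable regions must not change, no region may be both writable and executable) are assumptions made for illustration; this page does not define them.

```python
import hashlib
from typing import NamedTuple

class Region(NamedTuple):
    start: int      # region start address
    perms: str      # e.g. "r-x", "rw-"
    name: str       # backing file or [stack]/[heap]
    data: bytes     # bytes dumped while the process was paused

def measure(regions):
    """Map (start, name) -> (perms, SHA-256 of contents) for one paused snapshot."""
    return {(r.start, r.name): (r.perms, hashlib.sha256(r.data).hexdigest())
            for r in regions}

def violations(baseline, current):
    """Compare two measurements under the assumed policy and return findings."""
    found = []
    for key, (perms, digest) in current.items():
        label = f"{key[1]}@{key[0]:#x}"
        if "w" in perms and "x" in perms:
            found.append(f"writable+executable region {label}")
        if key not in baseline:
            if "x" in perms:
                found.append(f"new executable region {label}")
            continue
        old_perms, old_digest = baseline[key]
        if perms != old_perms:
            found.append(f"permissions changed {old_perms}->{perms} on {label}")
        # Stack and heap are expected to change; non-writable regions are not.
        if "w" not in old_perms and digest != old_digest:
            found.append(f"non-writable region modified {label}")
    return found

# Constructed sample snapshots (not real dumps).
SNAP_A = [
    Region(0x400000, "r-x", "/usr/bin/app", b"\x55\x48\x89\xe5" * 4),
    Region(0x601000, "rw-", "/usr/bin/app", b"\x00" * 16),
    Region(0x7FFD0000, "rw-", "[stack]", b"frame-1"),
]
SNAP_B = [
    Region(0x400000, "r-x", "/usr/bin/app", b"\x55\x48\x89\xe5" * 3 + b"\xcc" * 4),
    Region(0x601000, "rw-", "/usr/bin/app", b"\x00" * 16),
    Region(0x7FFD0000, "rwx", "[stack]", b"frame-2"),
]

if __name__ == "__main__":
    for finding in violations(measure(SNAP_A), measure(SNAP_B)):
        print(finding)
```

Because both measurements are taken while the process is paused, the contents cannot change between the dump and the hash, which is the TOCTOU window the text refers to.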
Tarigopula, Mohan Krishna. Integrity Verification of Applications on RADIUM Architecture, thesis, August 2015; Denton, Texas. (https://digital.library.unt.edu/ark:/67531/metadc804915/m1/27/: accessed July 17, 2024), University of North Texas Libraries, UNT Digital Library, https://digital.library.unt.edu.