Integrity verification of user space code

Bibliographic Details
Published in Digital investigation Vol. 10; pp. S59 - S68
Main Authors White, Andrew, Schatz, Bradley, Foo, Ernest
Format Journal Article
Language English
Published Kidlington Elsevier Ltd 01.08.2013
Elsevier Science Ltd
Summary: We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purposes of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in-depth. Our approach is implemented and evaluated on a selection of malware samples with user space components as well as a collection of common Windows applications. The results demonstrate that our approach is highly effective at reducing the amount of memory requiring manual analysis, highlighting the presence of malicious code in all the malware sampled.
ISSN:1742-2876
1873-202X
DOI:10.1016/j.diin.2013.06.007