Christian Sarmoria
Steve Chapin

Abstract

The post-mortem state of a compromised system may not contain enough evidence regarding what transpired during an attack to explain the attacker’s modus operandi. Current systems that reconstruct sequences of events gather potential evidence at runtime by monitoring events and objects at the system call level. The reconstruction process starts with a detection point, such as a file with suspicious contents, and establishes a dependency chain with all the processes and files that could be related to the compromise, building a path back to the origin of the attack. However, system call support is lost after a file is memory-mapped because all read and write operations on the file in memory thereafter are through memory pointers. We present a runtime monitor to log read and write operations in memory-mapped files. The basic concept of our approach is to insert a page fault monitor in the kernel’s memory management subsystem. This monitor guarantees the correct ordering of the logs that represent memory access events when two or more processes operate on a file in memory. Our monitor increases accuracy to current reconstruction systems by reducing search time, search space, and false dependencies.