
A Framework to Reverse Engineer Database Memory by Abstracting Memory Areas

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12391)

Abstract

The contents of RAM in an operating system (OS) are a critical source of evidence for malware detection or system performance profiling. Digital forensics has focused on reconstructing OS RAM structures to detect malware patterns at runtime. In an ongoing arms race, these RAM reconstruction approaches must be designed for the attack they are trying to detect. Even though database management systems (DBMS) are collectively responsible for storing and processing most data in organizations, the equivalent problem of memory reconstruction has not been considered for DBMS-managed RAM.

In this paper, we propose and evaluate a systematic approach to reverse engineer data structures and access patterns in DBMS RAM. Rather than develop a solution for specific scenarios, we describe an approach to detect and track any RAM area in a DBMS. We evaluate our approach with the four most common RAM areas in well-known DBMSes; this paper describes the design of each area-specific query workload and the process to capture and quantify that area at runtime. We further evaluate our approach by observing the RAM data flow in the presence of built-in DBMS encryption. We present an overview of available DBMS encryption mechanisms, their relative advantages and disadvantages, and then illustrate the practical implications for the four memory areas.



Author information

Corresponding author

Correspondence to James Wagner.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Wagner, J., Rasin, A. (2020). A Framework to Reverse Engineer Database Memory by Abstracting Memory Areas. In: Hartmann, S., Küng, J., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Database and Expert Systems Applications. DEXA 2020. Lecture Notes in Computer Science, vol 12391. Springer, Cham. https://doi.org/10.1007/978-3-030-59003-1_20

  • DOI: https://doi.org/10.1007/978-3-030-59003-1_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59002-4

  • Online ISBN: 978-3-030-59003-1

  • eBook Packages: Computer Science, Computer Science (R0)
