Live forensics of software attacks on cyber–physical systems

Abstract

Increasingly, Cyber–physical Systems are expected to operate in different environments and interconnect with a diverse set of systems, equipment, and networks. This openness to heterogeneity, diversity, and complexity introduces a new level of vulnerabilities, which adds to the consistent need for security including the digital forensics capabilities. Digital investigators utilize the information on the attacker’s computer to find clues that may help in proving a case. One aspect is the digital evidence that can be extracted from the main memory (RAM), which includes live information about running programs. A program’s states, represented by variables’ values, vary in their scope and duration. This paper explores RAM artifacts of Java programs. Because JVMs can run on various platforms, we compare the same program on three different implementations of JVM from forensic perspectives. Our investigation model assumes no information is provided by the underlying OS or JVM. Our results show that a program’s states can still be extracted even after the garbage collector is explicitly invoked, the software is stopped, or the JVM is terminated. This research helps investigators identify the software used to launch the attack and understand its internal flows. Investigators can utilize this information to accuse the perpetrators and recover from attacks.

Introduction

Cyber–physical Systems (CPS) can be defined as the result of integration between computations and physical processes, in which computations affect the physical processes and vice versa [[1], [2], [3]].However, due to the recent technological advances in computations and communications, more of these CPS systems are connected to the Internet and communicating with each other and with traditional computing machines [4]. These machines can be hijacked and compromised by perpetrators, who may intend to do harmful actions or compromise the functionalities of these CPS systems. This mandates the need to elevate the security measurements, including the Digital Forensics (DF) capabilities. Digital Investigators (DI) need to be able to detect the perpetrator’s activities; including the ability to find and identify any possible harmful or illegal concession made on the system and to uncover the perpetrator.

Though, often these perpetrators utilize computers and software to execute or cover their attacks. Locating the presumed software on their machine’s hard disk might not be a strong evidence about its actual usage. A definite evidence might be needed to prove that the perpetrator has actually used the software [5]. This evidence can be found in several places, one of which is the Main Memory (RAM) of the used machine. RAM encompasses vital information about the very recent states of a system such as its active processes and their execution states [[6], [7]].

A software current execution state resides in RAM. However, often program’s execution states are formalized by the execution paths of the encountered source code. Identifying this path can help in detecting the control-flow and data-flow of the presumed software and then characterizing the possible values of various variables that ought to be scattered over different RAM pages. Obviously, the use of object oriented programs increases the complexity of execution states, evidenced in part by the difficulty of its software testing process [8]. Software variables of an OOP can be categorized based on their scopes, access modifiers, and execution lifetimes. A variable’s scope and its access modifier determine the visibility of a variable and where it can be accessed within the program’s source code. Hence, a variable’s storage, which is defined by the memory type such as stack and heap, determines the duration in which its value is allocated and released [9]. On the other hand, variables can be classified based on whether they are allowed to be changed during execution and how these changes are visible within various parts of the program’s source code. For example, in Java, the program do not change variables’ values that are marked with $final$ once they are assigned, such variables are often initialized with literal values. These literals might be unique to the executable program and its execution state. Moreover, many other non-constant variables might be assigned with literal values too. When these literals are unique to the presumed program’s source code and some of its execution paths, then retaining these values in RAM can be used to establish the Digital Evidences (DE), define the actual software usage and assert its distinct execution path.

Common DF tools and techniques are not designed and developed to stop an attack, but to identify the source of an incident, determine its type, preserve the DE, and analyze the findings [10]. This paper focuses on the Memory Forensics (MF) of the Java-based software usage. It identifies various DE that would be employed to confirm the software usage and its association with the crime. The research methodology presented in this paper is relying solely on mining the core dumps of the physical memory of the host machine and assuming no information is available from the Operating System (OS) or the used Java Virtual Machine (JVM).

In order to verify our approach, various experiments and scenarios are established, for each of which a RAM dump is created and analyzed. During the analysis process, various variables’ scopes and memory types are assumed. Our experiments are designed to establish the DE between source code related values that obtained from the execution states of a running Java program and compare these DE when the internal implementation of the used JVM is different. JVMs that are running on all of MS Windows, Mac OS X, and Fedora Linux are investigated and the obtained DE are compared between similar scenarios.

Our results show that regardless of whether the program is running, the JVM is active or just stopped, the DI can employ knowledge from the presumed program’s source code such as static and instance level variables and their potential values in order to confirm the actual usage of the software; based on identifying these values in corresponding RAM dumps. Hence, some values of local variables are not expected to be successfully located when their corresponding stack frames are not active, though most of which are successfully identified. Additionally, values of static variables and local variables of static methods are often found to have longer duration in memory than the instance related values. Furthermore, in most cases, dynamically allocated values are identified in RAM dumps even after the Garbage Collector (GC) is explicitly invoked or even after the program is terminated. A comprehensive comparison between our findings during various possible scenarios and variable states are ascertained on all investigated platforms.

The rest of this paper is organized as follows. Section 2 presents a deeper look at CPS systems, in which our research motivations are presented and the needed security measurements are highlighted. Section 3 reviews some of the background knowledge used in this paper. Section 4 presents our investigation model and explains how it employs information available in the program’s source code to confirm that the program is actually used in the attack. Section 5 describes our experiments whereas our results are presented in Section 6. Section 7 presents our related work. Finally, our planned future work is presented in Section 8 whereas Section 9 concludes our findings.