US-20260127019-A1 - SYSTEM CALL TRACE RECONSTRUCTION
Abstract
Technologies for system call trace reconstruction are described. A system includes a memory and one or more processors. Responsive to detecting a change in a first value of a first memory location of a set of memory locations, the one or more processors determine that an execution of a first system call corresponding to a process has occurred. The one or more processors further retrieve one or more values of one or more second memory locations of the set of memory locations, the one or more second memory locations being associated with the first system call responsive to determining that the execution of the first system call corresponding to the process has occurred. The one or more processors further provide an output identifying identification of the first system call corresponding to the process based on the one or more values of the one or more second memory locations.
Inventors
- Thanh Ngoc Nguyen
- Meni Orenbach
- Ahmad Atamli
Assignees
- MELLANOX TECHNOLOGIES, LTD.
Dates
- Publication Date: 2026-05-07
- Application Date: 2025-12-29
Claims (20)
- 1. A computing system, comprising: a memory; and one or more processors, coupled to the memory, to: responsive to detecting a change in a first value of a first memory location of a set of memory locations, determining that an execution of a first system call corresponding to a process has occurred, wherein the first value indicates a status of the first system call corresponding to the process; responsive to determining that the execution of the first system call corresponding to the process has occurred, retrieving one or more values of one or more second memory locations of the set of memory locations, the one or more second memory locations being associated with the first system call; and providing an output identifying identification of the first system call corresponding to the process based on the one or more values of the one or more second memory locations.
- 2. The computing system of claim 1, wherein the one or more processors are further to: extract data indicating a thread context of a kernel memory structure comprising the set of memory locations, the thread context corresponding to a first operating system (OS), wherein the set of memory locations are determined based on the thread context.
- 3. The computing system of claim 2, wherein the data comprises a first Intermediate Symbol Table (IST) corresponding to the first OS.
- 4. The computing system of claim 1, wherein the one or more processors are further to: determine an instance of malware associated with the process based on an identity of the first system call; and provide a second output indicating the instance of malware.
- 5. The computing system of claim 1, wherein the one or more processors are further to: poll access requests to the set of memory locations of a kernel memory structure.
- 6. The computing system of claim 5, wherein the kernel memory structure corresponds to a kernel stack of a first operating system.
- 7. The computing system of claim 1, wherein the process corresponds to a virtual machine (VM) and the one or more processors are associated with a hypervisor.
- 8. A method comprising: responsive to detecting a change in a first value of a first memory location of a set of memory locations, determining, by one or more processors, that an execution of a first system call corresponding to a process has occurred, wherein the first value indicates a status of the first system call corresponding to the process; responsive to determining that the execution of the first system call corresponding to the process has occurred, retrieving, by the one or more processors, one or more values of one or more second memory locations of the set of memory locations, the one or more second memory locations being associated with the first system call; and providing, by the one or more processors, an output identifying identification of the first system call corresponding to the process based on the one or more values of the one or more second memory locations.
- 9. The method of claim 8, further comprising: extracting, by the one or more processors, data indicating a thread context of a kernel memory structure comprising the set of memory locations, wherein the thread context corresponds to a first operating system (OS), wherein the set of memory locations are determined based on the thread context.
- 10. The method of claim 9, wherein the data comprises a first Intermediate Symbol Table (IST) corresponding to the first OS.
- 11. The method of claim 8, wherein the process corresponds to a virtual machine (VM) and the one or more processors are associated with a hypervisor, wherein at least a portion of the method is carried out by the hypervisor.
- 12. The method of claim 8, further comprising: determining, by the one or more processors, an instance of malware associated with the process based on an identity of the first system call; and providing, by the one or more processors, a second output indicating the instance of malware.
- 13. The method of claim 8, further comprising: polling, by the one or more processors, access requests to the set of memory locations of a kernel memory structure.
- 14. The method of claim 13, wherein the kernel memory structure corresponds to a kernel stack of a first operating system.
- 15. The method of claim 13, further comprising: determining, by the one or more processors, a null character within a third memory location of the kernel memory structure, wherein the set of memory locations are determined based on a proximity between the set of memory locations and the third memory location.
- 16. A non-transitory computer-readable storage medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: responsive to detecting a change in a first value of a first memory location of a set of memory locations, determining that an execution of a first system call corresponding to a process has occurred, wherein the first value indicates a status of the first system call corresponding to the process; responsive to determining that the execution of the first system call corresponding to the process has occurred, retrieving one or more values of one or more second memory locations of the set of memory locations, the one or more second memory locations being associated with the first system call; and providing an output identifying identification of the first system call corresponding to the process based on the one or more values of the one or more second memory locations.
- 17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions further cause the one or more processors to perform operations comprising: extracting data indicating a thread context of a kernel memory structure comprising the set of memory locations, the thread context corresponding to a first operating system (OS), wherein the set of memory locations are determined based on the thread context.
- 18. The non-transitory computer-readable storage medium of claim 17, wherein the kernel memory structure corresponds to a kernel stack of a first operating system.
- 19. The non-transitory computer-readable storage medium of claim 16, wherein the instructions further cause the one or more processors to perform operations comprising: determining an instance of malware associated with the process based on an identity of the first system call; and providing a second output indicating the instance of malware.
- 20. The non-transitory computer-readable storage medium of claim 19, wherein the process corresponds to a virtual machine (VM) and the one or more processors are associated with a hypervisor.
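The following is an added example, not code from the patent or from the assignee: a user-space C model of the loop claimed in claims 1, 5 and 15. A constructed byte array stands in for a guest kernel stack that an out-of-VM observer can read but does not hook. The observer watches a single word (the status of the current system call, the "first memory location"); only when that word changes does it read the neighbouring words (system call number and arguments, the "second memory locations") and emit a trace record. The frame layout, the NUL-terminated thread-name marker used to locate the frame (the claim 15 null-character proximity rule), the constant offsets and the small system call name table are all assumptions of this example, chosen so it runs offline.

```c
/*
 * Added example, not the patent's implementation. Models system call trace
 * reconstruction by sampling a snapshot of a guest kernel stack: detect a
 * change in one status word, then read the words next to it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 4096
#define NARGS 6
#define MARKER_OFF 64   /* assumed offset of the guest's thread-name string */

/* Saved register frame at system call entry. Constructed layout, loosely
 * modelled on a Linux x86-64 pt_regs; not taken from the patent. */
struct frame {
    uint64_t args[NARGS];  /* rdi, rsi, rdx, r10, r8, r9 */
    uint64_t nr;           /* system call number (orig_rax) */
    uint64_t ret;          /* return value (rax), valid once status == RETURNED */
    uint64_t status;       /* the watched "first memory location" */
};

enum { IDLE = 0, ENTERED = 1, RETURNED = 2 };

/* Constructed stand-in for guest memory; a real tracer would map the VM's
 * physical memory through the hypervisor instead. */
static uint8_t guest_stack[STACK_BYTES];

static size_t align8(size_t v) { return (v + 7) & ~(size_t)7; }

/* ---- guest side: what the untraced VM does on its own ---- */

/* Lay out a NUL-terminated thread name followed by an idle frame. */
void guest_stack_reset(void) {
    memset(guest_stack, 0xAA, sizeof guest_stack);    /* non-zero filler */
    memcpy(guest_stack + MARKER_OFF, "kworker", 8);   /* 7 chars + NUL */
    struct frame idle;
    memset(&idle, 0, sizeof idle);
    memcpy(guest_stack + align8(MARKER_OFF + 8), &idle, sizeof idle);
}

static void guest_write_frame(uint64_t nr, const uint64_t *args, uint64_t ret, uint64_t status) {
    size_t off = align8(MARKER_OFF + 8);
    struct frame f;
    memcpy(&f, guest_stack + off, sizeof f);
    if (args) memcpy(f.args, args, sizeof f.args);
    if (status == ENTERED) f.nr = nr;
    if (status == RETURNED) f.ret = ret;
    f.status = status;
    memcpy(guest_stack + off, &f, sizeof f);
}

void guest_enter_syscall(uint64_t nr, const uint64_t *args) { guest_write_frame(nr, args, 0, ENTERED); }
void guest_exit_syscall(uint64_t ret) { guest_write_frame(0, NULL, ret, RETURNED); }

/* ---- observer side: runs outside the VM, only reads guest memory ---- */

struct event { uint64_t nr; uint64_t args[NARGS]; const char *name; };
struct tracer { size_t frame_off; uint64_t last_status; };

/* Constructed subset of Linux x86-64 system call numbers. */
static const char *syscall_name(uint64_t nr) {
    switch (nr) {
    case 0:   return "read";
    case 1:   return "write";
    case 59:  return "execve";
    case 257: return "openat";
    default:  return "unknown";
    }
}

/* Claim 15 style locator: find a NUL byte in the region and take the frame
 * to start at the next 8-byte boundary after it. Returns -1 if none found. */
int tracer_init(struct tracer *t) {
    for (size_t i = 0; i + 8 + sizeof(struct frame) <= STACK_BYTES; i++) {
        if (guest_stack[i] != 0) continue;
        t->frame_off = align8(i + 1);
        struct frame f;
        memcpy(&f, guest_stack + t->frame_off, sizeof f);
        t->last_status = f.status;   /* baseline; changes from here are events */
        return 0;
    }
    return -1;
}

/* One polling step. Only a change in the status word triggers a read of the
 * rest of the frame. Returns 1 and fills *ev on an entry transition. */
int tracer_poll(struct tracer *t, struct event *ev) {
    struct frame f;
    memcpy(&f, guest_stack + t->frame_off, sizeof f);
    if (f.status == t->last_status) return 0;
    t->last_status = f.status;
    if (f.status != ENTERED) return 0;   /* return transitions are not reported */
    ev->nr = f.nr;
    memcpy(ev->args, f.args, sizeof ev->args);
    ev->name = syscall_name(f.nr);
    return 1;
}

int main(void) {
    guest_stack_reset();
    struct tracer t;
    if (tracer_init(&t) != 0) { fputs("frame not located\n", stderr); return 1; }
    uint64_t a[NARGS] = {0xffffff9cULL, 0x7ffd1000ULL, 0, 0, 0, 0};
    guest_enter_syscall(257, a);
    struct event ev;
    if (tracer_poll(&t, &ev))
        printf("%s nr=%llu arg0=0x%llx arg1=0x%llx\n", ev.name,
               (unsigned long long)ev.nr, (unsigned long long)ev.args[0],
               (unsigned long long)ev.args[1]);
    guest_exit_syscall(3);
    return 0;
}
```

Two caveats a practitioner would keep in mind. A sampling poller like this one can miss a call that enters and returns between two polls, and can read a torn frame if the guest rewrites it between the status read and the argument read; the claims' polling of access requests to the locations (claim 5) rather than of their values is what closes that gap. The null-character locator is also only as good as the layout assumption behind it: a guest that places another zero byte ahead of the expected marker will mislead it, so a real tracer would derive the frame offset from the OS's thread context (claims 2 and 3) rather than from a scan alone.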
Description
RELATED APPLICATIONS
This application is a Continuation of and claims priority to U.S. application Ser. No. 17/890,850, filed on Aug. 18, 2022, which claims the benefit of U.S. Provisional Application No. 63/239,966, filed Sep. 2, 2021, and U.S. Provisional Application No. 63/359,750, filed Jul. 8, 2022, each of which is incorporated by reference herein in its entirety.

TECHNICAL FIELD
At least one embodiment pertains to system call trace reconstruction. For example, at least one embodiment pertains to live stack tracing.

BACKGROUND
Cyber-attacks commonly use malware as a means of damaging and/or destroying computers and/or computer systems. A widely used method of detecting malware is virtual machine introspection (VMI). Through forensic analysis of volatile memory, VMI detects malicious programs that have infiltrated virtual machines (VMs). When incidents occur, memory forensics can be used to gather information: by inferring the current state of a VM, such as its active processes and loaded kernel modules, and analyzing that state, malicious activity can be detected. Disk forensics, in contrast, examines the artifacts left behind by an attack. Using memory forensics to build a behavioral picture of malware and advanced persistent threats makes it harder for malware to remain undetected.

BRIEF DESCRIPTION OF DRAWINGS
Various embodiments in accordance with the present disclosure will be described with reference to the drawings, in which:
FIG. 1 illustrates a block diagram of a system call invocation flow, in accordance with at least some embodiments.
FIG. 2 is a diagram illustrating system call tracing, according to at least one embodiment.
FIG. 3A is a block diagram illustrating an intrusive system call tracing process, according to at least one embodiment.
FIG. 3B is a block diagram illustrating a non-intrusive system call tracing process, according to at least one embodiment.
FIG. 4 is a block diagram illustrating a kernel memory structure, according to at least one embodiment.
FIG. 5 is a block diagram illustrating a kernel memory structure, according to at least one embodiment.
FIG. 6 is a block diagram illustrating a system call trace reconstruction, according to at least one embodiment.
FIG. 7 is a flow diagram of a method for system call trace reconstruction, according to embodiments of the present disclosure.
FIG. 8 depicts a block diagram of an example computing device, operating in accordance with one or more aspects of the present disclosure.

DETAILED DESCRIPTION
Technologies for system call trace reconstruction are described. As described above, cyber-attacks commonly use malware as a means of damaging and/or destroying computers and/or computer systems. A widely used method of detecting malware is virtual machine introspection (VMI). Through forensic analysis of volatile memory, VMI detects malicious programs that have infiltrated virtual machines (VMs). When incidents occur, memory forensics can be used to gather information: by inferring the current state of a VM, such as its active processes and loaded kernel modules, and analyzing that state, malicious activity can be detected. Disk forensics, in contrast, examines the artifacts left behind by an attack. Using memory forensics to build a behavioral picture of malware and advanced persistent threats makes it harder for malware to remain undetected.

Cyber-crime is advancing, and malware's increasing ability to evade detection systems makes it more challenging to detect. A system call trace records the operations performed by the malware. System call tracing typically relies on memory forensic methods that operate on raw memory images and analyze kernel thread stack state to infer which system calls were executed. Trap-based methods instead use the processor's ability to hook events such as system calls, allowing a hypervisor to track each executed call. VMs can also be traced from inside their guest operating system (OS) with tools installed in the guest, such as "strace". However, this can cause a non-negligible performance degradation for conventional systems, and in-guest tracing tools also produce an observer effect: sophisticated malware can detect tracing tools and respond by hiding its behavior or by disabling them completely. To reduce malware's ability to avoid detection, VMI techniques place data acquisition outside the infected virtual machine. Existing VMI methods are nonetheless intrusive: they interfere with the execution of guest code, and so can impact the performance of programs running in the VM. In trap-based methods, every traced call forces a VM exit and re-entry, incurring a high latency penalty. And because existing memory forensic methods operate on a static raw memory image, recording a live system call trace of