An Experience Report on Extracting and Viewing Memory Events via Wireshark
Sarah Laing, Michael E. Locasto, and John Aycock, University of Calgary
Modern program analysis environments lack a principled method of monitoring low-level memory events. Such monitoring is of great value to activities like debugging, reverse engineering, vulnerability analysis, and security policy enforcement. Although current systems can be coerced to produce streams of memory events, most such techniques are inefficient or overly invasive and offer unconstrained control over memory, which can subvert the reliability of such memory interposition as part of the attack engineering workflow.
Our system, Cage, is a kernel-level mechanism for monitoring the memory events of a process. Like several existing memory trapping systems, Cage modifies and uses the functionality of the Linux kernel memory page subsystem. Cage translates the memory activity of a process into a packet-like format, and these events are exported over a network device. The memory event packets can be captured and displayed using an existing network packet analyzer (Wireshark). At present, Cage can monitor the memory events for the data, stack, and heap of a process as well as arbitrarily cage any other memory region. We have caged a Gnome login session successfully and noticed no ill effects. We discuss several potential applications that arise from imposing this “network packet” metaphor on memory events.
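To make the "memory events as packets" metaphor concrete, here is an added Python example (not code from the paper or from Cage itself) that encodes constructed memory events into a libpcap capture using a private link type, so a packet analyzer such as Wireshark can open it, and parses the capture back into events. The 24-byte record layout, the LINKTYPE_USER0 choice and the sample values are assumptions for illustration, not Cage's actual wire format.

```python
import io
import struct

# Assumed memory-event record layout (constructed for this example, not Cage's format):
#   uint64 address, uint32 length, uint8 op (0=read, 1=write), uint8 pad, uint16 pid, uint64 pc
EVENT_FMT = "<QIBBHQ"            # little-endian, packed: 8+4+1+1+2+8 = 24 bytes
EVENT_SIZE = struct.calcsize(EVENT_FMT)
OP_READ, OP_WRITE = 0, 1

# libpcap file constants (standard values)
PCAP_MAGIC = 0xA1B2C3D4
PCAP_GLOBAL_HDR = "<IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_PKT_HDR = "<IIII"           # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_USER0 = 147             # DLT_USER0: reserved for private/custom dissectors

def encode_event(address, length, op, pid, pc):
    """Pack one memory event into the assumed packet-like record."""
    return struct.pack(EVENT_FMT, address, length, op, 0, pid, pc)

def decode_event(data):
    """Unpack one record; raises struct.error if the record is truncated."""
    address, length, op, _pad, pid, pc = struct.unpack(EVENT_FMT, data[:EVENT_SIZE])
    return {"address": address, "length": length, "op": op, "pid": pid, "pc": pc}

def write_pcap(records, ts_base=1_400_000_000):
    """Serialize encoded records into an in-memory pcap tagged with LINKTYPE_USER0."""
    buf = io.BytesIO()
    buf.write(struct.pack(PCAP_GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0))
    for i, rec in enumerate(records):
        # constructed timestamps: one event per microsecond after ts_base
        buf.write(struct.pack(PCAP_PKT_HDR, ts_base, i, len(rec), len(rec)))
        buf.write(rec)
    return buf.getvalue()

def read_pcap(blob):
    """Parse a pcap blob back into decoded events; reject captures of another link type."""
    magic, _maj, _min, _tz, _sf, _snap, linktype = struct.unpack(PCAP_GLOBAL_HDR, blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_USER0:
        raise ValueError("not a memory-event capture")
    off, events = 24, []
    while off + 16 <= len(blob):
        _s, _us, incl, _orig = struct.unpack(PCAP_PKT_HDR, blob[off:off + 16])
        off += 16
        events.append(decode_event(blob[off:off + incl]))
        off += incl
    return events

def writes_into(events, lo, hi):
    """Filter (like a display filter) for writes touching the caged range [lo, hi)."""
    return [e for e in events if e["op"] == OP_WRITE and lo <= e["address"] < hi]
```

The resulting file opens in Wireshark as raw DLT_USER0 frames; a custom dissector for the assumed record layout would then present each memory event as a decoded packet.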
author = {Sarah Laing and Michael E. Locasto and John Aycock},
title = {An Experience Report on Extracting and Viewing Memory Events via Wireshark},
booktitle = {8th USENIX Workshop on Offensive Technologies (WOOT 14)},
year = {2014},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/woot14/workshop-program/presentation/laing},
publisher = {USENIX Association},
month = aug
}