Fret not, Linux fans, Microsoft's Project Freta is here to peer deep into your memory... to spot malware
Shining a Rust-based forensic light into the darker corners of images
Boffins at Microsoft Research have pulled the covers off Project Freta, a free service aimed at spotting memory malfeasance.
A technology demonstration named for the street in Warsaw, Poland where Marie Curie was born, Freta comes from the NExT Security Ventures (NSV) team and is all about taking a VM snapshot and scanning the volatile memory for signs of nefarious behaviour.
Smile, you've been snapped
By working on a captured image and not interacting with the OS, Microsoft reckons the project has a better chance of identifying malware before the offending code can cover its tracks (and potentially destroy data). The snapshot approach also means there is no need for agents and their like when hunting kernel rootkits and other malicious software.
The project kicked off two years ago, partially in response to existing malware sensors being evaded as malicious code gained the ability to spot when it was being observed and self-destruct to prevent discovery.
Taking a different path to the sensor-malware arms race, the Project Freta requirements called for an offline analysis system that could work in batch mode and a sensor to provide memory captures without executing a clarifying instruction on the guest.
4,000 Linux kernels are now supported (Windows is on the roadmap) and Freta will accept four types of memory images: Hyper-V Memory Snapshot (.vmrs files), LiME image (.lime files), ELF Core Dump of Physical Memory (.core files) and Raw Physical Memory Dump (.raw files).
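As an added example (not code from Microsoft, the Freta SDK or the AVML project), here is a small Python sniffer an investigator could run over a capture before uploading it, to tell three of the accepted formats apart: a LiME image by its 32-byte segment header (magic, version, start, end, reserved, as laid out in the LiME project's lime.h), an ELF core dump by its e_type, and raw as the headerless fallback. It also walks a LiME image segment by segment so a truncated capture is caught locally; the Hyper-V .vmrs layout is not described on this page, so it is not handled, and the sample images are constructed inline.

```python
import struct
from typing import List, Tuple

LIME_MAGIC = 0x4C694D45                  # appears on disk as the bytes b"EMiL"
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved
ELF_MAGIC = b"\x7fELF"
ET_CORE = 4                              # e_type value for a core file


def lime_segments(data: bytes) -> List[Tuple[int, int]]:
    """Walk the concatenated LiME segments and return [(s_addr, e_addr), ...].
    Raises ValueError if a header is bad or a segment runs past the end of the file."""
    segs, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated LiME header at offset {off}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at offset {off}")
        if e_addr < s_addr:
            raise ValueError(f"inverted address range at offset {off}")
        off += LIME_HEADER.size
        length = e_addr - s_addr + 1     # LiME ranges are inclusive
        if off + length > len(data):
            raise ValueError(f"segment at offset {off} runs past end of file")
        segs.append((s_addr, e_addr))
        off += length
    return segs


def classify_image(data: bytes) -> str:
    """Return 'lime', 'core', 'elf-not-core' or 'raw' (raw has no header, so it is the fallback)."""
    if data[:4] == ELF_MAGIC and len(data) >= 18:
        endian = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        return "core" if e_type == ET_CORE else "elf-not-core"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == LIME_MAGIC:
        return "lime"
    return "raw"


def make_lime_image(segments: List[Tuple[int, bytes]]) -> bytes:
    """Build a constructed LiME image from [(s_addr, payload), ...] for testing."""
    out = b""
    for s_addr, payload in segments:
        hdr = LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\x00" * 8)
        out += hdr + payload
    return out


# Constructed sample images: two LiME segments, a minimal 64-bit ELF core header, and zeroed raw bytes.
SAMPLE_LIME = make_lime_image([(0x1000, b"A" * 16), (0x100000, b"B" * 8)])
SAMPLE_CORE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<H", ET_CORE) + b"\x00" * 46
SAMPLE_RAW = b"\x00" * 64
```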
"Currently," explained Mike Walker, senior director at NExT Security Ventures, "only a Hyper-V checkpoint has been evaluated to provide a reasonable approximation of the 'element of surprise' necessary to achieve trusted sensing."
Once a snapshot is uploaded to the portal (or via an API for automation fans), Freta will spit out a report breaking down the artefacts present when the volatile memory was imaged. Details such as the kernel modules, interrupt table and in-memory files are all there for inspection.
Very much a tool for investigators, Project Freta will also have a crack at inferring the presence of malware and note potential rootkits, but "it does not flag everything" according to Microsoft. The gang also recommends comparing images over time to check for malware that only operates at specific times or in response to certain events.
A sensor has also been developed for Azure that will shunt the volatile memory of live VMs to offline analysis without disrupting execution, but only Microsoft's own researchers currently have access to it. For Project Freta, the plan is to add Windows support and fiddle with AI decision making for spotting novel threats.
Project Freta is currently a free service. While the service itself is not fully open source, Microsoft has shovelled a client-side SDK into GitHub, replete with a Python-based command line interface.
While the source behind Project Freta is not yet public, some bits of the code referenced can be found. An engineer on the project directed those interested to Microsoft's AVML (Acquire Volatile Memory for Linux) in GitHub. AVML is an x86_64 userland volatile memory acquisition tool, which can acquire memory without being aware of the target OS distribution. Sound a bit familiar? Like Project Freta, it is written in Rust. ®