We describe min-c, a C interpreter that solves the generalized problem of the "semantic gap." The semantic gap exists in virtual machine introspection (VMI) and in volatile memory forensics because the analysis does not run inside the native hardware environment. For example, a pointer in a data structure in a process cannot be used without translation to a physical address, and that translation is a function of the native hardware and operating system. The usual solution is to build an OS interface library to provide the necessary translations. This is brittle, as it must constantly track OS versions. Min-c solves this problem by enabling automatic generation of the OS interface library from native OS code itself, or from debugging symbols when source is not available. We describe the design of min-c and our method for automatically building the semantic interface database required for type interpretation for both Linux and Windows OSs.
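As an added illustration of the translation gap the abstract describes (constructed example code, not min-c and not code from the paper): a toy memory image with a one-level page table, in which a linked list can only be followed once each guest virtual pointer is translated to an image offset, while reading the pointer values as raw offsets yields garbage. The page size, table layout, struct layout and all names are assumptions.

```python
import struct

PAGE = 256                     # assumed toy page size
mem = bytearray(PAGE * 16)     # constructed 4 KiB "physical memory" image
UNMAPPED = 0xFFFFFFFF

# Toy one-level page table at physical page 0: one 4-byte LE entry per virtual page.
for vpn in range(16):
    struct.pack_into("<I", mem, vpn * 4, UNMAPPED)
struct.pack_into("<I", mem, 5 * 4, 9)   # virtual page 5 -> physical page 9
struct.pack_into("<I", mem, 6 * 4, 3)   # virtual page 6 -> physical page 3

def v2p(vaddr):
    """Translate a guest virtual address to an offset in the image."""
    vpn, off = divmod(vaddr, PAGE)
    if vpn >= 16:
        raise ValueError(f"virtual address {vaddr:#x} outside the toy address space")
    ppn = struct.unpack_from("<I", mem, vpn * 4)[0]
    if ppn == UNMAPPED:
        raise ValueError(f"unmapped virtual address {vaddr:#x}")
    return ppn * PAGE + off

# struct node { uint32_t value; uint32_t next; } -- next holds a guest virtual address
NODE = struct.Struct("<II")

def write_node(vaddr, value, nxt):
    NODE.pack_into(mem, v2p(vaddr), value, nxt)

# Constructed list: three nodes scattered over two virtual pages.
HEAD = 5 * PAGE + 0x10
write_node(HEAD, 11, 6 * PAGE + 0x40)
write_node(6 * PAGE + 0x40, 22, 5 * PAGE + 0x80)
write_node(5 * PAGE + 0x80, 33, 0)

def walk_list(head, max_nodes=64):
    """Follow next pointers through the page table; cap the length against cycles."""
    values, cur = [], head
    while cur and len(values) < max_nodes:
        value, cur = NODE.unpack_from(mem, v2p(cur))
        values.append(value)
    return values

def naive_walk(head, max_nodes=64):
    """Same walk, but treating pointer values as raw image offsets (no translation)."""
    values, cur = [], head
    while cur and len(values) < max_nodes:
        value, cur = NODE.unpack_from(mem, cur)
        values.append(value)
    return values

if __name__ == "__main__":
    print(walk_list(HEAD))   # [11, 22, 33]
    print(naive_walk(HEAD))  # [0]: reads zeroed bytes at raw offset 0x510
```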
Keywords: Forensics, memory analysis, virtual machine introspection, semantic gap, volatile memory, C interpreter