Students create open source, cross-platform memory scanning tool
Mozilla has unveiled the result of a successful project executed by a group of Computer Science students from Argentina: it’s called Masche, and it’s an open source, cross-platform tool for inspecting the content of the memory of a system and detecting threats.
The Masche project, started in mid-2014 as part of Mozilla’s Winter of Security (MWOS) program whose goal is to involve students in building security tools, has been executed by students Agustin Martinez Suñé, Marco Vanotti, Nahuel Lascano, Patricio Palladino, aided by Professor Alejandro Furfaro, and advised by Julien Vehent, one of the members of Mozilla’s Operations Security team.
“Mozilla operates thousands of servers to build products and run services for our users. Keeping these servers secure is the primary concern of the Operations Security team, and the reason why we have built Mozilla InvestiGator (MIG), a cross-platform endpoint security system,” Vehent noted in a recent blog post.
“MIG can inspect the file system and network information of thousands of hosts in parallel, which greatly helps increase visibility across the infrastructure. But until recently, it lacked the ability to look into the memory of running processes, a need that often arises during security investigations,” he explained the motivation behind the creation of Masche.
Mozilla was looking for a less invasive and more lightweight alternative to popular memory inspection libraries, and Masche fits the bill, so the company is turning it into a module for their MIG system.
“The typical approach in memory forensic is to dump the memory of a system, and perform analysis on another system,” the team explained. Masche can do this by inspecting its own memory.
“Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast,” added Vehent.
As required by the MWOS program, the tool’s source code is open source, and can be picked up here. It can run on Linux, OS X and Windows.