An Introspection-Based Memory Scraper Attack against Virtualized Point of Sale Systems

  • Jennia Hizver
  • Tzi-cker Chiueh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7126)


Retail industry Point of Sale (POS) computer systems are frequently targeted by hackers for credit/debit card data. In response to increasing security threats, new security standards requiring encryption for card data storage and transmission were introduced, making harvesting card data more difficult. However, encryption can be circumvented by extracting unencrypted card data from the volatile memory of POS systems. One scenario investigated in this empirical study is the introspection-based memory scraping attack. The vulnerability of nine commercial POS applications running on a virtual machine was assessed with a novel tool, which exploited the virtual machine state introspection capabilities supported by modern hypervisors to automatically extract card data from the POS virtual machines. The tool efficiently extracted 100% of the credit/debit card data from all POS applications. This is the first detailed description of an introspection-based memory scraping attack on virtualized POS systems.


Keywords: Virtual Machine; Physical Memory; Card Data; Payment Card; Window Memory
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jennia Hizver (1)
  • Tzi-cker Chiueh (1)
  1. Department of Computer Science, Stony Brook University, Stony Brook, USA
