K-binID: Kernel Binary Code Identification for Virtual Machine Introspection - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2017

K-binID: Kernel Binary Code Identification for Virtual Machine Introspection

Abstract

Virtual Machine Introspection (VMI) techniques generally rely on kernel symbols to obtain the addresses of the kernel data and functions they need in order to monitor guest OS state and activity. However, using kernel symbols in an Infrastructure as a Service (IaaS) cloud presumes perfect knowledge of which kernel version and customization is running in the introspected VM. Moreover, existing kernel fingerprinting techniques are limited in precision and usability because they cover too little of the kernel code, so they are not suitable for an IaaS cloud. In this paper, we present K-binID, a set of new automatic and OS-independent techniques based on static binary code analysis that enable the hypervisor to precisely identify the version and customization of a VM's main kernel binary code (among a set of known kernels). K-binID achieves this in a black-box manner, despite the challenges posed by compiler optimizations and kernel base address randomization. We designed and implemented a prototype of K-binID on the KVM hypervisor. Evaluating K-binID on a variety of Linux kernel binary code versions shows that, in 1 to 5 seconds, it precisely identifies both the kernel version and the customization of every tested kernel.
No file deposited

Dates and versions

hal-01520867, version 1 (11-05-2017)

Cite

Yacine Hebbal, Sylvie Laniepce, Jean-Marc Menaud. K-binID: Kernel Binary Code Identification for Virtual Machine Introspection. DSC 2017 : IEEE Conference on Dependable and Secure Computing, Aug 2017, Taipei, Taiwan. ⟨10.1109/DESEC.2017.8073801⟩. ⟨hal-01520867⟩
302 views
0 downloads
