Conference papers

K-binID: Kernel Binary Code Identification for Virtual Machine Introspection

Abstract: Virtual Machine Introspection (VMI) techniques generally rely on kernel symbols to obtain the addresses of the kernel data and functions of interest, in order to monitor guest OS state and activity. However, using kernel symbols in an Infrastructure as a Service (IaaS) cloud presumes perfect knowledge of which kernel version and customization is running in the introspected VM. Moreover, existing kernel fingerprinting techniques are limited in precision and usability because they cover only a small part of the kernel code, which makes them unsuitable for IaaS clouds. In this paper, we present K-binID, a set of new automatic and OS-independent techniques based on static binary code analysis that enables the hypervisor to precisely identify the version and customization of a VM's main kernel binary code (among a set of known kernels). K-binID achieves this in a black-box manner, despite the challenges posed by compiler optimizations and kernel base address randomization. We designed and implemented a prototype of K-binID on the KVM hypervisor. Evaluating K-binID on a variety of Linux kernel binary code versions shows that, in 1 to 5 seconds, it precisely identifies both the kernel version and the customization of every tested kernel.
Contributor: Jean-Marc Menaud
Submitted on: Thursday, May 11, 2017 - 10:35:00 AM
Last modification on: Friday, August 5, 2022 - 2:54:52 PM
Yacine Hebbal, Sylvie Laniepce, Jean-Marc Menaud. K-binID: Kernel Binary Code Identification for Virtual Machine Introspection. DSC 2017: IEEE Conference on Dependable and Secure Computing, Aug 2017, Taipei, Taiwan. ⟨10.1109/DESEC.2017.8073801⟩. ⟨hal-01520867⟩