TY - GEN
T1 - OS-SOMMELIER
T2 - 3rd ACM Symposium on Cloud Computing, SoCC 2012
AU - Gu, Yufei
AU - Fu, Yangchun
AU - Prakash, Aravind
AU - Lin, Zhiqiang
AU - Yin, Heng
PY - 2012
Y1 - 2012
N2 - Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives or false negatives, and do so within only 2 seconds on average.
AB - Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives or false negatives, and do so within only 2 seconds on average.
KW - Cloud computing
KW - Memory forensics
KW - Operating system fingerprinting
KW - Virtual machine introspection
UR - http://www.scopus.com/inward/record.url?scp=84870525044&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84870525044&partnerID=8YFLogxK
U2 - 10.1145/2391229.2391234
DO - 10.1145/2391229.2391234
M3 - Conference contribution
AN - SCOPUS:84870525044
SN - 9781450317610
T3 - Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012
BT - Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012
Y2 - 14 October 2012 through 17 October 2012
ER -