OS-SOMMELIER: Memory-only operating system fingerprinting in the cloud

Yufei Gu, Yangchun Fu, Aravind Prakash, Zhiqiang Lin, Heng Yin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

30 Scopus citations

Abstract

Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives or false negatives, and do so within only 2 seconds on average.

Original language: English (US)
Title of host publication: Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012
DOIs: https://doi.org/10.1145/2391229.2391234
State: Published - Dec 10 2012
Event: 3rd ACM Symposium on Cloud Computing, SoCC 2012 - San Jose, CA, United States
Duration: Oct 14 2012 to Oct 17 2012

Publication series

Name: Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012

Other

Other: 3rd ACM Symposium on Cloud Computing, SoCC 2012
Country: United States
City: San Jose, CA
Period: 10/14/12 to 10/17/12

Keywords

  • Cloud computing
  • Memory forensics
  • Operating system fingerprinting
  • Virtual machine introspection

ASJC Scopus subject areas

  • Software


Cite this

Gu, Y., Fu, Y., Prakash, A., Lin, Z., & Yin, H. (2012). OS-SOMMELIER: Memory-only operating system fingerprinting in the cloud. In Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012. https://doi.org/10.1145/2391229.2391234