OS-SOMMELIER: Memory-only operating system fingerprinting in the cloud

Yufei Gu, Yangchun Fu, Aravind Prakash, Zhiqiang Lin, Heng Yin

Research output: Chapter in Book/Entry/Poem › Conference contribution

36 Scopus citations


Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives or false negatives, and do so within only 2 seconds on average.

Original language: English (US)
Title of host publication: Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012
State: Published - 2012
Event: 3rd ACM Symposium on Cloud Computing, SoCC 2012 - San Jose, CA, United States
Duration: Oct 14 2012 → Oct 17 2012

Publication series

Name: Proceedings of the 3rd ACM Symposium on Cloud Computing, SoCC 2012


Other: 3rd ACM Symposium on Cloud Computing, SoCC 2012
Country/Territory: United States
City: San Jose, CA


  • Cloud computing
  • Memory forensics
  • Operating system fingerprinting
  • Virtual machine introspection

ASJC Scopus subject areas

  • Software

