K-binID: Kernel binary code identification for Virtual Machine Introspection

Abstract

Virtual Machine Introspection (VMI) techniques generally employ kernel symbols to obtain addresses of kernel data and functions of interest to monitor guest OS states and activities. However, employing kernel symbols in an Infrastructure as a Service (IaaS) cloud presumes perfect knowledge of what kernel version and customization is running in an introspected VM. Moreover, existing kernel fingerprinting techniques are limited in precision and usability due to insufficient coverage of kernel code. So they are not suitable for IaaS cloud. In this paper, we present K-binID, a set of new automatic and OS-independent techniques based on static binary code analysis that enables the hypervisor to precisely identify version and customization of VM main kernel binary code (among a set of known kernels). K-binID achieves this in black-box regardless of challenges presented by compiler optimizations and kernel base address randomization. We designed and implemented our prototype of K-binID on KVM hypervisor. K-binID evaluation on a variety of Linux kernel binary code versions shows that, in 1 to 5 seconds, K-binID identifies precisely both the kernel version and customization of all tested kernels.