Abstract
The diversity of Linux kernel versions complicates Linux memory analysis, an established technique in security and forensic investigations. During memory forensics, the layouts of kernel data structures are essential: a memory image cannot be interpreted without knowing at which offset each member of structures such as task_struct lives. Existing solutions obtain this information from debugging information or by decompiling kernel functions, and each approach handles only a certain range of versions. In this paper, by collecting and analyzing a large number of Linux versions, we characterize how kernel versions differ and how struct member offsets change between versions. Furthermore, the Linux kernel exposes more than 10,000 configuration options, so a single kernel version can have many different structure layouts. To deal with this problem, we propose a method of identifying the kernel struct layout by brute-force matching: by examining the relationships between kernel structures, common features are extracted and used to test candidate offsets directly against the memory image. The experimental results show that the proposed technique deduces structure member offsets accurately and efficiently.
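The brute-force matching the abstract describes, as an added worked example that is not the paper's code: a constructed memory image holding a few fake task_structs (the kernel address BASE, the scan bound STRUCT_SIZE, the member offsets in TRUE_LAYOUT and the process list PROCS are all assumptions made up for this example), and a scanner that, knowing only the address of init_task, tests every candidate offset against invariants a member must satisfy across all tasks: a `tasks` list_head whose chain closes back on itself with every `prev` pointing at the previous entry, a `comm` that is a NUL-terminated printable string in every task, and a `pid` that is 0 for init_task and a distinct positive value elsewhere. These three invariants are this editor's illustration of "relationships between kernel structures", not the paper's feature set; the image also carries a `children`/`sibling` list and a `real_parent` pointer so the scan has decoys to reject.

```python
# Added example (not the paper's code): brute-force task_struct offsets from a
# constructed memory image. BASE, STRUCT_SIZE and the layout are assumptions.
import random
import struct

WORD = 8                         # x86-64 pointer size
BASE = 0xffff888000000000        # kernel address mapped at image offset 0 (assumption)
STRUCT_SIZE = 0x800              # scan bound on sizeof(task_struct) (assumption)
PID_MAX_LIMIT = 4 * 1024 * 1024  # kernel's hard pid ceiling on 64-bit

# Ground truth used only to build the synthetic image; the analyzer never sees it.
TRUE_LAYOUT = {"tasks": 0x3b8, "children": 0x420, "sibling": 0x430,
               "pid": 0x4f4, "real_parent": 0x520, "comm": 0x670}
PROCS = [(0, "swapper/0"), (1, "systemd"), (2, "kthreadd"), (3, "kworker/0:1")]

class Image:
    """Flat memory image: byte 0 of `data` is kernel address BASE."""
    def __init__(self, data):
        self.data = data
    def in_range(self, addr, size=WORD):
        return BASE <= addr and addr + size <= BASE + len(self.data)
    def u64(self, addr):
        return struct.unpack_from("<Q", self.data, addr - BASE)[0]
    def bytes_at(self, addr, n):
        return bytes(self.data[addr - BASE:addr - BASE + n])

def build_sample_image(layout, procs, seed=1):
    """Constructed image: fake task_structs on a circular `tasks` list, a
    children/sibling list under init, real_parent, pid and comm; the rest is noise."""
    n, rnd = len(procs), random.Random(seed)
    data = bytearray(rnd.getrandbits(8) for _ in range(0x200 + n * STRUCT_SIZE))
    addrs = [BASE + 0x100 + i * STRUCT_SIZE for i in range(n)]
    def link(heads):  # wire a circular doubly-linked list through list_head addresses
        for i, h in enumerate(heads):
            struct.pack_into("<QQ", data, h - BASE, heads[(i + 1) % len(heads)], heads[i - 1])
    link([a + layout["tasks"] for a in addrs])
    link([addrs[0] + layout["children"]] + [addrs[i] + layout["sibling"] for i in (1, 2)])
    for i, a in enumerate(addrs):
        if i not in (1, 2):
            link([a + layout["sibling"]])   # empty list_head points at itself
        if i != 0:
            link([a + layout["children"]])
        struct.pack_into("<Q", data, a - BASE + layout["real_parent"], addrs[0])  # decoy pointer
        struct.pack_into("<i", data, a - BASE + layout["pid"], procs[i][0])
        comm = procs[i][1].encode()[:15].ljust(16, b"\0")
        data[a - BASE + layout["comm"]:a - BASE + layout["comm"] + 16] = comm
    return Image(bytes(data)), addrs[0]

def walk_list(img, head, off):
    """Follow list_head.next from `head`; return the containing struct addresses
    if the chain is a well-formed circular doubly-linked list, else None."""
    chain, cur = [], head
    while True:
        if not img.in_range(cur, 2 * WORD):
            return None
        nxt = img.u64(cur)
        if not img.in_range(nxt, 2 * WORD) or img.u64(nxt + WORD) != cur:
            return None                      # next->prev must point back at us
        chain.append(cur - off)
        cur = nxt
        if cur == head:
            return chain
        if len(chain) > (1 << 16):           # refuse to walk a suspiciously long list
            return None

def find_list_offsets(img, anchor, min_len=2):
    """Every word-aligned offset at which `anchor` holds a list_head whose chain closes."""
    hits = {}
    for off in range(0, STRUCT_SIZE, WORD):
        chain = walk_list(img, anchor + off, off)
        if chain is not None and len(chain) >= min_len:
            hits[off] = chain
    return hits

def find_offsets(img, tasks, size, align, accept):
    """Offsets (stepping by `align`) at which `accept` approves the field of every task."""
    hits = []
    for off in range(0, STRUCT_SIZE, align):
        if all(img.in_range(t + off, size) for t in tasks):
            if accept([img.bytes_at(t + off, size) for t in tasks]):
                hits.append(off)
    return hits

def looks_like_comms(values):
    """TASK_COMM_LEN is 16: a non-empty printable string, NUL-terminated inside the buffer."""
    def ok(b):
        end = b.find(b"\0")
        return end >= 1 and all(32 <= c < 127 for c in b[:end])
    return all(ok(v) for v in values)

def looks_like_pids(values):
    """values[0] is init_task's (pid 0); the rest are distinct, positive and below the ceiling."""
    pids = [struct.unpack("<i", v)[0] for v in values]
    return pids[0] == 0 and len(set(pids)) == len(pids) and all(0 < p < PID_MAX_LIMIT for p in pids[1:])

def deduce_layout(img, init_task):
    """Brute-force the offsets of tasks, comm and pid knowing only init_task's address."""
    lists = find_list_offsets(img, init_task)
    # task_struct holds several list_heads (children, sibling, ...); the all-tasks
    # list anchored at init_task is the longest chain (heuristic).
    tasks_off, tasks = max(lists.items(), key=lambda kv: len(kv[1]))
    return {"tasks": tasks_off, "ntasks": len(tasks),
            "list_candidates": {o: len(c) for o, c in lists.items()},
            "comm": find_offsets(img, tasks, 16, WORD, looks_like_comms),
            "pid": find_offsets(img, tasks, 4, 4, looks_like_pids)}

def demo():
    img, init_task = build_sample_image(TRUE_LAYOUT, PROCS)
    return deduce_layout(img, init_task)
```

Two caveats for a real image. The anchor address of init_task has to come from somewhere (System.map, kallsyms in the image, or a signature scan); nothing here removes that dependency. And the strides are assumptions: pointers are scanned at 8-byte steps and pid at 4-byte steps, while comm is scanned at 8-byte steps only so that suffixes of a long name ("kworker/0:1" read from its ninth byte) do not register as extra hits; a byte-granular scan would need to collapse such overlapping candidates to the lowest offset.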
Acknowledgments
This work is supported by the National Natural Science Foundation of China (Grant Nos. 61572297, and 61602281), the Shandong Provincial Natural Science Foundation of China (Grant Nos. ZR2016YL014, ZR2016YL011, ZR2014FM003, and ZY2015YL018), the Shandong Provincial Outstanding Research Award Fund for Young Scientists of China (Grant Nos. BS2015DX006, and BS2014DX007), and the Shandong Academy of Sciences Youth Fund Project, China (Grant Nos. 2015QN003).
© 2017 Springer Nature Singapore Pte Ltd.
Cite this paper
Zhang, S., Meng, X., Wang, L., Liu, G. (2017). Research on Linux Kernel Version Diversity for Precise Memory Analysis. In: Zou, B., Li, M., Wang, H., Song, X., Xie, W., Lu, Z. (eds) Data Science. ICPCSEE 2017. Communications in Computer and Information Science, vol 727. Springer, Singapore. https://doi.org/10.1007/978-981-10-6385-5_32
DOI: https://doi.org/10.1007/978-981-10-6385-5_32
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-6384-8
Online ISBN: 978-981-10-6385-5
eBook Packages: Computer Science (R0)