Automatic profile generation for live Linux Memory analysis

3Citations
Citations of this article
42Readers
Mendeley users who have this article in their library.

Abstract

Live Memory analysis on the Linux platform has traditionally been difficult to perform. Memory analysis requires precise knowledge of struct layout information in memory, usually obtained through debugging symbols generated at compile time. The Linux kernel is however, highly configurable, implying that debugging information is rarely applicable to systems other than the ones that generated it. For incident response applications, obtaining the relevant debugging information is currently a slow and manual process, limiting its usefulness in rapid triaging. We have developed a tool dubbed, the Layout Expert which is able to calculate memory layout of critical kernel structures at runtime on the target system without requiring extra tools, such as the compiler tool-chain to be pre-installed. Our approach specifically addresses the need to adapt the generated profile to customized Linux kernels - an important first step towards a general version agnostic system. Our system is completely self sufficient and allows a live analysis tool to operate automatically on the target system. The layout expert operates in two phases: First it pre-parses the kernel source code into a preprocessor AST (Pre-AST) which is trimmed and stored as a data file in the analysis tool's distribution. When running on the target system, the running system configuration is used to resolve the Pre-AST into a C-AST, and combined with a pre-calculated layout model. The result is a running system specific profile with precise struct layout information. We evaluate the effectiveness of the Layout Expert in producing profiles for analysis of two very differently configured kernels. The produced profiles can be used to analyze the live memory through the /proc/kcore device without resorting to local or remote compilers. We finally consider future applications of this technique, such as memory acquisition.

Cite

CITATION STYLE

APA

Socała, A., & Cohen, M. (2016). Automatic profile generation for live Linux Memory analysis. Digital Investigation, 16, S11–S24. https://doi.org/10.1016/j.diin.2016.01.004

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free