
To Flexibly Tame Kernel Execution With Onsite Analysis

Conference:  Black Hat USA 2022

2022-08-10

Summary

The Onsite Analysis Infrastructure (OASIS) is a framework for dynamic kernel analysis. An analysis application captures a kernel thread, controls its execution (for example by tracing it or setting breakpoints that affect only that thread) and collects data from it as if the application were running inside the kernel, without modifying the subject kernel.
  • Existing kernel analysis tools either instrument the subject kernel to report data from the inside or run it under QEMU and read data from the translated execution. Instrumentation is intrusive and is not applicable to binary-only operating systems such as Windows; the QEMU approach slows down the entire kernel execution.
  • OASIS provides analysis primitives to control a captured kernel thread's execution and collect data from it, and the kernel does not need to be modified or recompiled.
  • Applications shown in the talk include full-VM memory introspection, system call handler control flow tracing, kernel event monitoring, and kernel malware testing.

Abstract

Existing kernel analysis tools either instrument the subject kernel to report data from the inside or use QEMU to gain information from the translated execution. Instrumentation-based tools are not applicable to binary-only operating systems such as Windows, and users may have to re-compile the whole kernel for even a slight change of functionality. The QEMU-based approach takes a performance toll on the entire kernel execution. In this talk, we present the Onsite Analysis Infrastructure (OASIS), a novel framework for dynamic kernel analysis. A programmer can develop a kernel analysis application that controls a captured kernel thread's execution, for example by tracing it or setting breakpoints that affect only that thread, and collects data from it as if the application ran inside the kernel, i.e., onsite analysis. We also show a few applications benefiting from OASIS, including full-VM memory introspection, system call handler control flow tracing, kernel event monitoring, and kernel malware testing.
