Existing kernel analysis tools either instrument the subject kernel to report data from the inside or use QEMU to gain information from the translated execution. Instrumentation-based tools are not applicable to binary-only operating systems such as Windows, and users may have to re-compile the whole kernel for even a slight change of functionality. The QEMU-based approach takes a performance toll on the entire kernel execution.
In this talk, we present the Onsite Analysis Infrastructure (OASIS), a novel framework for dynamic kernel analysis. A programmer can develop her kernel analysis application to control the execution of a captured kernel thread, for example tracing it or setting breakpoints that affect only that thread, and to collect data from it as if the application ran inside the kernel, i.e., onsite analysis. We also show a few applications benefiting from OASIS, including full-VM memory introspection, system call handler control flow tracing, kernel event monitoring, and kernel malware testing.