To Flexibly Tame Kernel Execution With Onsite Analysis

Presented at Black Hat USA 2022, Aug. 10, 2022, 2:30 p.m. (30 minutes).

Existing kernel analysis tools either instrument the subject kernel to report data from the inside or use QEMU to gain information from the translated execution. Instrumentation-based tools are not applicable to binary-only operating systems such as Windows, and users may have to re-compile the whole kernel for even a slight change of functionality. The QEMU-based approach takes a performance toll on the entire kernel execution.

In this talk, we present the Onsite Analysis Infrastructure (OASIS), a novel framework for dynamic kernel analysis. A programmer can develop her kernel analysis application to control a captured kernel thread's execution (for example, tracing it or setting breakpoints that affect that thread only) and to collect data from it as if the application ran inside the kernel, i.e., onsite analysis. We also show a few applications benefiting from OASIS, including full-VM memory introspection, system call handler control flow tracing, kernel event monitoring, and kernel malware testing.

Presenters:

  • Xuhua Ding - Associate Professor, Singapore Management University
    Xuhua Ding is currently an Associate Professor of School of Computing and Information Systems at Singapore Management University. He received his Ph.D. in Computer Science from the University of Southern California in 2003. With around twenty years of research experience in cybersecurity, his work spans across system and software security, applied cryptography, and privacy-preserving techniques. His recent research interest focuses on virtualization based secure and trustworthy systems on x86 and ARM platforms.
