Paper Info
Title
Non-interactive OS fingerprinting through memory de-duplication technique in virtual machines
Abstract
OS fingerprinting tries to identify the type and version of a system based on gathered information of a target host. It is an essential step for many subsequent penetration attempts and attacks. Traditional OS fingerprinting depends on banner grabbing schemes or network traffic analysis results to identify the system. These interactive procedures can be detected by intrusion detection systems (IDS) or fooled by fake network packets. In this paper, we propose a new OS fingerprinting mechanism in virtual machine hypervisors that adopt the memory de-duplication technique. Specifically, when multiple memory pages with the same contents occupy only one physical page, their reading and writing access delay will demonstrate some special properties. We use the accumulated access delay to the memory pages that are unique to some specific OS images to derive out whether or not our VM instance and the target VM are using the same OS. The experiment results on VMware ESXi hypervisor with both Windows and Ubuntu Linux OS images show the practicability of the attack. We also discuss the mechanisms to defend against such attacks by the hypervisors and VMs.
Year
DOI
Venue
2011
10.1109/PCCC.2011.6108094
IPCCC
Keywords
Field
DocType
fingerprint identification,operating systems (computers),security of data,virtual machines,IDS,OS fingerprinting mechanism,Ubuntu Linux OS images,VM,VMware ESXi hypervisor,interactive procedures,intrusion detection systems,memory deduplication technique,memory pages,network traffic analysis,noninteractive OS fingerprinting,virtual machines
Data deduplication,Banner grabbing,Traffic analysis,Virtual machine,Computer science,Virtual memory,Network packet,Computer network,Hypervisor,Real-time computing,Intrusion detection system,Operating system
Conference
Citations 
PageRank 
References 
21
1.24
12
Authors
2
Name
Order
Citations
PageRank
Rodney Owens11105.60
Weichao Wang250033.87