Towards Automatic Inference of Kernel Object Semantics from Binary Code

This paper presents ARGOS, the first system that can automatically uncover the semantics of kernel objects directly from a kernel binary. Based on the principle of data use reveals data semantics, it starts from the execution of system calls (i.e., the user level application interface) and exported kernel APIs (i.e., the kernel module development interface), and automatically tracks how an instruction accesses the kernel object and assigns a bit-vector for each observed kernel object. This bit-vector encodes which system call accesses the object and how the object is accessed (e.g., read, write, create, destroy), from which we derive the meaning of the kernel object based on a set of rules developed according to the general understanding of OS kernels. The experimental results with Linux kernels show that ARGOS is able to recognize the semantics of kernel objects of our interest, and can even directly pinpoint the important kernel data structures such as the process descriptor and memory descriptor across different kernels. We have applied ARGOS to recognize internal kernel functions by using the kernel objects we inferred, and we demonstrate that with ARGOS we can build a more precise kernel event tracking system by hooking these internal functions.