Abstract
Dynamic kernel memory is difficult to analyze due to its volatile status; numerous kernel objects are frequently
allocated or freed in a kernel’s heap, and their data types are missing in the memory systems of current commodity
operating systems. Since the majority of kernel data is stored dynamically, this memory has been a favorite target
of many malicious software and kernel bugs. In order to analyze dynamic kernel memory, a global technique that
systematically translates a given memory address into a data type is essential.
Previous approaches had a limited focus in the analysis of either a malware’s execution or a snapshot of kernel
memory. We present here a new memory interpretation system called LiveDM that can automatically translate
dynamic kernel memory addresses into data types. This system enables the accurate memory analysis of the
entire kernel execution, ranging from malware activity to legitimate kernel code execution, over a period of time
beyond the instant of a snapshot by using these two novel techniques. (1) The system identifies an individual
dynamic kernel object with its systematically-determined runtime identifier that points to the code where the object
is allocated. (2) The data type then can be automatically extracted from the code using static code analysis offline.
We have implemented a prototype of LiveDM that supports three Linux kernels where LiveDM dynamically
tracks tens of thousands of dynamic kernel memory objects that can be accurately translated into data types in
the offline process. We have evaluated and validated its general applicability and effectiveness in extensive case
studies of kernel malware analysis and kernel debugging.
