http://dx.doi.org/10.13089/JKIISC.2022.32.1.67

Static Identification of Firmware Linux Kernel Version by using Symbol Table

Kim, Kwang-jun (Hannam University)
Cho, Yeo-jeong (Hannam University)
Kim, Yun-jeong (Hannam University)
Lee, Man-hee (Hannam University)
Abstract
When acquiring a product that runs an OS, it is very important to identify the exact kernel version of that OS, because the product's administrator must keep checking whether new vulnerabilities are found in that kernel version. Also, if the acquisition requirements exclude or require a specific kernel version, kernel identification becomes critical to the acquisition decision. In the case of the Linux kernel used in a wide range of equipment, it is sometimes difficult to pinpoint a device's exact kernel version, because many manufacturers modify the kernel to produce their own firmware optimized for their device. Furthermore, if kernel patches are applied to the modified kernel, it will differ greatly from its base kernel. Therefore, it is hard to identify the Linux kernel accurately by simple methods such as testing for the existence of a specific file. In this paper, we propose a static method to classify a specific kernel version by analyzing the function names stored in the symbol table. In an experiment with 100 Linux devices, we correctly identified the Linux kernel version with 99% accuracy.
Keywords
Firmware Kernel Version Identification; Static Analysis; Symbol Table; System.map; kallsyms
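The approach sketched in the abstract, matching a firmware kernel by the function names in its symbol table rather than by addresses or by the presence of particular files, as an added illustrative example; this is not the authors' code, and the paper's actual classifier and reference data are not on this page. The System.map excerpts, version labels and symbol names below are constructed; the similarity measure (Jaccard over function-name sets) is an assumption chosen so that vendor-added or removed functions lower the score without breaking the match.

```python
import re
from typing import Dict, Set

# Constructed System.map-style excerpts ("address type name") keyed by kernel version.
# Illustrative only: these symbol sets do not reflect real kernel releases.
REFERENCE_MAPS = {
    "4.4.0": """\
c0101000 T start_kernel
c0102000 T do_fork
c0103000 T sys_open
c0104000 t legacy_helper
c0105000 D init_task
""",
    "5.4.0": """\
c0101000 T start_kernel
c0102000 T kernel_clone
c0103000 T sys_openat
c0104000 T bpf_prog_run
c0105000 D init_task
""",
}

# System.map / kallsyms line: address, one-letter type, name (trailing module tag ignored).
SYM_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)")
FUNC_TYPES = {"T", "t", "W", "w"}  # text-section (function) symbol types

def function_names(symtab: str) -> Set[str]:
    """Collect function names only; addresses are dropped so that relocation,
    KASLR or layout differences between builds do not affect the comparison."""
    names: Set[str] = set()
    for line in symtab.splitlines():
        m = SYM_RE.match(line.strip())
        if m and m.group(2) in FUNC_TYPES:
            names.add(m.group(3))
    return names

def jaccard(a: Set[str], b: Set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def classify(symtab: str, refs: Dict[str, str] = REFERENCE_MAPS) -> Dict[str, float]:
    """Score an unknown firmware symbol table against every reference version."""
    unknown = function_names(symtab)
    return {ver: jaccard(unknown, function_names(ref)) for ver, ref in refs.items()}

def best_match(symtab: str) -> str:
    """Reference version whose function-name set is closest to the unknown table."""
    scores = classify(symtab)
    return max(scores, key=scores.get)
```

Data symbols (type D) are ignored on purpose, and a vendor-specific function such as a constructed `vendor_wifi_init` only dilutes the score, so a modified firmware still lands on its closest base version.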