Date Added: Jan 2011
Brute force scanning of kernel memory images for finding kernel data structure instances is an important function in many computer security and forensics applications. Brute force scanning requires effective, robust signatures of kernel data structures. Existing approaches often use the value invariants of certain fields as data structure signatures. However, they do not fully exploit the rich points to relations between kernel data structures. In this paper, the authors show that such points-to relations can be leveraged to generate graph-based structural invariant signatures. More specifically, they develop SigGraph, a framework that systematically generates non-isomorphic signatures for data structures in an OS kernel. Each signature is a graph rooted at a subject data structure with its edges reflecting the points-to relations with other data structures.