Bridging the Semantic Gap Through Static Code Analysis

The semantic gap is a challenge inherent in all applications of virtual machine introspection (VMI). It describes the disconnect between the low-level state that the hypervisor has access to and its semantics within the guest. A common approach to bridge this gap is to utilize the debugging symbols of an inspected operating system kernel, although it is well understood that this information does not reflect the dynamic pointer manipulations that an operating system kernel performs at runtime. In this work, we describe an analysis technique for capturing dynamic pointer manipulations and type casts in C code. Our approach analyzes the unmodified kernel source code to establish used-as relations between pointer types and to extract the arithmetic that is performed to transform a source pointer to a target address. We have implemented this technique in our VMI tool InSight for Linux to augment the type information retrieved from the debugging symbols. With this extended type information, our tool is able to cope with runtime pointer manipulations performed by the Linux kernel in a completely automated fashion and greatly eases the development of new VMI applications.