Friday, December 7, 2012

Stuff in the Q...

These come into my Google alerts sometimes, but I don't always get around to them in a timely fashion.

1.  This one was from back in Oct.  Memory-Only Operating System Fingerprinting in the Cloud

Has some interesting pieces of info in it.  On my list to get back to and actually read all the way through instead of just skimming it.

Abstract for those interested:

Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives.

2.  This one I've been sitting on since back in September, though it may have been out much longer than that.  That was when the Google alert showed up.

YAF does DHCP fingerprinting.  It appears to just use the fingerprints from PacketFence based on the writing, but it is nice to see another program out there taking up DHCP fingerprinting.

By looking at the order of the DHCP options in the DHCP requests from the Operating System's DHCP client, it may be possible to identify the client's OS version. The yaf DHCP fingerprinting plugin does exactly that. For flows that yaf has labeled as DHCP, yaf will look at the DHCP options if available in the payload captured for that flow. yaf specifically looks at Option 55. Option 55 requests a list of parameters. The order in which they are requested can usually identify the OS of the requesting IP address.
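To make the Option 55 idea concrete, here is an added example (my own code, not part of yaf or PacketFence) that walks the TLV option area of a DHCP message, pulls out the Parameter Request List, and matches its exact order against a tiny signature table. The signature entries and the packet builder are constructed for the demo; they are not real OS fingerprints, although the comma-separated list-of-option-codes key format is the same shape PacketFence-style fingerprints use.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie
OPTIONS_OFFSET = 240               # 236-byte BOOTP fixed header + 4-byte cookie

def parse_dhcp_options(payload):
    """Walk the DHCP option TLVs; return {code: first value seen}."""
    if len(payload) < OPTIONS_OFFSET or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (short payload or bad magic cookie)")
    opts, i = {}, OPTIONS_OFFSET
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END marker
            break
        if code == 0:              # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:    # option claims more bytes than are present
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, data)
        i += 2 + length
    return opts

def option55_fingerprint(payload):
    """Option 55 in request order, as a comma-separated string, or None."""
    prl = parse_dhcp_options(payload).get(55)
    return None if prl is None else ",".join(str(b) for b in prl)

# Constructed signature table: order of requested options -> label.
SIGNATURES = {
    "1,3,6,15,119": "constructed-client-A",
    "1,28,2,3,15,6": "constructed-client-B",
}

def classify(payload, signatures=SIGNATURES):
    """Return (label, fingerprint); order matters, so a shuffle is 'unknown'."""
    fp = option55_fingerprint(payload)
    if fp is None:
        return ("no-option-55", None)
    return (signatures.get(fp, "unknown"), fp)

def build_dhcp_discover(prl=None):
    """Constructed DHCPDISCOVER: BOOTREQUEST, Ethernet hwaddr, zeroed fields."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 228
    options = bytes([53, 1, 1])                        # message type DISCOVER
    if prl is not None:
        options += bytes([55, len(prl)]) + bytes(prl)  # Parameter Request List
    return header + DHCP_MAGIC + options + bytes([255])
```

Real captures carry the same byte layout, so the parser can be pointed at the UDP payload of any DHCP flow; the only part to replace is the signature table.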
