• Title/Summary/Keyword: Kernel Memory

A Virtualized Kernel for Effective Memory Test (효과적인 메모리 테스트를 위한 가상화 저널)

  • Park, Hee-Kwon;Youn, Dea-Seok;Choi, Jong-Moo
    • Journal of KIISE:Computer Systems and Theory / v.34 no.12 / pp.618-629 / 2007
  • In this paper, we propose an effective memory test environment, called a virtualized kernel, for 64-bit multi-core computing environments. Effectiveness here means that we can test all of the physical memory space, even the memory space occupied by the kernel itself, without rebooting. To obtain this capability, our virtualized kernel provides four mechanisms. The first is direct access to physical memory in both kernel and user mode, which allows applying various test patterns to any place in physical memory. The second is virtualizing the kernel so that we can run two or more kernel images at different locations in physical memory. The third is isolating the memory space used by different instances of the virtualized kernel. The final one is kernel hibernation, which enables context switching between kernels. We have implemented the proposed virtualized kernel by modifying the latest Linux kernel 2.6.18 running on an Intel Xeon system that has two 64-bit dual-core CPUs with hyper-threading technology and 2GB of main memory. Experimental results have shown that the two instances of the virtualized kernel run at different locations in physical memory and that kernel hibernation works well as we designed. As a result, every place in physical memory can be tested without rebooting.

The Analysis of Memory Map for Improving the Execution Speed of Embedded Linux Kernel (임베디드 리눅스 커널의 실행속도 향상을 위한 메모리 맵 분석)

  • Lee, Doo-Wan;Jang, Kyung-Sik
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2009.05a / pp.801-804 / 2009
  • In this paper, the Linux kernel memory map was analyzed as an approach to improving performance for embedded Linux systems. Since the Linux kernel memory map supporting a stability and various H/W platforms and in which it becomes to the general purpose system with optimization manages the role of being important in the booting time and the efficient system utilization of resources, the analysis of the kernel memory map is required for the performance improvement of the embedded Linux system, in which resources are restricted. According to the analysis result, and of the Linux kernel memory, the booting speed of and improvement of the memory efficiency were confirmed. It is therefore considered that the proposed in this paper and kernel memory allocation method are suitable to the memory availability improvement of the embedded Linux system.

A study on Memory Analysis Bypass Technique and Kernel Tampering Detection (메모리 분석 우회 기법과 커널 변조 탐지 연구)

  • Lee, Haneol;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.4 / pp.661-674 / 2021
  • Malware, such as a rootkit that modifies the kernel, can adversely affect the analyst's judgment, making the analysis difficult or impossible if a mechanism to evade memory analysis is added. Therefore, we plan to preemptively respond to malware such as rootkits that bypass detection through advanced kernel modulation in the future. To this end, the main structure used in the Windows kernel was analyzed from the attacker's point of view, and a method capable of modulating the kernel object was applied to modulate the memory dump file. It is confirmed through experimentation that the result of the tampering cannot be detected by memory analysis tools widely used worldwide. Then, from the analyst's point of view, using the concept of tamper resistance, it is made in the form of software that can detect tampering and shows that it is possible to detect areas that are not detected by existing memory analysis tools. Through this study, it is judged that it is meaningful in that it preemptively attempted to modulate the kernel area and derived insights to enable precise analysis. However, there is a limitation in that the necessary detection rules need to be manually created in the software implementation for precise analysis.

High Speed Kernel Data Collection method for Analysis of Memory Workload (메모리 워크로드 분석을 위한 고속 커널 데이터 수집 기법)

  • Yoon, Jun Young;Jung, Seung Wan;Park, Jong Woo;Kim, Jung-Joon;Seo, Dae-Wha
    • KIPS Transactions on Computer and Communication Systems / v.2 no.11 / pp.461-470 / 2013
  • This paper proposes a high-speed kernel data collection method for analysis of memory workload, using a technique of direct access to a process's memory management structure. Conventional analysis tools have a slower data collection speed and lack scalability because they collect only formalized memory information. The proposed method collects kernel data much faster than the conventional methods by directly collecting the process's memory information, page table, and page structure in the memory management structure, and it can collect the data the user wants. We collect memory management data of the running process and analyze its memory workload.

An Efficient Network System Call Interface supporting minimum memory copy (메모리 복사를 최소화화는 효율적인 네트워크 시스템 호출 인터패이스)

  • 송창용;김은기
    • The Journal of Korean Institute of Communications and Information Sciences / v.29 no.4B / pp.397-402 / 2004
  • In this paper, we have designed and simulated a new file transmission method. This method restricts the memory copying and context switching that happen in traditional file transmission. This method shows improved performance over the traditional method in a network environment. When a UNIX/LINUX system that uses the existing file transfer technique transmits a packet to a remote system, a memory copy between the user and kernel space occurs over twice at least. Memory copies between the user and kernel space increase the file transmission time and the number of context switches. As a result, the existing file transfer technique has the problem of deteriorating the performance of file transmission. We propose a new algorithm for solving these problems. It doesn't perform memory copy between the user and kernel space. Hence, the number of memory copies and context switches is limited to the minimum. We have modified the network-related source code of LINUX kernel 2.6.0 to analyze the performance of the proposed algorithm and implemented new network system calls.

Enhancing Kernel Module Security Using WebAssembly (웹어셈블리를 활용한 커널 모듈 보안성 강화)

  • Hajeong Lim;Hojoon Lee
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.2 / pp.337-344 / 2023
  • Modern OSs, including Linux, show high scalability by adopting a monolithic kernel design, but have weak security because they share all memory space. This study presents kernel modules that are isolated inside the kernel using WebAssembly. WebAssembly provides a high-performance virtual machine by defining a low-level instruction set while guaranteeing memory safety. In this paper, the WebAssembly execution environment is implemented inside the kernel, allowing developers to control the operation of kernel modules and achieving higher security.

Separation of Kernel Space and User Space in Zephyr Kernel (Zephyr 커널에서 커널 공간과 사용자 공간의 분리 구현)

  • Kim, Eunyoung;Shin, Dongha
    • IEMEK Journal of Embedded Systems and Applications / v.13 no.4 / pp.187-194 / 2018
  • The operating system for IoT should have a small memory footprint and provide low power state, real-time, multitasking, various network protocols, and security. Although the Zephyr kernel, an operating system for IoT released by the Linux Foundation in February 2016, has these features, errors generated by the user code can cause fatal problems in the system because the Zephyr kernel adopts a single-space method in which both the user code and kernel code execute in the same space. In this research, we propose a space separation method, which separates kernel space and user space, to solve this problem. The space separation that we propose consists of three modifications to the Zephyr kernel. The first is the code separation, in which kernel code and user code each execute in their own space while using different stacks. The second is the kernel space protection, which generates an exception by using the MPU (Memory Protection Unit) when the user code accesses the kernel space. The third is the SVC-based system call, which executes the system call using the SVC instruction that generates the exception. In this research, we implemented the space separation in Zephyr v1.8.0 and evaluated safety through abnormal execution of the user code. As a result, the kernel was not crashed by the errors generated by the user code and executed normally.

A kernel memory collecting method for efficient disk encryption key search (디스크 암호화 키의 효율적인 탐색을 위한 커널 메모리 수집 방법)

  • Kang, Youngbok;Hwang, Hyunuk;Kim, Kibom;Lee, Kyoungho;Kim, Minsu;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.5 / pp.931-938 / 2013
  • It is hard to extract original data from encrypted data before getting the password in encrypted data with disk encryption software. The encryption key of disk encryption software can be extracted by using physical memory analysis. The time to search for the encryption key in physical memory increases with the size of memory because the search covers the whole memory. But physical memory data includes a lot of data that is unrelated to encryption keys, like system kernel objects and file data. Therefore, a method is needed that extracts valid data for searching keys by analysis. We provide a method that collects only the memory parts where disk encryption keys are saved in physical memory by analyzing the Windows kernel virtual address space. We demonstrate superiority because the suggested method experimentally reduces the encryption key search space more than the existing method.

Research on Mac OS X Physical Memory Analysis (Mac OS X 물리 메모리 분석에 관한 연구)

  • Lee, Kyeong-Sik;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.4 / pp.89-100 / 2011
  • Physical memory analysis has been an issue in the field of live forensic analysis in digital forensics until now. It is very useful for making the result of analysis more reliable, because records of user behavior and data can be found in physical memory even when a process is hidden. But most memory analysis focuses on Windows-based systems. Because the diversity of target systems to be analyzed is rising, it is very important to analyze physical memory on OSes other than Windows. Mac OS X, which has the second-largest market share among operating systems, operates by loading a kernel image into a physical memory area. In this paper, we propose a methodology for physical memory analysis on Mac OS X using symbol information in the kernel image, and acquire process information, mounted device information, kernel information, kernel extensions (e.g. KEXT) and system call entries for detecting system call hooking. In addition to the methodology, we prove that physical memory analysis is very useful through experimental study.

OSEK OS Kernel Mechanisms for Reducing Dynamic Memory Usage (동적 메모리 사용 감소를 위한 OSEK OS 커널 구현 메커니즘)

  • Lim, Jin-Tack;Keum, Han-Hong;Park, Ji-Yong;Hong, Seong-Soo
    • Transactions of the Korean Society of Automotive Engineers / v.17 no.3 / pp.127-141 / 2009
  • While the ever-increasing complexity of automotive software systems can be effectively managed through the adoption of a reliable real-time operating system (RTOS), it may incur additional resource usage to a resultant system. Due to the mass production nature of the automotive industry, reducing physical resources used by automotive software is of the utmost importance for cost reduction. OSEK OS is an automotive real-time kernel standard specifically defined to address this issue. Thus, it is very important to develop and exploit kernel mechanisms such that they can achieve minimal resource usage in the OSEK OS implementation. In this paper, we analyze the task subsystem, resource subsystem, application mode and conformance classes of OSEK OS as well as the OSEK Implementation Language (OIL). Based on our analysis, we in turn devise and implement kernel mechanisms to minimize the dynamic memory usage of the OSEK OS implementation. Finally, we show that our mechanisms effectively reduce the memory usage of OSEK OS and applications.