Operating System Level Trace Analysis for Automated Problem Identification

Performance bottlenecks, malicious activities, programming bugs and other kinds of problematic behavior could be accurately detected on production systems if the relevant events were monitored. This can be achieved through kernel-level tracing: every time a relevant event occurs, the information is either analyzed immediately or saved to a trace file for post-mortem analysis. Collecting the information in the kernel has a very low impact, and the offline analysis is typically performed remotely, with no overhead on the traced system whatsoever. This article presents an automata-based approach for analyzing traces generated by the kernel of an operating system. Some typical patterns of problematic behavior are identified and described using the State Machine Language. These patterns are fed into an offline analyzer which efficiently and simultaneously checks for their occurrences, even in traces of several gigabytes. The analyzer's running time is linear in the trace size; the remaining factors that affect its performance are also discussed. The main interest of the proposed approach is the efficiency obtained in monitoring such extensive and detailed execution traces for a very large number of simultaneous possible patterns of problematic behavior.
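To make the abstract's idea concrete, here is an added example (written for this page, not the paper's code or its State Machine Language) of a single-pass, automata-based analyzer that checks two patterns at once over a constructed syscall-level trace: a programming bug (a process reading a file descriptor it has already closed, unless the descriptor number was handed out again) and a performance problem (an `open()` call that blocks longer than a threshold). The pattern representation, the event and field names (`syscall_entry_open`, `ret`, `fd`, `ts`), the threshold and the trace records are all assumptions made for the illustration; the trace is constructed, not captured from a kernel.

```python
"""Single-pass automata-style trace analyzer (added illustration, not the paper's code).
Pattern format, event names and field names are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
DEAD = "dead"            # reserved state: the match is abandoned without a finding
THRESHOLD_US = 10_000    # assumed latency threshold for the "slow open" pattern (10 ms)


@dataclass
class Transition:
    src: str
    dst: str
    guard: Callable[[Event, dict], bool]                      # event + bound variables -> match?
    bind: Callable[[Event, dict], None] = lambda e, v: None   # records event fields in the instance


@dataclass
class Pattern:
    name: str
    initial: str
    accepting: str                  # reaching this state reports a finding
    transitions: List[Transition]


@dataclass
class Instance:
    pattern: Pattern
    state: str
    vars: dict = field(default_factory=dict)


def analyze(trace: List[Event], patterns: List[Pattern]) -> List[Tuple[str, dict]]:
    """One forward pass over the trace: each event may advance every live instance
    and may spawn a fresh instance of each pattern. Work is O(events * live instances),
    so the number of simultaneously live matches is the factor beyond trace size."""
    findings, active = [], []
    for ev in trace:
        survivors = []
        for inst in active:
            for t in inst.pattern.transitions:
                if t.src == inst.state and t.guard(ev, inst.vars):
                    t.bind(ev, inst.vars)
                    inst.state = t.dst
                    break                                   # first matching transition wins
            if inst.state == inst.pattern.accepting:
                findings.append((inst.pattern.name, dict(inst.vars)))
            elif inst.state != DEAD:
                survivors.append(inst)
        active = survivors
        for p in patterns:                                  # spawn new matches from the initial state
            for t in p.transitions:
                if t.src == p.initial and t.guard(ev, {}):
                    inst = Instance(p, t.dst)
                    t.bind(ev, inst.vars)
                    active.append(inst)
                    break
    return findings


def same_proc(e: Event, v: dict) -> bool:
    return e["pid"] == v["pid"]


USE_AFTER_CLOSE = Pattern("fd-use-after-close", "start", "bug", [
    Transition("start", "closing", lambda e, v: e["name"] == "syscall_entry_close",
               lambda e, v: v.update(pid=e["pid"], fd=e["fd"])),
    Transition("closing", "closed", lambda e, v: e["name"] == "syscall_exit_close"
               and same_proc(e, v) and e["ret"] == 0),
    Transition("closing", DEAD, lambda e, v: e["name"] == "syscall_exit_close" and same_proc(e, v)),
    # descriptor number reissued by open()/socket(): later uses are legitimate
    Transition("closed", DEAD, lambda e, v: e["name"] in ("syscall_exit_open", "syscall_exit_socket")
               and same_proc(e, v) and e["ret"] == v["fd"]),
    Transition("closed", "bug", lambda e, v: e["name"] in ("syscall_entry_read", "syscall_entry_write")
               and same_proc(e, v) and e["fd"] == v["fd"],
               lambda e, v: v.update(use_ts=e["ts"])),
])

SLOW_OPEN = Pattern("slow-open", "start", "slow", [
    Transition("start", "entered", lambda e, v: e["name"] == "syscall_entry_open",
               lambda e, v: v.update(pid=e["pid"], path=e["path"], t0=e["ts"])),
    Transition("entered", "slow", lambda e, v: e["name"] == "syscall_exit_open"
               and same_proc(e, v) and e["ts"] - v["t0"] > THRESHOLD_US,
               lambda e, v: v.update(latency_us=e["ts"] - v["t0"])),
    Transition("entered", DEAD, lambda e, v: e["name"] == "syscall_exit_open" and same_proc(e, v)),
])

TRACE: List[Event] = [   # constructed records, timestamps in microseconds
    dict(ts=100, pid=42, name="syscall_entry_open", path="/etc/hosts"),
    dict(ts=150, pid=42, name="syscall_exit_open", ret=3),
    dict(ts=200, pid=42, name="syscall_entry_read", fd=3),
    dict(ts=210, pid=42, name="syscall_exit_read", ret=10),
    dict(ts=300, pid=42, name="syscall_entry_close", fd=3),
    dict(ts=305, pid=42, name="syscall_exit_close", ret=0),
    dict(ts=400, pid=42, name="syscall_entry_read", fd=3),      # bug: fd 3 was closed
    dict(ts=405, pid=42, name="syscall_exit_read", ret=-9),     # EBADF
    dict(ts=500, pid=7, name="syscall_entry_open", path="/mnt/nfs/db"),
    dict(ts=520500, pid=7, name="syscall_exit_open", ret=4),    # 520 ms inside open()
    dict(ts=520600, pid=7, name="syscall_entry_close", fd=4),
    dict(ts=520610, pid=7, name="syscall_exit_close", ret=0),
    dict(ts=520700, pid=7, name="syscall_entry_open", path="/tmp/scratch"),
    dict(ts=520750, pid=7, name="syscall_exit_open", ret=4),    # fd 4 reissued: no bug
    dict(ts=520800, pid=7, name="syscall_entry_read", fd=4),
]


def run() -> List[Tuple[str, dict]]:
    return analyze(TRACE, [USE_AFTER_CLOSE, SLOW_OPEN])


if __name__ == "__main__":
    for name, info in run():
        print(name, info)
```

The `DEAD` transitions are what keep the live-instance set small: without the "descriptor reissued" and "open returned quickly" exits, every close and every open would leave a match open for the rest of the trace, and the per-event cost would grow with the trace instead of staying bounded. An unmatched `syscall_entry_open` (a process that never returns from the call before the trace ends) is the remaining case that stays live to the end.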
