Title: Extracting the system call identifier from within VFS: a kernel stack parsing-based approach

Authors: Suvrojit Das; Debayan Chatterjee; D. Ghosh; Narayan C. Debnath

Addresses: Department of Computer Applications, National Institute of Technology, Durgapur-713209, India ' Department of Computer Applications, National Institute of Technology, Durgapur-713209, India ' Department of Computer Science and Engineering, National Institute of Technology, Durgapur-713209, India ' Winona State University, Watkins Hall, Room: 108 E, Winona, MN 55987, USA

Abstract: System call information has been one of the most important candidates for intrusion detection and forensic analysis research during the last several years. This paper focuses on extraction of system call information in terms of system call identifier from within the VFS layer of the Linux kernel. Treating the kernel as a trusted computing base, issues of accurate, authentic extraction of file timestamp metadata has been addressed in Das et al. (2012). In this research, we propose a method to extract the system call identifier from the kernel stack with an intention to strengthen the file timestamp metadata log with the system call identifier of the system call 'for which' the file timestamp metadata log is taken. This ensures a tight coupling based correlation between file timestamp extraction and identification of the event responsible for such an access, from within the kernel.

Keywords: system call identifier; intrusion detection; intrusion prevention; IDPS; modification; file timestamp metadata; system forensics; virtual file system; VFS; kernel function; kernel stack parsing; forensic analysis; Linux kernel; trusted computing; computer security.

DOI: 10.1504/IJICS.2014.059786

International Journal of Information and Computer Security, 2014 Vol.6 No.1, pp.12 - 50

Received: 23 Feb 2013
Accepted: 31 Jul 2013

Published online: 10 Mar 2014 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article