Image-based kernel fingerprinting

In contrast, our work builds robust signatures based solely on the content of the kernel images on disk, and is able to efficiently distinguish among incremental kernel version updates. The approach is entirely content-driven and requires no low-level analysis of the operation of the kernel. It utilizes an approximate matching tool-sdhash-to extract kernel fingerprints, and can be applied across different architectures without the need to parse and interpret the RAM snapshot. In addition, our evaluation data which contains hundreds of kernels, provides insights into the typical levels of content similarity across related kernels.