ABSTRACT
Current system loggers have two problems: they depend on the integrity of the operating system being logged, and they do not save sufficient information to replay and analyze attacks that include any non-deterministic events. ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine. This allows ReVirt to replay the system's execution before, during, and after an intruder compromises the system, even if the intruder replaces the target operating system. ReVirt logs enough information to replay a long-term execution of the virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions. ReVirt adds reasonable time and space overhead. Overheads due to virtualization are imperceptible for interactive use and CPU-bound workloads, and 13--58% for kernel-intensive workloads. Logging adds 0--8% overhead, and logging traffic for our workloads can be stored on a single disk for several months.
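To make the abstract's central claim concrete, the following toy record/replay is added here as an illustration; it is not code from the ReVirt paper or its implementation. It assumes a constructed one-register machine whose only non-determinism is when an asynchronous interrupt arrives (measured in retired instructions, a stand-in for the counters a real system would use) and what payload it carries; logging those two facts per interrupt is enough to reproduce a run exactly.

```python
# Constructed record/replay toy, not ReVirt's code. Assumption: the only
# non-determinism is when an asynchronous interrupt arrives (measured in
# retired instructions) and which payload it carries.
import random
MASK = 0xFFFFFFFF
PROGRAM = [("add", 1), ("mul", 3), ("xor", 0x5A), ("add", 7), ("mul", 5)]
OPS = {"add": lambda a, x: (a + x) & MASK, "mul": lambda a, x: (a * x) & MASK,
       "xor": lambda a, x: a ^ x}

class ToyVM:
    """One-register machine; its state is fully determined by its inputs."""
    def __init__(self):
        self.acc = 1
        self.icount = 0  # instructions retired: the replay timeline

    def step(self):
        op, arg = PROGRAM[self.icount % len(PROGRAM)]
        self.acc = OPS[op](self.acc, arg)
        self.icount += 1

    def deliver_interrupt(self, data):
        """Handler for an external event: mix the payload into machine state."""
        rotated = ((self.acc << 3) | (self.acc >> 29)) & MASK
        self.acc = rotated ^ data

def record(steps, rng):
    """Live run: log (icount, payload) for each unpredictable interrupt."""
    vm, log = ToyVM(), []
    for _ in range(steps):
        if rng.random() < 0.2:  # the non-deterministic part of the run
            data = rng.getrandbits(16)
            log.append((vm.icount, data))
            vm.deliver_interrupt(data)
        vm.step()
    return log, vm.acc

def replay(steps, log):
    """Re-run from the same start, injecting each interrupt at its logged icount."""
    vm, i = ToyVM(), 0
    for _ in range(steps):
        while i < len(log) and log[i][0] == vm.icount:
            vm.deliver_interrupt(log[i][1])
            i += 1
        vm.step()
    return vm.acc

def roundtrip_matches(seed=2002, steps=500):
    """Record a run with the given seed, then check that replay reproduces it."""
    log, final = record(steps, random.Random(seed))
    return replay(steps, log) == final
```

Replaying the same payload at a different instruction count (compare `replay(3, [(0, 5)])` with `replay(3, [(1, 5)])`) yields a different final state, which is why a replay log must record when each non-deterministic event happened and not only what it was.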