ABSTRACT
Most systems contain software with yet-to-be-discovered security vulnerabilities. When a vulnerability is disclosed, administrators face the grim reality that they have been running software which was open to attack. Sites that value availability may be forced to continue running this vulnerable software until the accompanying patch has been tested. Our goal is to improve security by detecting intrusions that occurred before the vulnerability was disclosed and by detecting and responding to intrusions that are attempted after the vulnerability is disclosed. We detect when a vulnerability is triggered by executing vulnerability-specific predicates as the system runs or replays. This paper describes the design, implementation and evaluation of a system that supports the construction and execution of these vulnerability-specific predicates. Our system, called IntroVirt, uses virtual-machine introspection to monitor the execution of application and operating system software. IntroVirt executes predicates over past execution periods by combining virtual-machine introspection with virtual-machine replay. IntroVirt eases the construction of powerful predicates by allowing predicates to run existing target code in the context of the target system, and it uses checkpoints so that predicates can execute target code without perturbing the state of the target system. IntroVirt allows predicates to refresh themselves automatically so they work in the presence of preemptions. We show that vulnerability-specific predicates can be written easily for a wide variety of real vulnerabilities, can detect and respond to intrusions over both the past and present time intervals, and add little overhead for most vulnerabilities.
INDEX TERMS
Primary Classification: D. Software; D.4 OPERATING SYSTEMS; D.4.6 Security and Protection
Subjects: Invasive software (e.g., viruses, worms, Trojan horses)
Additional Classification: K. Computing Milieux; K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS; K.6.5 Security and Protection (D.4.6, K.4.2)
Subjects: Invasive software (e.g., viruses, worms, Trojan horses); Unauthorized access (e.g., hacking, phreaking)
General Terms: Management, Security
Keywords: IntroVirt, intrusion detection, semantic gap, virtual-machine introspection, virtual-machine replay, vulnerability-specific predicates