ABSTRACT
Recovery from intrusions is typically a very time-consuming operation in current systems. At a time when the cost of human resources dominates the cost of computing resources, we argue that next generation systems should be built with automated intrusion recovery as a primary goal. In this paper, we describe the design of Taser, a system that helps in selectively recovering legitimate file-system data after an attack or local damage occurs. Taser reverts tainted, i.e. attack-dependent, file-system operations but preserves legitimate operations. This process is difficult for two reasons. First, the set of tainted operations is not known precisely. Second, the recovery process can cause conflicts when legitimate operations depend on tainted operations. Taser provides several analysis policies that aid in determining the set of tainted operations. To handle conflicts, Taser uses automated resolution policies that isolate the tainted operations. Our evaluation shows that Taser is effective in recovering from a wide range of intrusions as well as damage caused by system management errors.
CITED BY 7
Xiaoqi Jia, Shengzhi Zhang, Jiwu Jing, and Peng Liu. Using virtual machines to do cross-layer damage assessment. In Proceedings of the 1st ACM Workshop on Virtual Machine Security, Alexandria, Virginia, USA, October 2008.
Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, October 2007.
Yih Huang, Angelos Stavrou, Anup K. Ghosh, and Sushil Jajodia. Efficiently tracking application interactions using lightweight virtualization. In Proceedings of the 1st ACM Workshop on Virtual Machine Security, Alexandria, Virginia, USA, October 2008.
INDEX TERMS
Primary Classification: E. Data; E.5 FILES
Additional Classification: D. Software; D.4 OPERATING SYSTEMS; D.4.5 Reliability (Subjects: Backup procedures; Fault-tolerance); D.4.6 Security and Protection (Subjects: Invasive software (e.g., viruses, worms, Trojan horses); Information flow controls); K. Computing Milieux; K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS; K.6.5 Security and Protection (D.4.6, K.4.2) (Subjects: Unauthorized access (e.g., hacking, phreaking))
General Terms: Management, Reliability, Security
Keywords: file systems, intrusion analysis, intrusion recovery, snapshots