ExecRecorder

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback
Take a look at the new version of this page: [ beta version ]. Tell us what you think.

ExecRecorder: VM-based full-system replay for attack analysis and system recovery

Full text

Pdf (431 KB)

Source

Architectural Support for Programming Languages and Operating Systems archive
Proceedings of the 1st workshop on Architectural and system support for improving software dependability table of contents

San Jose, California

Pages: 66 - 71

Year of Publication: 2006

ISBN:1-59593-576-2

Authors

Daniela A. S. de Oliveira	University of California at Davis, Santa Barbara
Jedidiah R. Crandall	University of California at Davis, Santa Barbara
Gary Wassermann	University of California at Davis, Santa Barbara
S. Felix Wu	University of California at Davis, Santa Barbara
Zhendong Su	University of California at Davis, Santa Barbara
Frederic T. Chong	University of California at Davis, Santa Barbara

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 16, Downloads (12 Months): 58, Citation Count: 3

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1181309.1181320 What is a DOI?

ABSTRACT

Log-based recovery and replay systems are important for system reliability, debugging and postmortem analysis/recovery of malware attacks. These systems must incur low space and performance overhead, provide full-system replay capabilities, and be resilient against attacks. Previous approaches fail to meet these requirements: they replay only a single process, or require changes in the host and guest OS, or do not have a fully-implemented replay component. This paper studies full-system replay for uniprocessors by logging and replaying architectural events. To limit the amount of logged information, we identify architectural nondeterministic events, and encode them compactly. Here we present ExecRecorder, a full-system, VM-based, log and replay framework for post-attack analysis and recovery. ExecRecorder can replay the execution of an entire system by checkpointing the system state and logging architectural nondeterministic events, and imposes low performance overhead (less than 4% on average). In our evaluation its log files grow at about 5.4 GB/hour (arithmetic mean). Thus it is practical to log on the order of hours or days between checkpoints. It can also be integrated naturally with an IDS and a post-attack analysis tool for intrusion analysis and recovery.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	http://x82.inetcop.org/h0me/papers/free-ur-mind.pdf.
	2	Lorenzo Alvisi, Understanding the message logging paradigm for masking process crashes, Cornell University, Ithaca, NY, 1996
	3	Lorenzo Alvisi , Keith Marzullo, Message Logging: Pessimistic, Optimistic, Causal, and Optimal, IEEE Transactions on Software Engineering, v.24 n.2, p.149-159, February 1998 [doi>10.1109/32.666828]
	4	Web benchmark. http://www.serverwatch.com/news/article.php/10824_1133391_2.
	5	Thomas C. Bressoud , Fred B. Schneider, Hypervisor-based fault tolerance, ACM Transactions on Computer Systems (TOCS), v.14 n.1, p.80-107, Feb. 1996 [doi>10.1145/225535.225538]
	6	Peter M. Chen , Brian D. Noble, When Virtual Is Better Than Real, Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p.133, May 20-22, 2001
	7	Jong-Deok Choi , Harini Srinivasan, Deterministic replay of Java multithreaded applications, Proceedings of the SIGMETRICS symposium on Parallel and distributed tools, p.48-59, August 03-04, 1998, Welches, Oregon, United States [doi>10.1145/281035.281041]
	8	Jedidiah R. Crandall , Frederic T. Chong, Minos: Control Data Attack Prevention Orthogonal to Memory Model, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.221-232, December 04-08, 2004, Portland, Oregon [doi>10.1109/MICRO.2004.26]
	9	Jedidiah R. Crandall , Zhendong Su , S. Felix Wu , Frederic T. Chong, On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102152]
	10	George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, ACM SIGOPS Operating Systems Review, v.36 n.SI, Winter 2002 [doi>10.1145/844128.844148]
	11	E. N. Elnozahy, L. Alvisi, Y.-M. Wang, and D. B. Johnson. A Survey of Rollback-Recovery Protocols in Message-Passing Systems. University of Michigan Technical Report CSE-TR-410, 34(3):375--408, September 2002.
	12	T. Garfinkel and M. Rosenblum. When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. HotOS, June 2005.
	13	Satish Narayanasamy , Gilles Pokam , Brad Calder, BugNet: Continuously Recording Program Execution for Deterministic Replay Debugging, Proceedings of the 32nd Annual International Symposium on Computer Architecture, p.284-295, June 04-08, 2005
	14	Intel. IA-32 Intel Architecture Software Developer's Manual. Volumes 1, 2 and 3.
	15	Ashlesha Joshi , Samuel T. King , George W. Dunlap , Peter M. Chen, Detecting past and present intrusions through vulnerability-specific predicates, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	16	S. T. King, G. W. Dunlap, and P. M. Chen. Operating System Support for Virtual Machines. In USENIX, 2003.
	17	T. J. LeBlanc , J. M. Mellor-Crummey, Debugging parallel programs with instant replay, IEEE Transactions on Computers, v.36 n.4, p.471-482, April 1987 [doi>10.1109/TC.1987.1676929]
	18	R. Love. Linux Kernel Development. 2005.
	19	D. E. Lowell and P. M. Chen. Discount Checking: Transparent, Low-Overhead Recovery for General Applications. University of Michigan Technical Report CSE-TR-410-99, 1998.
	20	Milos Prvulovic , Josep Torrellas, ReEnact: using thread-level speculation mechanisms to debug data races in multithreaded codes, Proceedings of the 30th annual international symposium on Computer architecture, June 09-11, 2003, San Diego, California
	21	Feng Qin , Joseph Tucek , Jagadeesan Sundaresan , Yuanyuan Zhou, Rx: treating bugs as allergies---a safe method to survive software failures, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	22	Mendel Rosenblum , Tal Garfinkel, Virtual Machine Monitors: Current Technology and Future Trends, Computer, v.38 n.5, p.39-47, May 2005 [doi>10.1109/MC.2005.176]
	23	J. H. Slye , E. N. Elnozahy, Supporting nondeterministic execution in fault-tolerant systems, Proceedings of the The Twenty-Sixth Annual International Symposium on Fault-Tolerant Computing (FTCS '96), p.250, June 25-27, 1996
	24	J. Hamilton Slye , E. N. Elnozahy, Support for Software Interrupts in Log-Based Rollback-Recovery, IEEE Transactions on Computers, v.47 n.10, p.1113-1123, October 1998 [doi>10.1109/12.729794]
	25	J. E. Smith and R. Nair. Virtual Machines - Versatile Platforms for Systems and Processes. Morgan Kaufmann, 2005.
	26	Microsoft SQLIO. http://www.microsoft.com/downloads/.
	27	S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: A Lightweight Extension for Rollback and Deterministic Replay for Software Debugging. USENIX, June 2004.
	28	UnixBench. http://www.tux.org/pub/tux/benchmarks/System/unixbench/.
	29	Andrew Whitaker , Richard S. Cox , Marianne Shaw , Steven D. Gribble, Rethinking the Design of Virtual Machine Monitors, Computer, v.38 n.5, p.57-62, May 2005 [doi>10.1109/MC.2005.169]
	30	Min Xu , Rastislav Bodik , Mark D. Hill, A "flight data recorder" for enabling full-system multiprocessor deterministic replay, Proceedings of the 30th annual international symposium on Computer architecture, June 09-11, 2003, San Diego, California
	31	bochs: the Open Source IA-32 Emulation Project (Home Page). http://bochs.sourceforge.net.

CITED BY 3

	Khalid Elbadawi , Ehab Al-Shaer, TimeVM: a framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
	Haikun Liu , Hai Jin , Xiaofei Liao , Liting Hu , Chen Yu, Live migration of virtual machine based on full system trace and replay, Proceedings of the 18th ACM international symposium on High performance distributed computing, June 11-13, 2009, Garching, Germany
	Shay Artzi , Sunghun Kim , Michael D. Ernst, ReCrashJ: a tool for capturing and reproducing program crashes in deployed applications, Proceedings of the the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, August 24-28, 2009, Amsterdam, The Netherlands