ReVirt

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

ReVirt: enabling intrusion analysis through virtual-machine logging and replay

Full text

Pdf (1.56 MB)

Source

ACM SIGOPS Operating Systems Review archive
Volume 36 , Issue SI (Winter 2002) table of contents
OSDI '02: Proceedings of the 5th symposium on Operating systems design and implementation

SPECIAL ISSUE: Virtual machines table of contents

Pages: 211 - 224

Year of Publication: 2002

ISSN:0163-5980

Authors

George W. Dunlap	University of Michigan
Samuel T. King	University of Michigan
Sukru Cinar	University of Michigan
Murtaza A. Basrai	University of Michigan
Peter M. Chen	University of Michigan

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 19, Downloads (12 Months): 169, Citation Count: 16

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/844128.844148 What is a DOI?

ABSTRACT

Current system loggers have two problems: they depend on the integrity of the operating system being logged, and they do not save sufficient information to replay and analyze attacks that include any non-deterministic events. ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine. This allows ReVirt to replay the system's execution before, during, and after an intruder compromises the system, even if the intruder replaces the target operating system. ReVirt logs enough information to replay a long-term execution of the virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions. ReVirt adds reasonable time and space overhead. Overheads due to virtualization are imperceptible for interactive use and CPU-bound workloads, and 13--58% for kernel-intensive workloads. Logging adds 0--8% overhead, and logging traffic for our workloads can be stored on a single disk for several months.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	{Anderson80} James P. Anderson. Computer Security Threat Monitoring and Surveillance. Technical report, James P. Anderson Co., April 1980. Contract 79F296400.
	2	Ken Ashcraft , Dawson Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.143, May 12-15, 2002
	3	J. Bellino , Cl. Hans, Virtual machine or virtual operating system?, Proceedings of the workshop on virtual computer systems, p.20-29, March 26-27, 1973, Cambridge, Massachusetts, United States [doi>10.1145/800122.803946]
	4	{Bishop96} Matt Bishop and Michael Dilger. Checking for Race Conditions on File Accesses. USENIX Computing Systems, 9(2): 131--152, 1996.
	5	Thomas C. Bressoud , Fred B. Schneider, Hypervisor-based fault tolerance, ACM Transactions on Computer Systems (TOCS), v.14 n.1, p.80-107, Feb. 1996 [doi>10.1145/225535.225538]
	6	Kerstin Buchacker , Volkmar Sieh, Framework for Testing the Fault-Tolerance of Systems Including OS and Network Aspects, The 6th IEEE International Symposium on High-Assurance Systems Engineering: Special Topic: Impact of Networking, p.95-105, October 24-26, 2001
	7	{CER01a} CERT/CC Security Improvement Modules: Analyze all available information to characterize an intrusion. Technical report, CERT Coordination Center, May 2001.
	8	{CER01b} Linux kernel contains race condition via ptrace/procfs/execve. Technical Report Vulnerability Note VU#176888, CERT Coordination Center, March 2001.
	9	{CER02} CERT/CC Overview Incident and Vulnerability Trends. Technical report, CERT Coordination Center, April 2002.
	10	Peter M. Chen , Brian D. Noble, When Virtual Is Better Than Real, Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p.133, May 20-22, 2001
	11	{Dike00} Jeff Dike. A user-mode port of the Linux kernel. In Proceedings of the 2000 Linux Showcase and Conference, October 2000.
	12	E. N. (Mootaz) Elnozahy , Lorenzo Alvisi , Yi-Min Wang , David B. Johnson, A survey of rollback-recovery protocols in message-passing systems, ACM Computing Surveys (CSUR), v.34 n.3, p.375-408, September 2002 [doi>10.1145/568522.568525]
	13	{Goldberg74} Robert P. Goldberg. Survey of Virtual Machine Research. IEEE Computer, pages 34--45, June 1974.
	14	{Goldberg96} Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 1996 USENIX Technical Conference, July 1996.
	15	Kinshuk Govil , Dan Teodosiu , Yongqiang Huang , Mendel Rosenblum, Cellular disco: resource management using virtual clusters on shared-memory multiprocessors, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.229-262, Aug. 2000 [doi>10.1145/354871.354873]
	16	{Hon00} Report on the Linux Honeypot Compromise. Technical report, Honeynet Project, November 2000. http://project.honeynet.org/challenge/results/dittrich/evidence.txt.
	17	{Int01} The IA-32 Intel Architecture Software Developer's Manual, Volume 3: System Programming Guide. Technical report, Intel Corporation, 2001.
	18	Paul A. Karger , Mary Ellen Zurko , Douglas W. Bonin , Andrew H. Mason , Clifford E. Kahn, A Retrospective on the VAX VMM Security Kernel, IEEE Transactions on Software Engineering, v.17 n.11, p.1147-1165, November 1991 [doi>10.1109/32.106971]
	19	{King02} Samuel T. King. Operating System Extensions to Support Host-Based Virtual Machines. Technical Report CSE-TR-465-02, University of Michigan, September 2002.
	20	T. J. LeBlanc , J. M. Mellor-Crummey, Debugging parallel programs with instant replay, IEEE Transactions on Computers, v.36 n.4, p.471-482, April 1987 [doi>10.1109/TC.1987.1676929]
	21	{Meushaw00} Robert Meushaw and Donald Simard. NetTop: Commercial Technology in High Assurance Applications. Tech Trend Notes: Preview of Tomorrow's Information Technologies, 9(4), September 2000.
	22	Robert H. B. Netzer , Mark H. Weaver, Optimal tracing and incremental reexecution for debugging long-running programs, Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation, p.313-325, June 20-24, 1994, Orlando, Florida, United States
	23	{Plank95} James S. Plank, Micah Beck, and Gerry Kingsley. Libckpt: Transparent Checkpointing under Unix. In Proceedings of the Winter 1995 USENIX Conference, pages 213--224, January 1995.
	24	Mendel Rosenblum , Stephen A. Herrod , Emmett Witchel , Anoop Gupta, Complete Computer System Simulation: The SimOS Approach, IEEE Parallel & Distributed Technology: Systems & Technology, v.3 n.4, p.34-43, December 1995 [doi>10.1109/88.473612]
	25	Mark Russinovich , Bryce Cogswell, Replay for concurrent non-deterministic shared-memory applications, Proceedings of the ACM SIGPLAN 1996 conference on Programming language design and implementation, p.258-266, May 21-24, 1996, Philadelphia, Pennsylvania, United States
	26	{Strunk00} John D. Strunk, Garth R. Goodson, Michael L. Scheinholtz, Craig A. N. Soules, and Gregory R. Ganger. Self-securing storage: Protecting data in compromised systems. In Proceedings of the 2000 Symposium on Operating Systems Design and Implementation (OSDI), October 2000.
	27	Jeremy Sugerman , Ganesh Venkitachalam , Beng-Hong Lim, Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.1-14, June 25-30, 2001

CITED BY 16

	Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	Pin Zhou , Vivek Pandey , Jagadeesan Sundaresan , Anand Raghuraman , Yuanyuan Zhou , Sanjeev Kumar, Dynamic tracking of page miss ratio curve for memory management, ACM SIGOPS Operating Systems Review, v.38 n.5, December 2004
	Jedidiah R. Crandall , Zhendong Su , S. Felix Wu , Frederic T. Chong, On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Mendel Rosenblum , Tal Garfinkel, Virtual Machine Monitors: Current Technology and Future Trends, Computer, v.38 n.5, p.39-47, May 2005
	Jedidiah R. Crandall , Gary Wassermann , Daniela A. S. de Oliveira , Zhendong Su , S. Felix Wu , Frederic T. Chong, Temporal search: detecting hidden malware timebombs with virtual machines, ACM SIGPLAN Notices, v.41 n.11, November 2006
	Daniela A. S. de Oliveira , Jedidiah R. Crandall , Gary Wassermann , S. Felix Wu , Zhendong Su , Frederic T. Chong, ExecRecorder: VM-based full-system replay for attack analysis and system recovery, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.66-71, October 21-21, 2006, San Jose, California
	Jim Chow , Ben Pfaff , Tal Garfinkel , Kevin Christopher , Mendel Rosenblum, Understanding data lifetime via whole system simulation, Proceedings of the 13th conference on USENIX Security Symposium, p.22-22, August 09-13, 2004, San Diego, CA
	Steven Hand , Andrew Warfield , Keir Fraser , Evangelos Kotsovinos , Dan Magenheimer, Are virtual machine monitors microkernels done right?, Proceedings of the 10th conference on Hot Topics in Operating Systems, p.1-1, June 12-15, 2005, Santa Fe, NM
	Jake Wires , Michael J. Feeley, Secure file system versioning at the block level, ACM SIGOPS Operating Systems Review, v.41 n.3, June 2007
	Costin Raiciu , Mark Handley , David S. Rosenblum, Exploit hijacking: side effects of smart defenses, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.123-130, September 11-15, 2006, Pisa, Italy
	Olivier Crameri , Nikola Knezevic , Dejan Kostic , Ricardo Bianchini , Willy Zwaenepoel, Staged deployment in mirage, an integrated software upgrade testing and distribution system, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Yih Huang , Angelos Stavrou , Anup K. Ghosh , Sushil Jajodia, Efficiently tracking application interactions using lightweight virtualization, Proceedings of the 1st ACM workshop on Virtual machine security, October 27-27, 2008, Alexandria, Virginia, USA
	Khalid Elbadawi , Ehab Al-Shaer, TimeVM: a framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
	Siddharth Choudhuri , Tony Givargis, FlashBox: a system for logging non-deterministic events in deployed embedded systems, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii
	Chris Matthews , Yvonne Coady, Virtualized recomposition: Cloudy or clear?, Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, p.38-43, May 23-23, 2009
	Satish Narayanasamy , Cristiano Pereira , Brad Calder, Software Profiling for Deterministic Replay Debugging of User Code, Proceeding of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06, p.211-230, May 28, 2006