
Virtual Machine Logging and Replay for Intrusion Analysis
Presentation Transcript
ReVirt: Enabling Intrusion Analysis Through Virtual-Machine Logging and Replay
By Dunlap, King, Cinar, Basrai, Chen
Presented by Seth Goldstein and Nathan Immerman
EECS 582 W16

Outline
- Attacks
- Current Systems
- UMLinux
- Trusted Computing Base
- ReVirt
- Evaluation
- Conclusion
Attacks
- Exploit unintended consequences of non-deterministic events (e.g., timing, external input)
- Attempt to gain root access
- Change code

Current Systems
- Security: logs can be modified by a malicious kernel, so once the attacker controls the OS the log can no longer be trusted
- Completeness: they don't log the external, non-deterministic events needed to reproduce the attack
UMLinux
- VMM implemented as a loadable kernel module
- OS-on-OS: the guest OS runs as a user process on the host Linux kernel
- Provides software analogs for peripherals
[Diagram: OS-on-OS structure using UMLinux]

Trusted Computing Base (TCB)
- Everything in a computing system that provides a secure environment
- For ReVirt, the host OS and VMM are in the TCB; the guest OS is not, so a compromised guest kernel cannot tamper with the log kept below it
[Diagram: OS-on-OS]
"The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system." ~Wikipedia
ReVirt: Details
- Deterministic and Non-Deterministic Events
- Cooperative Logging
- Analyzing Attacks

Deterministic / Non-Deterministic Events
- Deterministic events: most normal instructions; their result follows from the prior state, so they are not logged, only re-executed during replay
- Non-deterministic events: time (interrupts) and external input (e.g., human input)
- Only events that affect the actions of the VM need to be logged
- Use the branch_retired hardware counter together with the program counter to record exactly which instruction an interrupt arrived before, so replay can deliver it at the same point

Cooperative Logging
- One computer's outgoing message is another computer's incoming message
- If both machines run ReVirt, the receiver need not log the message contents: replaying the sender regenerates them
- Multiple computers can use ReVirt and perform a replay together
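The mechanics behind the two preceding slides, worked through on a toy machine: log only the non-deterministic events, pin each interrupt to a branch count plus program counter so replay can re-deliver it before the same instruction, and let a receiver whose sender is also logged record just (peer, sequence number) instead of the message payload. This is an added example, not code from the ReVirt paper or from the presenters; the five-register machine, the timer handler that samples r0, and the software `branches` counter standing in for the x86 branch_retired counter are assumptions made for illustration.

```python
"""ReVirt-style logging and replay on a toy VM (added example, not the paper's code).
Assumed here, not taken from the slides: a 5-register machine, a timer interrupt whose
handler samples r0 (so the instruction it lands before matters), and `branches` as a
software stand-in for the x86 branch_retired counter the paper uses."""
import random
from dataclasses import dataclass, field

@dataclass
class VM:
    program: list
    regs: dict = field(default_factory=lambda: dict(r0=0, r1=0, acc=0, ticks=0, isum=0))
    pc: int = 0
    branches: int = 0        # branches retired since boot (branch_retired analogue)
    halted: bool = False
    sent: list = field(default_factory=list)   # outgoing messages, in order

def deliver_interrupt(vm):
    """Timer handler. It reads r0, so delivering it one instruction late changes isum."""
    vm.regs["ticks"] += 1
    vm.regs["isum"] += vm.regs["r0"]

def execute(vm, read_input):
    """Run one instruction. Everything here is deterministic except 'in'."""
    op, *a = vm.program[vm.pc]
    nxt = vm.pc + 1
    if op == "addi":
        vm.regs[a[0]] += a[1]
    elif op == "add":
        vm.regs[a[0]] += vm.regs[a[1]]
    elif op == "jnz":        # the only branch instruction; it bumps the counter
        vm.branches += 1
        if vm.regs[a[0]] != 0:
            nxt = a[1]
    elif op == "in":
        vm.regs[a[0]] = read_input()
    elif op == "out":
        vm.sent.append(vm.regs[a[0]])
    elif op == "halt":
        vm.halted = True
    vm.pc = nxt

def run_live(vm, input_source, interrupt_source):
    """Original run. Only non-deterministic events reach the log: an interrupt as
    ("intr", branches, pc), the instruction it was delivered before; an input as the
    entry input_source pairs with the value, ("in", v) or ("recv", peer, seq)."""
    log = []
    def read_input():
        value, entry = input_source()
        log.append(entry)
        return value
    while not vm.halted:
        if interrupt_source():
            log.append(("intr", vm.branches, vm.pc))
            deliver_interrupt(vm)
        execute(vm, read_input)
    return vm, log

def run_replay(vm, log, peers=None):
    """Re-execute a fresh VM: deterministic work is redone, the log supplies inputs and
    interrupt positions, `peers` maps a name to an already replayed sender whose `sent`
    list regenerates messages that a cooperative ("recv", ...) entry left out."""
    pending, peers = list(log), peers or {}
    def read_input():
        kind, *rest = pending.pop(0)
        if kind == "in":                 # ordinary logging: the value is in the log
            return rest[0]
        if kind == "recv":               # cooperative logging: refetch from the sender's replay
            return peers[rest[0]].sent[rest[1]]
        raise RuntimeError(f"replay diverged: wanted an input, log has {(kind, *rest)}")
    while not vm.halted:
        if pending and pending[0][0] == "intr" and pending[0][1:] == (vm.branches, vm.pc):
            pending.pop(0)
            deliver_interrupt(vm)
        execute(vm, read_input)
    if pending:                          # validation: replay must consume the log exactly
        raise RuntimeError(f"replay diverged: log left over {pending}")
    return vm

# Sender A reads three outside inputs and forwards each one; receiver B sums the three.
PROGRAM_A = [("addi", "r1", 3), ("in", "r0"), ("add", "acc", "r0"), ("out", "r0"),
             ("addi", "r1", -1), ("jnz", "r1", 1), ("halt",)]
PROGRAM_B = [("addi", "r1", 3), ("in", "r0"), ("add", "acc", "r0"),
             ("addi", "r1", -1), ("jnz", "r1", 1), ("halt",)]

def demo(seed=7):
    rng = random.Random(seed)            # stands in for the unpredictable outside world
    def outside_input():                 # A's inputs are logged with their full value
        v = rng.randrange(1, 10)
        return v, ("in", v)
    def timer():
        return rng.random() < 0.3
    live_a, log_a = run_live(VM(PROGRAM_A), outside_input, timer)
    seq = iter(range(len(live_a.sent)))
    def receive_from_a():                # cooperative logging: B records (peer, seq), no payload
        i = next(seq)
        return live_a.sent[i], ("recv", "A", i)
    live_b, log_b = run_live(VM(PROGRAM_B), receive_from_a, timer)
    replay_a = run_replay(VM(PROGRAM_A), log_a)    # A first: B's replay pulls A's messages
    replay_b = run_replay(VM(PROGRAM_B), log_b, peers={"A": replay_a})
    return dict(live_a=live_a, replay_a=replay_a, log_a=log_a,
                live_b=live_b, replay_b=replay_b, log_b=log_b)
```

`demo()` returns both the live and the replayed machines so their registers, branch counts and outgoing messages can be compared, which is the same check the paper uses to validate a replay. The (branch count, pc) pair is what makes an interrupt position unambiguous: the pc alone repeats every loop iteration, and the branch count alone cannot distinguish instructions within one straight-line block. B's log contains only `intr` and `recv` entries; the message bytes exist solely in A's replay.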
Analysis of Attacks
- Allows administrators to replay attacks
- Analysis runs inside the guest OS
- Debuggers and disk analyzers can be applied to the replayed run
- Input packets are taken from the log, not from the network

Evaluation
- Virtualization Overhead
- Correctness
- Replay Overhead
Virtualization Overhead
- Very little overhead added for computationally heavy (CPU-bound) tasks
- High overhead for tasks that make many kernel calls, since each one involves the VMM

Correctness
- Saved register values and branch_retired counts are compared to validate the replay
- Validates interprocess interaction and external inputs
- Result: it works; replayed runs matched the originals

Logging and Replay Overhead
- Logging and replay time overhead is manageable
- Log volume for daily use: about 0.2 GB/day, so 0.2 GB/day * 365 days/year = 73 GB per year!
Conclusion
- ReVirt successfully allows administrators to replay the long-term, instruction-by-instruction execution of a computer system

Discussion