ReVirt: enabling intrusion analysis through virtual-machine logging and replay

Published: 31 December 2002

Abstract

Current system loggers have two problems: they depend on the integrity of the operating system being logged, and they do not save sufficient information to replay and analyze attacks that include any non-deterministic events. ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine. This allows ReVirt to replay the system's execution before, during, and after an intruder compromises the system, even if the intruder replaces the target operating system. ReVirt logs enough information to replay a long-term execution of the virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions. ReVirt adds reasonable time and space overhead. Overheads due to virtualization are imperceptible for interactive use and CPU-bound workloads, and 13--58% for kernel-intensive workloads. Logging adds 0--8% overhead, and logging traffic for our workloads can be stored on a single disk for several months.
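As an added illustration (not ReVirt's code), the toy interpreter below shows the mechanism the abstract describes: only the non-deterministic inputs, here interrupt delivery points and data read from outside the machine, are logged together with the instruction count at which they were observed, and replaying from that log alone reproduces the run instruction-by-instruction. `PROGRAM`, `Recorder`, `Replayer` and the 30% interrupt probability are constructed for this example.

```python
import random
# Constructed toy program: 'add' is deterministic; 'read' takes a value from outside the VM.
PROGRAM = ["read", "add", "add", "read", "add"]

class Recorder:
    """Live run: non-deterministic events happen and are logged with the instruction count."""
    def __init__(self, rng):
        self.rng, self.log = rng, []
    def poll_irq(self, icount):          # asynchronous interrupt, arbitrary timing
        fired = self.rng.random() < 0.3
        if fired:
            self.log.append(("IRQ", icount, None))
        return fired
    def read_input(self, icount):        # external data, arbitrary value
        value = self.rng.randrange(100)
        self.log.append(("IN", icount, value))
        return value

class Replayer:
    """Replay: answers the same questions from the log instead of from the world."""
    def __init__(self, log):
        self.log, self.pos = list(log), 0
    def _take(self, kind, icount):
        if self.pos < len(self.log) and self.log[self.pos][:2] == (kind, icount):
            self.pos += 1
            return self.log[self.pos - 1]
        return None
    def poll_irq(self, icount):
        return self._take("IRQ", icount) is not None
    def read_input(self, icount):
        entry = self._take("IN", icount)
        if entry is None:                # log and execution no longer agree
            raise RuntimeError(f"replay diverged at instruction {icount}")
        return entry[2]

def execute(env, program=PROGRAM, loops=4):
    """Deterministic interpreter; only `env` injects non-determinism. Returns (acc, icount)."""
    acc, icount = 0, 0
    for _ in range(loops):
        for op in program:
            if env.poll_irq(icount):     # interrupt delivered before this instruction
                acc ^= 0xFF              # handler effect depends on exact timing
            acc += env.read_input(icount) if op == "read" else 1
            icount += 1
    return acc, icount

def record_and_replay(seed):
    rec = Recorder(random.Random(seed))  # record one live run, then replay it from its log
    live = execute(rec)
    return live, execute(Replayer(rec.log)), len(rec.log)
```

The log holds one entry per non-deterministic event rather than one per instruction, which is why the abstract's replay log stays small relative to the execution it can reproduce.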

Published in

ACM SIGOPS Operating Systems Review, Volume 36, Issue SI
OSDI '02: Proceedings of the 5th Symposium on Operating Systems Design and Implementation
Winter 2002, 398 pages
ISSN: 0163-5980
DOI: 10.1145/844128

Copyright © 2002. Copyright is held by the owner/author(s).

            Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States
