Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Dunlap, King, Cinar, Basrai, Chen

Published byAnnabel Horn Modified over 6 years ago

Similar presentations

Presentation on theme: "By Dunlap, King, Cinar, Basrai, Chen"— Presentation transcript:

1 ReVirt: Enabling Intrusion Analysis Through Virtual-Machine Logging and Replay
By Dunlap, King, Cinar, Basrai, Chen Presented by Seth Goldstein and Nathan Immerman EECS 582 – W16

2 Outline Attacks Current Systems UMLinux Trusted Computing Base ReVirt
Evaluation Conclusion

3 Attacks Use unintended consequences of non-deterministic events
Attempt to gain root access Change code

4 Current Systems Security Completeness
Logs can be modified by a malicious kernel Completeness Don’t log external events

5 UMLinux OS-on-OS Diagram Using UMLinux
VMM loadable kernel module OS-on-OS Provides software analog for peripherals OS-on-OS Diagram Using UMLinux

6 Trusted Computing Base (TCB)
Everything in a computing system that provides a secure environment OS-on-OS “The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.” ~Wikipedia

7 ReVert: Details Deterministic and Non-Deterministic Events
Cooperative Logging Analyzing Attacks

8 Deterministic / Non-Deterministic Events
Most normal instructions do not need to be logged Non-Deterministic Events Time (interrupts) and external input (ex. human input) Only need to log events that affect actions of VM Use “branch_retired” to monitor branching and interrupts

9 Cooperative Logging One computers outgoing message is another computer’s incoming Multiple computers can use ReVirt and perform a replay together

10 Analysis of Attacks Allows administrators to replay attacks
Run inside the guest OS Debuggers and disk analyzer Input packets from log

11 Evaluation Virtualization Overhead Correctness Replay Overhead

12 Virtualization Overhead
Very little overhead added for computationally heavy tasks High overhead for tasks that have a lot of kernel calls - more VMM involvement

13 Correctness Saved register values and branch_retired to validate replay Validates interprocess interaction and external inputs It works.

14 Logging and Replay Overhead
Logging and replay time overhead manageable Daily use - 0.2GB/day * 365 days/year = 73GB per year!

15 Conclusion ReVirt successfully allows administrators to replay long-term instruction by instruction execution of a computer system

16 Discussion

Download ppt "By Dunlap, King, Cinar, Basrai, Chen"

Similar presentations

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.
Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.

New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.
ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging And Replay Authors: George W. Dunlap Samuel T. King Sukru Cinar Murtaza A. Basrai Peter.

ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging And Replay Authors: George W. Dunlap Samuel T. King Sukru Cinar Murtaza A. Basrai Peter.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Real-Time Kernels and Operating Systems. Operating System: Software that coordinates multiple tasks in processor, including peripheral interfacing Types.

Real-Time Kernels and Operating Systems. Operating System: Software that coordinates multiple tasks in processor, including peripheral interfacing Types.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.

SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
March 24, 2003Upadhyaya – IWIA 20031 A Tamper-resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors R. Chinchani.

March 24, 2003Upadhyaya – IWIA A Tamper-resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors R. Chinchani.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Virtualization: An Overview Brendan Lynch. Forms of virtualization In all cases virtualization is taking a physical component and simulating the interface.

Virtualization: An Overview Brendan Lynch. Forms of virtualization In all cases virtualization is taking a physical component and simulating the interface.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.

Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
SymCall: Symbiotic Virtualization Through VMM-to-Guest Upcalls John R. Lange and Peter Dinda University of Pittsburgh (CS) Northwestern University (EECS)

SymCall: Symbiotic Virtualization Through VMM-to-Guest Upcalls John R. Lange and Peter Dinda University of Pittsburgh (CS) Northwestern University (EECS)
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
UNIX System Administration OS Kernal Copyright 2002, Dr. Ken Hoganson All rights reserved. OS Kernel Concept Kernel or MicroKernel Concept: An OS architecture-design.

UNIX System Administration OS Kernal Copyright 2002, Dr. Ken Hoganson All rights reserved. OS Kernel Concept Kernel or MicroKernel Concept: An OS architecture-design.
80386DX.

80386DX.

Similar presentations

Ads by Google