
ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay

OSDI 2002. George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen, Department of Electrical Engineering and Computer Science, University of Michigan. Presented 2006-11-29 by Yu, Young Jin.


Presentation Transcript


  1. Title slide (paper title, authors and presenter as given above).

  2. Questions!
     • What is ReVirt?
     • Why does it do so? What are the goals?
     • Any relation with VMs?
     • Does it work correctly? And what is the performance?

  3. Questions! (outline repeated; next topic: Function, Architecture, …)

  4. What is ReVirt?
     • A replay service for virtual machines.
     • ReVirt logs enough information to replay the execution of a virtual machine instruction by instruction.
     • Lets the analyst view the entire state of the system at an arbitrary point in history.
     • Used for reconstructing an attack.

  5. The ReVirt System
     • OS-on-OS structure.
     • The VMM is a loadable kernel module plus some hooks in the host kernel.
     • Moving services beneath a virtual machine.

  6. Questions! (outline repeated; next topic: Why beneath a VM? Why replaying?)

  7. Current Logging System (figure-only slide; its two problems, integrity and completeness, are addressed on the next two slides)

  8. To solve the two problems: integrity
     • Encapsulate the target system inside a VM, then place the logger beneath this VM.
     • ReVirt continues to log the actions of intruders even if they replace the target's boot block or kernel.

  9. To solve the two problems: completeness
     • Replay the complete, instruction-by-instruction execution of the VM.
     • ReVirt adapts techniques such as checkpointing, logging and roll-forward recovery.

  10. Questions! (outline repeated; next topic: Any VM technology?)

  11. UMLinux: Linux on Linux
     • Linux ported to run on the ‘Linux’ architecture.
     • OS-on-OS structure (vs. direct-on-host).
     • The guest OS and all its applications run within a single host process.
     • But the authors were not happy with the original UMLinux.

  12. Original UMLinux

  13. Modified UMLinux
     • The VMM is implemented as a kernel module.
     • Modifications to the host OS as well (+510 lines).

  14. Emulation
     • UMLinux provides a software analogue of each peripheral device in a normal computer system.
     • How to distinguish between system calls issued by a guest application and those issued by the guest kernel?

  15. System Call Flow

  16. Trusted Computing Base for UMLinux
     • The TCB for an OS-on-OS structure can be much smaller than the complete host OS.
     • The VMM restricts the guest kernel to fewer than 7% of the host system calls.
     • Network traffic is mostly processed by the guest OS's TCP and UDP stacks.

  17. Logging and Replaying UMLinux
     • Replaying a process requires logging the non-deterministic events that affect the process's computation.
     • Non-deterministic events:
        • Time: we must log the instruction at which the interrupt occurred.
        • External input: keyboard, mouse, or network card.
     • Logging (similar to syslogd):
        • The VMM and kernel hooks add log records to a circular buffer in host kernel memory.
        • A user-level daemon (rlogd) consumes the buffer.

  18. Questions! (outline repeated; next topic: does it work correctly, and what is the performance?)
     • How do we know it’s doing the same thing?
     • What’s the overhead of virtualization?
     • What’s the overhead of logging?

  19. Experiment Setup
     • AMD Athlon 1800+, 256 MB
     • Samsung SV4084 IDE disk
     • Linux 2.4.18 guest and host
     • VM configured to use 192 MB RAM

  20. Validating ReVirt correctness
     • Extensive error checking.
     • At every system call and virtual interrupt, all register values are logged,
     • and verified to be the same during replay.
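A toy model of the mechanism on slides 17 and 20, added here as an illustration and not code from the ReVirt project: the only non-deterministic events are external reads and asynchronous interrupts, logging records each read value and the instruction count at which each interrupt was delivered together with a register snapshot, and replay feeds the log back in and re-checks every snapshot. The guest program, register set and interrupt handler are constructed for the example.

```python
class ReplayDivergence(Exception):
    """Replayed register state differs from what the log recorded."""

# Constructed toy guest program; only "read" takes external, non-deterministic input.
PROGRAM = [("read", "a"), ("add", "a", 3), ("read", "b"), ("mul", "b", 2),
           ("add", "a", 1), ("halt",)]

def execute(program, inputs=(), irq_at=(), log=None):
    """Run `program` on a toy VM with registers a, b and irq.
    Logging mode (log is None): reads consume `inputs`, an interrupt is delivered
    just before the instruction whose count is in `irq_at`, and each event is
    logged with a register snapshot. Replay mode (log given): the log is the only
    source of inputs and interrupt points and every snapshot is re-verified."""
    replay = log is not None
    pending = list(log) if replay else []     # log records not yet consumed
    log = log if replay else []
    inputs = iter(inputs)
    regs = {"a": 0, "b": 0, "irq": 0}
    count = 0                                 # instructions retired so far

    def checkpoint(kind, payload):
        # Slide 20: log all register values at every event, verify them on replay.
        record = (kind, count, payload, dict(regs))
        if not replay:
            log.append(record)
        elif not pending or pending.pop(0) != record:
            raise ReplayDivergence(f"instruction {count}: replay produced {record}")

    while True:
        # Slide 17: an interrupt's effect depends on which instruction it preceded,
        # so the instruction count is the essential part of its log record.
        due = (bool(pending) and pending[0][:2] == ("irq", count)) if replay else count in irq_at
        if due:
            regs["irq"] += 1
            regs["a"] += regs["b"]            # handler side effect on guest state
            checkpoint("irq", None)
        op, *args = program[count]
        if op == "halt":
            return regs, log
        if op == "read":                      # keyboard/network style external input
            regs[args[0]] = next(inputs) if not replay else (pending[0][2] if pending else None)
            checkpoint("read", regs[args[0]])
        elif op == "add":
            regs[args[0]] += args[1]
        elif op == "mul":
            regs[args[0]] *= args[1]
        count += 1
```

Delivering the same interrupt one instruction later yields a different final state, which is why the instruction count, not just the interrupt itself, must be logged; a log whose interrupt point or input value has been altered is caught by the snapshot comparison.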

  21. Validating ReVirt correctness: PASSED

  22. Experiment Workload
     • POV-Ray raytracer: CPU-intensive.
     • Kernel build (Linux 2.4.18): make clean; make dep; make bzImage.
     • NFS kernel build: kernel stored on an NFS server.
     • SPECweb99: benchmark that measures web server performance.
     • Daily use test: 24 hours.

  23. Virtualization Overhead
     • UMLinux adds very little overhead for compute-intensive applications.
     • The overheads for workloads 2 to 4 (kernel build, NFS kernel build, SPECweb99) are higher because they issue more guest kernel calls, each of which must be trapped by the VMM kernel module and reflected back to the guest kernel by sending a signal (SIGUSR1).
     • The overhead is low enough for normal desktop use.

  24. Logging and Replaying Overhead
     • The time overhead of logging is small (at most 8%).
     • The log growth rate (**) is higher because of the need to log incoming packets.
     • No perceptible time overhead relative to running without logging; sometimes much faster, because replay skips over periods of idle time.
