The ghost of intrusions past

The ghost of intrusions past Ashlesha Joshi Peter M. Chen University of Michigan 7 December 2004

Vulnerability Introduced Vulnerability Discovered Vulnerability Patched Vulnerability Patched Motivation time • Red time interval: window of vulnerability during which exploit is possible • Prompt patching makes this interval smaller, but cannot eliminate it • What to do in what’s left of window of vulnerability?

Vulnerability Introduced Vulnerability Discovered Vulnerability Patched Solution • Use VM replay and VM introspection to detect the triggering of a vulnerability • As machine replays, examine its state to determine if vulnerability gets triggered time

Example • Consider a race condition: • Predicate: (v does not satisfy the condition at line 4) • Who writes the predicate? 1 if (variable v does not satisfy condition) 2 return error 3 Do other stuff 4 Use variable v // condition not rechecked

Vulnerability Introduced Vulnerability Discovered Patch Applied Patch Available Summary and Status • Can use same VM introspection technique during live execution, not just replay • Already can write and evaluate predicates for kernel bugs • Currently extending to work for application bugs too time

The ghost of intrusions past

The ghost of intrusions past

Presentation Transcript

IGNEOUS INTRUSIONS

Detecting Past and Present Intrusions through Vulnerability-Specific Predicates

The ghost of intrusions past

The Ghost of John

The Ghost of the Past

The ghost of thomas kemPE

The Ghost of Crutchfield Hall

Intrusions

The “ Ghost of Christmas Past”

Backtracking Intrusions

The Ghost of Christmas Past

The Ghost of Thomas Kemp

Backtracking Intrusions

Backtracking Intrusions

Detecting past and present intrusions through vulnerability-specific predicates

Igneous Intrusions

13Computer Intrusions

Detecting past and present intrusions through vulnerability-specific predicates

The Chamber of Ghost