DOI: 10.1145/1095810.1095820
Article

Detecting past and present intrusions through vulnerability-specific predicates

Published: 20 October 2005

Abstract

Most systems contain software with yet-to-be-discovered security vulnerabilities. When a vulnerability is disclosed, administrators face the grim reality that they have been running software which was open to attack. Sites that value availability may be forced to continue running this vulnerable software until the accompanying patch has been tested. Our goal is to improve security by detecting intrusions that occurred before the vulnerability was disclosed and by detecting and responding to intrusions that are attempted after the vulnerability is disclosed. We detect when a vulnerability is triggered by executing vulnerability-specific predicates as the system runs or replays. This paper describes the design, implementation and evaluation of a system that supports the construction and execution of these vulnerability-specific predicates. Our system, called IntroVirt, uses virtual-machine introspection to monitor the execution of application and operating system software. IntroVirt executes predicates over past execution periods by combining virtual-machine introspection with virtual-machine replay. IntroVirt eases the construction of powerful predicates by allowing predicates to run existing target code in the context of the target system, and it uses checkpoints so that predicates can execute target code without perturbing the state of the target system. IntroVirt allows predicates to refresh themselves automatically so they work in the presence of preemptions. We show that vulnerability-specific predicates can be written easily for a wide variety of real vulnerabilities, can detect and respond to intrusions over both the past and present time intervals, and add little overhead for most vulnerabilities.



Published In

SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles
October 2005
259 pages
ISBN:1595930795
DOI:10.1145/1095810
  • ACM SIGOPS Operating Systems Review, Volume 39, Issue 5 (SOSP '05)
    December 2005
    290 pages
    ISSN:0163-5980
    DOI:10.1145/1095809
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. IntroVirt
  2. intrusion detection
  3. semantic gap
  4. virtual-machine introspection
  5. virtual-machine replay
  6. vulnerability-specific predicates

Qualifiers

  • Article

Conference

SOSP05

Acceptance Rates

Overall Acceptance Rate 174 of 961 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 9
  • Downloads (last 6 weeks): 3
Reflects downloads up to 07 Jan 2025

Cited By

  • (2023) IRIS: a Record and Replay Framework to Enable Hardware-assisted Virtualization Fuzzing. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 389-401. DOI: 10.1109/DSN58367.2023.00045. Online publication date: Jun-2023.
  • (2022) Semi-Synchronized Non-Blocking Concurrent Kernel Cruising. IEEE Transactions on Cloud Computing 10(2):1428-1444. DOI: 10.1109/TCC.2020.2970183. Online publication date: 1-Apr-2022.
  • (2021) TRIGLAV: Remote Attestation of the Virtual Machine's Runtime Integrity in Public Clouds. 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pp. 1-12. DOI: 10.1109/CLOUD53861.2021.00013. Online publication date: Sep-2021.
  • (2018) Sledgehammer. Proceedings of the 13th USENIX conference on Operating Systems Design and Implementation, pp. 545-560. DOI: 10.5555/3291168.3291208. Online publication date: 8-Oct-2018.
  • (2018) Using Virtual Machine Introspection for Operating Systems Security Education. Proceedings of the 49th ACM Technical Symposium on Computer Science Education, pp. 396-401. DOI: 10.1145/3159450.3159606. Online publication date: 21-Feb-2018.
  • (2018) Record-Replay Architecture as a General Security Framework. 2018 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 180-193. DOI: 10.1109/HPCA.2018.00025. Online publication date: Feb-2018.
  • (2017) A Wingman for Virtual Appliances. Runtime Verification, pp. 390-399. DOI: 10.1007/978-3-319-67531-2_25. Online publication date: 6-Sep-2017.
  • (2016) Replayconfusion. The 49th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 1-14. DOI: 10.5555/3195638.3195685. Online publication date: 15-Oct-2016.
  • (2016) Harvesting the low-hanging fruits. Proceedings of the 2016 New Security Paradigms Workshop, pp. 11-22. DOI: 10.1145/3011883.3011885. Online publication date: 26-Sep-2016.
  • (2016) Lightweight Examination of DLL Environments in Virtual Machines to Detect Malware. Proceedings of the 4th ACM International Workshop on Security in Cloud Computing, pp. 10-16. DOI: 10.1145/2898445.2898456. Online publication date: 30-May-2016.
