Intrusion Recovery Using Selective Re-execution
Author(s)
Kim, Taesoo; Wang, Xi; Zeldovich, Nickolai; Kaashoek, M. Frans
Open Access Policy
Creative Commons Attribution-Noncommercial-Share Alike
Terms of use
Abstract
RETRO repairs a desktop or server after an adversary compromises it, by undoing the adversary's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution. RETRO uses refinement to describe graph objects and actions at multiple levels of abstraction, which allows for precise dependencies. During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects. An evaluation of a prototype of RETRO for Linux with 2 real-world attacks, 2 synthesized challenge attacks, and 6 attacks from previous work, shows that RETRO can often repair the system without user involvement, and avoids false positives and negatives from previous solutions. These benefits come at the cost of 35–127% in execution time overhead and of 4–150 GB of log space per day, depending on the workload. For example, a HotCRP paper submission web site incurs 35% slowdown and generates 4 GB of logs per day under the workload from 30 minutes prior to the SOSP 2007 deadline.
Date issued
2010-10
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Journal
Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10)
Publisher
USENIX Association
Citation
Kim, Taesoo, et al. “Intrusion Recovery Using Selective Re-execution.” Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10). Vancouver, BC, Canada, 2010. 89-104.
Version: Author's final manuscript
ISBN
978-1-931971-79-9