Intrusion Recovery Using Selective Re-execution
Authors: Taesoo Kim, Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek
Affiliation: Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science
Format: Article
Language: en_US
Published: USENIX Association, 2011
Online access: http://hdl.handle.net/1721.1/61699
Author ORCIDs: https://orcid.org/0000-0003-0238-2703, https://orcid.org/0000-0001-7098-586X
Abstract: RETRO repairs a desktop or server after an adversary compromises it, by undoing the adversary's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution. RETRO uses refinement to describe graph objects and actions at multiple levels of abstraction, which allows for precise dependencies. During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects. An evaluation of a prototype of RETRO for Linux with 2 real-world attacks, 2 synthesized challenge attacks, and 6 attacks from previous work, shows that RETRO can often repair the system without user involvement, and avoids false positives and negatives from previous solutions. These benefits come at the cost of 35–127% in execution time overhead and of 4–150 GB of log space per day, depending on the workload. For example, a HotCRP paper submission web site incurs 35% slowdown and generates 4 GB of logs per day under the workload from 30 minutes prior to the SOSP 2007 deadline.
Date issued: 2010-10 (added to repository 2011-03-15)
Type: Conference paper (http://purl.org/eprint/type/ConferencePaper)
ISBN: 978-1-931971-79-9
Citation: Kim, Taesoo, et al. "Intrusion Recovery Using Selective Re-execution." Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10). Vancouver, BC, Canada, 2010. 89-104.
Conference program: http://www.usenix.org/event/osdi10/tech/tech.html#Kim
License: Creative Commons Attribution-Noncommercial-Share Alike 3.0, http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: MIT web domain (application/pdf)