Automatic intrusion recovery with system-wide history

Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2014.

Bibliographic Details
Main Author: Kim, Taesoo, Ph. D. Massachusetts Institute of Technology
Other Authors: Nickolai Zeldovich.
Format: Thesis
Language:eng
Published: Massachusetts Institute of Technology 2014
Subjects:
Online Access:http://hdl.handle.net/1721.1/91107
_version_ 1826191732745699328
author Kim, Taesoo, Ph. D. Massachusetts Institute of Technology
author2 Nickolai Zeldovich.
author_facet Nickolai Zeldovich.
Kim, Taesoo, Ph. D. Massachusetts Institute of Technology
author_sort Kim, Taesoo, Ph. D. Massachusetts Institute of Technology
collection MIT
description Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2014.
first_indexed 2024-09-23T09:00:24Z
format Thesis
id mit-1721.1/91107
institution Massachusetts Institute of Technology
language eng
last_indexed 2024-09-23T09:00:24Z
publishDate 2014
publisher Massachusetts Institute of Technology
record_format dspace
spelling mit-1721.1/911072019-04-10T20:11:36Z Automatic intrusion recovery with system-wide history Kim, Taesoo, Ph. D. Massachusetts Institute of Technology Nickolai Zeldovich. Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science. Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science. Electrical Engineering and Computer Science. Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2014. Cataloged from PDF version of thesis. Includes bibliographical references (pages 67-71). Compromises of our computer systems are inevitable. New software vulnerabilities are discovered and exploited daily, but even if the software is bug-free, administrators may inadvertently make mistakes in configuring permissions, or unaware users may click on buttons in application installers with little understanding of its consequences. Unfortunately, recovering from those inevitable compromises leads to days and weeks of wasted effort by users or system administrators, with no conclusive guarantee that all traces of the attack have been cleaned up. This dissertation presents RETRO, an automatic recovery system that repairs a computer after an adversary compromises it, by undoing the adversary's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph to describe the system's execution, enabling RETRO to trace the adversary's changes and their effects. During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize re-execution and user involvement, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, uses refinement to represent high level semantics into the action history graph, and uses compensating actions to handle external effects. An evaluation of a prototype of RETRO for Linux with 2 real-world attacks, 2 synthesized challenge attacks, and 6 attacks from previous work, shows that RETRO can handle a wide range of real attacks with minimal user involvement, and preserve user's changes by efficiently re-executing parts of an action history graph. These benefits come at the cost of 35-127% in execution time overhead and of 4-150 GB of log space per day, depending on the workload. For example, a HotCRP paper submission web site incurs 35% slowdown and generates 4 GB of logs per day under the workload from 30 minutes prior to the SOSP 2007 deadline. We believe those overheads are acceptable in systems whose integrity is critical in their operations. by Taesoo Kim. Ph. D. 2014-10-21T17:26:30Z 2014-10-21T17:26:30Z 2014 2014 Thesis http://hdl.handle.net/1721.1/91107 892921874 eng M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582 71 pages application/pdf Massachusetts Institute of Technology
spellingShingle Electrical Engineering and Computer Science.
Kim, Taesoo, Ph. D. Massachusetts Institute of Technology
Automatic intrusion recovery with system-wide history
title Automatic intrusion recovery with system-wide history
title_full Automatic intrusion recovery with system-wide history
title_fullStr Automatic intrusion recovery with system-wide history
title_full_unstemmed Automatic intrusion recovery with system-wide history
title_short Automatic intrusion recovery with system-wide history
title_sort automatic intrusion recovery with system wide history
topic Electrical Engineering and Computer Science.
url http://hdl.handle.net/1721.1/91107
work_keys_str_mv AT kimtaesoophdmassachusettsinstituteoftechnology automaticintrusionrecoverywithsystemwidehistory