The ghost of intrusions past

1. The ghost of intrusions past Ashlesha Joshi Peter M. Chen University of Michigan 7 December 2004

2. Vulnerability Introduced Vulnerability Discovered Vulnerability Patched Vulnerability Patched Motivation time • Red time interval: window of vulnerability during which exploit is possible • Prompt patching makes this interval smaller, but cannot eliminate it • What to do in what’s left of window of vulnerability?

3. Vulnerability Introduced Vulnerability Discovered Vulnerability Patched Solution • Use VM replay and VM introspection to detect the triggering of a vulnerability • As machine replays, examine its state to determine if vulnerability gets triggered time

4. Example • Consider a race condition: • Predicate: (v does not satisfy the condition at line 4) • Who writes the predicate? 1 if (variable v does not satisfy condition) 2 return error 3 Do other stuff 4 Use variable v // condition not rechecked

5. Vulnerability Introduced Vulnerability Discovered Patch Applied Patch Available Summary and Status • Can use same VM introspection technique during live execution, not just replay • Already can write and evaluate predicates for kernel bugs • Currently extending to work for application bugs too time