OSDI 2002. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen, Department of Electrical Engineering and Computer Science, University of Michigan. Presented 2006-11-29 by Yu, Young Jin.
Questions !
• What is ReVirt? (function, architecture, …)
• Why does it do what it does? What are the goals?
• How does it relate to virtual machines?
• Does it work correctly, and what does it cost in performance?
What is ReVirt?
• A replay service for virtual machines.
• ReVirt logs enough information to replay the execution of a virtual machine instruction by instruction.
• This lets an analyst view the entire state of the system at an arbitrary point in its history and reconstruct an attack step by step.
The ReVirt System
• OS-on-OS structure: the target OS runs as a guest inside a virtual machine on a host OS.
• The VMM is a loadable host-kernel module plus a few hooks in the host kernel.
• The principle: move security services (here, logging) beneath the virtual machine, out of reach of a compromised guest.
Questions !
• Why does it do what it does? Why place the logger beneath the VM, and why replay rather than just log?
To solve the two problems of conventional loggers
• Integrity: a logger that runs inside the target system can be disabled or falsified once the attacker controls that system. ReVirt encapsulates the target system inside a VM and places the logger beneath this VM, so it continues to log the actions of intruders even if they replace the target's boot block or the target kernel.
• Completeness: conventional logs record too little to explain how an attack unfolded. ReVirt instead replays the complete, instruction-by-instruction execution of the VM, adapting fault-tolerance techniques such as checkpointing, logging, and roll-forward recovery.
Questions !
• How does it relate to virtual machines? Which VM technology does ReVirt build on?
UMLinux: Linux on Linux
• Linux ported to run on a 'Linux' architecture: the host OS plays the role of the hardware.
• OS-on-OS structure (vs. running the VMM directly on the hardware).
• The guest OS and all guest applications run within a single host process.
• The authors were not satisfied with the original UMLinux: its VMM ran outside the host kernel, and the resulting overhead on guest system calls motivated the modifications on the next slide.
Modified UMLinux
• The VMM is moved into the host kernel as a loadable module.
• The host OS itself is also modified (about 510 lines added).
Emulation
• UMLinux provides a software analogue of each peripheral device in a normal computer system (e.g. the network card and the keyboard).
• A key problem: the guest kernel and the guest applications share one host process, so the VMM must distinguish host system calls issued by the guest kernel (which the host should serve) from those issued by a guest application (which must be redirected to the guest kernel).
Trusted Computing Base for UMLinux
• The TCB for an OS-on-OS structure can be much smaller than the complete host OS.
• The VMM restricts the guest kernel to fewer than 7% of the host's system calls, so only that subset of the host kernel is exposed to the guest.
• Network traffic is mostly processed by the guest OS's own TCP and UDP stacks, not by the host's.
Logging and Replaying UMLinux
• Replaying a process requires logging the non-deterministic events that affect the process's computation; everything else is reproduced by re-executing the same instructions.
• Non-deterministic events:
• Time: it is not enough to log that an interrupt occurred; we must log the instruction at which the interrupt occurred, so that replay can deliver it at the same point in the instruction stream.
• External input: data arriving from the keyboard, mouse, or network card.
• Logging (similar to syslogd): the VMM and the kernel hooks add log records to a circular buffer in host kernel memory; a user-level daemon (rlogd) consumes the buffer.
Questions !
• Does it work correctly, and what does it cost?
• How do we know replay is doing the same thing as the original run?
• What is the overhead of virtualization?
• What is the overhead of logging?
Experiment Setup
• AMD Athlon 1800+, 256 MB RAM
• Samsung SV4084 IDE disk
• Linux 2.4.18 for both guest and host
• VM configured with 192 MB RAM
Validating ReVirt correctness
• Extensive error checking: at every system call and virtual interrupt, the original run logs all register values, and replay verifies that its own register values at the same points are identical.
• Any divergence in a replayed run therefore surfaces immediately as a register mismatch rather than going unnoticed.
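The logging-and-replay scheme of the "Logging and Replaying UMLinux" slide and the register-value check of this slide, as an added toy example in Python. This is constructed illustration code, not ReVirt's or UMLinux's. It assumes a five-instruction toy machine, an interrupt handler that reads register A, and a fixed `timer_fires` schedule standing in for real, unpredictable interrupt timing; all of these are invented for the example. The machine's only nondeterminism is the value an IN instruction reads and the instruction boundary at which the timer interrupt arrives; the recorder logs exactly those, tagged with the instruction count, and replay must reproduce the identical register trace.

```python
from itertools import zip_longest

# Toy program: sum input bytes until a 0 byte arrives.
PROGRAM = [
    ("IN", "A"),          # A <- next byte from the outside world (nondeterministic)
    ("JZ", "A", 4),       # if A == 0: goto HALT
    ("ADD", "SUM", "A"),  # SUM += A
    ("JMP", 0),
    ("HALT",),
]

def execute(events):
    """Deterministic core. Outside contact only via events.poll_irq(icount) (is the
    timer interrupt delivered before instruction number icount?) and
    events.read_input(icount). Returns (final regs, register trace at each IRQ/IN)."""
    regs = {"A": 0, "SUM": 0, "TICKS": 0, "IRQSUM": 0, "PC": 0}
    icount, trace = 0, []
    while True:
        if events.poll_irq(icount):
            # Interrupt handler: it reads guest state (A), so *which* instruction
            # boundary it runs at changes the outcome.
            regs["TICKS"] += 1
            regs["IRQSUM"] += regs["A"]
            trace.append((icount, "IRQ", dict(regs)))
        op = PROGRAM[regs["PC"]]
        if op[0] == "HALT":
            return regs, trace
        if op[0] == "IN":
            regs[op[1]] = events.read_input(icount)
            regs["PC"] += 1
            trace.append((icount, "IN", dict(regs)))
        elif op[0] == "JZ":
            regs["PC"] = op[2] if regs[op[1]] == 0 else regs["PC"] + 1
        elif op[0] == "ADD":
            regs[op[1]] += regs[op[2]]
            regs["PC"] += 1
        elif op[0] == "JMP":
            regs["PC"] = op[1]
        icount += 1

class Recorder:
    """Original run: consults the environment, logs (icount, kind, payload) per event."""
    def __init__(self, inputs, timer_fires):
        self.inputs, self.timer_fires, self.log = iter(inputs), timer_fires, []
    def poll_irq(self, icount):
        fired = self.timer_fires(icount)        # stand-in for real, unpredictable timing
        if fired:
            self.log.append((icount, "IRQ", None))   # the instruction at which it hit
        return fired
    def read_input(self, icount):
        value = next(self.inputs)
        self.log.append((icount, "IN", value))       # the external input itself
        return value

class Replayer:
    """Replay: answers only from the log; the environment is never consulted."""
    def __init__(self, log):
        self.log, self.pos = list(log), 0
    def _head(self):
        return self.log[self.pos] if self.pos < len(self.log) else (None, None, None)
    def poll_irq(self, icount):
        if self._head()[:2] == (icount, "IRQ"):
            self.pos += 1
            return True
        return False
    def read_input(self, icount):
        ic, kind, value = self._head()
        if (ic, kind) != (icount, "IN"):
            raise RuntimeError(f"replay diverged: IN at {icount}, log has {kind}@{ic}")
        self.pos += 1
        return value

def record(inputs, timer_fires):
    rec = Recorder(inputs, timer_fires)
    regs, trace = execute(rec)
    return regs, trace, rec.log

def replay(log):
    return execute(Replayer(log))

def first_divergence(trace_a, trace_b):
    """The validation check: registers at each IRQ/IN must match. Icount of first mismatch or None."""
    for a, b in zip_longest(trace_a, trace_b):
        if a != b:
            return (a or b)[0]
    return None

def relocate_irqs(log, new_icounts):
    """Models a log that recorded *that* interrupts happened but not *where*: replay must guess."""
    irqs = [(ic, "IRQ", None) for ic in new_icounts][:sum(e[1] == "IRQ" for e in log)]
    rest = [e for e in log if e[1] != "IRQ"]
    return sorted(irqs + rest, key=lambda e: (e[0], e[1] != "IRQ"))

if __name__ == "__main__":
    regs, trace, log = record([3, 5, 0], lambda ic: ic in {2, 5})   # constructed run
    r_regs, r_trace = replay(log)
    w_regs, w_trace = replay(relocate_irqs(log, [0, 1]))
    print("exact replay identical:", (regs, None) == (r_regs, first_divergence(trace, r_trace)))
    print("misplaced interrupts:", w_regs, "first mismatch at icount", first_divergence(trace, w_trace))
```

The second replay in the demo delivers the same two interrupts at the wrong instruction boundaries. It consumes the log without error, yet ends with a different IRQSUM, and the per-event register comparison flags the mismatch at the very first event; this is why the log must name the instruction at which each interrupt occurred, and why comparing registers at every system call and interrupt is a cheap, immediate divergence detector.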
Experiment Workload
• POV-Ray raytracer: CPU-intensive
• Kernel build (Linux 2.4.18): make clean; make dep; make bzImage
• NFS kernel build: the same build with the kernel source stored on an NFS server
• SPECweb99: benchmark that measures web server performance
• Daily use test: 24 hours of ordinary desktop use
Virtualization Overhead
• UMLinux adds very little overhead for compute-intensive applications such as POV-Ray.
• The overheads for the other three workloads (kernel build, NFS kernel build, SPECweb99) are higher because they issue more guest kernel calls, each of which must be trapped by the VMM kernel module and reflected back to the guest kernel by sending a signal (SIGUSR1).
• The overhead is low enough for normal desktop use.
Logging and Replaying Overhead
• The time overhead of logging is small (at most 8%).
• The log growth rate is higher for the workloads that receive network traffic, because every incoming packet must be logged.
• Replay has no perceptible time overhead relative to running without logging.
• Replay is sometimes much faster than the original run, because it skips over periods of idle time.