ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay

OSDI’2002. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen, Department of Electrical Engineering and Computer Science, University of Michigan. 2006. 11. 29. Yu, Young Jin.

ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay

George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen

Department of Electrical Engineering and Computer Science, University of Michigan

OSDI’2002

2006. 11. 29.

Yu, Young Jin

Questions !

• What is the “ReVirt” ?

• Why does it do so ? The goals ?

• Any Relations with VM?

• Work Correctly ? And Performance ?


Function, Architecture, …

What is the “ReVirt” ?

• Is a Replay Service for Virtual Machines

• ReVirt

– logs enough information to replay an execution of a virtual machine instruction-by-instruction.

– can view the entire state of the system at an arbitrary point in history

• reconstructing an attack

The ReVirt System

• OS-on-OS structure

• VMM => loadable module + some hooks in the kernel

• Moving Services Beneath a Virtual Machine

Questions !

• What is the “ReVirt” ?

• Why does it do so ? The goals ?

• Any Relations with VM?

• Work Correctly ? And Performance ?

Why beneath VM ?

Why Replaying ?

Current Logging System

To solve the two problems

• To improve integrity,

– encapsulates the target system inside a VM, then places the logger beneath this VM.

– ReVirt continues to log the actions of intruders even if they replace the target boot block or the target kernel.

To solve the two problems

• To improve the completeness,

– replay the complete, instruction-by-instruction execution of the VM.

– ReVirt adapts techniques such as checkpointing, logging, and roll-forward recovery.

Questions !

• What is the “ReVirt” ?

• Why does it do so ? The goals ?

• Any Relations with VM?

• Work Correctly ? And Performance ?

Any VM technology ?

UMLinux: Linux on Linux

• Linux ported to run on the ‘Linux’ arch.

– OS-on-OS structure (vs. direct-on-host)

• Guest OS and all applications run within a single host process.

• But the authors were not happy with the original UMLinux.

Original UMLinux vs. Modified UMLinux (figure)

• Use VMM as a kernel module

• Modification to host OS also… (+510 lines)

• UMLinux provides a software analogy to each peripheral device in a normal computer system.

• How to distinguish between system calls issued by a guest application and those issued by a guest kernel ?

System Call Flow

(figure: Guest App. → Guest Kernel → VMM → Host Kernel)

• Guest kernel issues int 0x80, VMM var. == kernel → the host kernel accesses a host device, ...

• Guest application issues int 0x80, VMM var. == user → VMM sends SIGUSR1 to the guest kernel, which emulates the system call

Trusted Computing Base for UMLinux

• TCB for an OS-on-OS structure can be much smaller than the complete host OS.

– VMM restricts the guest kernel to use fewer than 7% of the (host) system calls

– network traffic => mostly processed by the guest OS’s TCP and UDP stacks.

Logging and Replaying UMLinux

• Replaying a process requires logging the non-deterministic events that affect the process’s computation.

– Non-deterministic events

• Time

– We must log the instruction at which the interrupt occurred

• External Input

– keyboard, mouse, or network card

• Logging (similar to syslogd)

– VMM and kernel hooks add log records to a circular buffer in host kernel memory

– user-level daemon (rlogd) consumes the buffer

Questions !

• What is the “ReVirt” ?

• Why does it do so ? The goals ?

• Any Relations with VM?

• Work Correctly ? And Performance ?

• How do we know it’s doing the same thing?

• What’s the overhead of virtualization?

• What’s the overhead of logging?

Experiment Setup

• AMD Athlon 1800+, 256 MB

• Samsung SV4084 IDE Disk

• Linux 2.4.18 guest/host

• VM configured to use 192 MB RAM

Validating ReVirt correctness

• Extensive error checking

– At every system call and virtual interrupt, we log all register values

– and verify that these values are the same during replay
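The two mechanisms on the preceding slides, logging the instruction at which each interrupt lands plus the value of each external input, and checking logged register values during replay, as an added toy model (not the paper's or UMLinux's code). The register machine, its program, and the pseudo-random event mix are all constructed here; `icount` stands in for the hardware instruction/branch counter ReVirt relies on.

```python
# Added example: ReVirt-style record/replay on a constructed register machine.
# Record mode logs (instruction count, event kind, payload, register snapshot);
# replay re-injects each event at the same instruction and, like the paper's
# validation, raises if the register snapshot does not match.
import random
from dataclasses import dataclass, field

PROGRAM_LEN = 20  # instructions executed per run

class ReplayMismatch(Exception):
    """Replay diverged from the recorded run: the log is incomplete or corrupt."""

@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {"r0": 0, "r1": 0, "r2": 0, "r3": 0})
    icount: int = 0  # instruction counter, standing in for the hardware branch counter
    def step(self):           # the deterministic program: count instructions in r0
        self.regs["r0"] += 1
        self.icount += 1
    def interrupt(self):      # interrupt handler: bump r1
        self.regs["r1"] += 100
    def input_byte(self, b):  # device input: latch byte in r2, accumulate in r3
        self.regs["r2"] = b
        self.regs["r3"] += b

def record(seed):
    """Run with real (pseudo-random) non-determinism; return (log, final regs)."""
    rng, m, log = random.Random(seed), Machine(), []
    while m.icount < PROGRAM_LEN:
        if rng.random() < 0.3:  # timer fires before this instruction: log only where
            log.append((m.icount, "irq", None, dict(m.regs)))
            m.interrupt()
        if rng.random() < 0.2:  # a byte arrives from outside the VM: log where and what
            b = rng.randrange(256)
            log.append((m.icount, "input", b, dict(m.regs)))
            m.input_byte(b)
        m.step()
    return log, dict(m.regs)

def replay(log):
    """Re-execute, injecting logged events at their icount and verifying snapshots."""
    m, i = Machine(), 0
    while m.icount < PROGRAM_LEN:
        while i < len(log) and log[i][0] == m.icount:
            icount, kind, payload, snap = log[i]
            if m.regs != snap:
                raise ReplayMismatch(f"state differs at instruction {icount}")
            m.interrupt() if kind == "irq" else m.input_byte(payload)
            i += 1
        m.step()
    return dict(m.regs)
```

Dropping or altering a log record makes the replayed state diverge; the snapshot check reports it at the next logged event, or the final registers differ if no event follows.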

Validating ReVirt correctness

PASSED

Experiment Workload

• POV-Ray raytracer

– CPU-intensive

• Kernel build (Linux 2.4.18)

– make clean; make dep; make bzImage

• NFS Kernel build

– kernel stored on an NFS server

• SPEC Web 99

– benchmark that measures web server performance

• Daily use test: 24hrs

Virtualization Overhead

* UMLinux adds very little overhead for compute-intensive applications.

* The overheads for (2,3,4) are higher because they issue more guest kernel calls, each of which must be trapped by the VMM kernel module and reflected back to the guest kernel by sending a signal (SIGUSR1).

* The overhead is low enough for normal desktop use.

Logging and Replaying Overhead

* The time overhead of logging is small (at most 8%).

* Log growth rate (**) is higher because of the need to log incoming packets

* No perceptible time overhead relative to running without logging

* Sometimes much faster because replay skips over periods of idle time
