DOI: 10.1145/1920261.1920306 (research article)

Cross-layer comprehensive intrusion harm analysis for production workload server systems

Published: 06 December 2010

    Abstract

    Analyzing the harm done by an intrusion to enterprise servers is onerous and error-prone work. Although dynamic taint tracking enables automatic, fine-grained intrusion harm analysis for enterprise servers, the significant runtime overhead it introduces is generally intolerable in a production workload environment. We therefore propose PEDA (Production Environment Damage Analysis), a system that decouples the onerous analysis work from the online execution of the production servers. Once a compromise is detected, the "has-been-infected" execution is analyzed during a high-fidelity replay on a separate instrumentation platform. The replay is implemented on top of heterogeneous virtual machine migration: the servers' online execution runs atop fast hardware-assisted virtual machines (such as Xen, for near-native speed), while the infected execution is replayed atop binary-instrumentation virtual machines (such as QEMU, for the implementation of taint analysis). From the identified intrusion symptoms, PEDA locates the fine-grained taint seed by integrating backward system call dependency tracking with one-step-forward taint information flow auditing. Starting from that taint seed, PEDA applies dynamic taint analysis during the replayed execution. Evaluation demonstrates the efficiency of the PEDA system, with runtime overhead as low as 5%. Real-life intrusion case studies show the comprehensiveness and precision of PEDA's intrusion harm analysis.
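    The backward system call dependency tracking the abstract refers to can be illustrated on a simplified trace. The following is an added example written for this page, not code from the paper or from the PEDA system; it assumes a constructed trace containing only read/write events on files and sockets, treats socket reads as external inputs, and walks backwards from a symptom (a modified file) to the candidate taint seed that forward taint analysis would start from during replay.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Event:
    seq: int    # position in the trace (logical time)
    pid: int
    call: str   # "read" or "write"
    obj: str    # file path or "socket:<peer>"

# Constructed trace (not real data): a server process reads a request from a
# socket and drops a file; a second process reads that file and then modifies
# /etc/passwd; an unrelated log rotator runs in between.
TRACE: List[Event] = [
    Event(1, 100, "read",  "socket:10.0.0.5:4444"),
    Event(2, 100, "write", "/tmp/.x"),
    Event(3, 200, "read",  "/var/log/syslog"),
    Event(4, 300, "read",  "/tmp/.x"),
    Event(5, 300, "write", "/etc/passwd"),
    Event(6, 200, "write", "/var/log/syslog.1"),
]

def backtrack(trace: List[Event], symptom_obj: str, symptom_seq: int
              ) -> Tuple[Set[Event], List[Tuple[int, str, int]]]:
    """Return (seed events, dependency edges) that explain symptom_obj.

    Each edge is (pid, object, seq): "pid wrote object at seq". Seeds are the
    external (socket) reads reached on the backward walk; an empty seed set
    means the symptom is not explained by any external input in the trace.
    """
    seeds: Set[Event] = set()
    edges: List[Tuple[int, str, int]] = []
    worklist: List[Tuple[str, int]] = [(symptom_obj, symptom_seq)]
    seen: Set[Tuple[str, int]] = set()
    while worklist:
        obj, before = worklist.pop()
        if (obj, before) in seen:
            continue
        seen.add((obj, before))
        # Which processes wrote this object at or before the time of interest?
        for w in trace:
            if w.call == "write" and w.obj == obj and w.seq <= before:
                edges.append((w.pid, obj, w.seq))
                # What did that process read before the write? Those objects
                # (or the external input) are the next hop backwards.
                for r in trace:
                    if r.pid == w.pid and r.call == "read" and r.seq < w.seq:
                        if r.obj.startswith("socket:"):
                            seeds.add(r)
                        else:
                            worklist.append((r.obj, r.seq))
    return seeds, edges
```

    Running `backtrack(TRACE, "/etc/passwd", 5)` yields the socket read at sequence 1 as the only seed, with pid 200's log rotation never entering the dependency chain.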



        Published In

        ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
        December 2010
        419 pages
        ISBN:9781450301336
        DOI:10.1145/1920261

        Sponsors

        • ACSA: Applied Computing Security Assoc

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. cross-layer intrusion harm analysis
        2. forward and backward tracking
        3. heterogeneous virtual machine migration


        Conference

        ACSAC '10 (Sponsor: ACSA)

        Acceptance Rates

        Overall Acceptance Rate 104 of 497 submissions, 21%


        Cited By

        • (2017) Enterprise-Level Cyber Situation Awareness. In: Theory and Models for Cyber Situation Awareness, pp. 66-109. DOI: 10.1007/978-3-319-61152-5_4. Online publication date: 7 Jul 2017
        • (2015) A Survey on Hypervisor-Based Monitoring. ACM Computing Surveys 48(1), pp. 1-33. DOI: 10.1145/2775111. Online publication date: 10 Aug 2015
        • (2013) SKRM: Where security techniques talk to each other. 2013 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 163-166. DOI: 10.1109/CogSIMA.2013.6523841. Online publication date: Mar 2013
        • (2012) Gaining Big Picture Awareness through an Interconnected Cross-Layer Situation Knowledge Reference Model. Proceedings of the 2012 International Conference on Cyber Security, pp. 83-92. DOI: 10.1109/CyberSecurity.2012.18. Online publication date: 14 Dec 2012
        • (2012) System-Level Support for Intrusion Recovery. Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 144-163. DOI: 10.1007/978-3-642-37300-8_9. Online publication date: 26 Jul 2012
        • (2012) Assessing the Trustworthiness of Drivers. Proceedings of the 15th International Conference on Research in Attacks, Intrusions, and Defenses, pp. 42-63. DOI: 10.1007/978-3-642-33338-5_3. Online publication date: 12 Sep 2012
        • (2011) LeakProber. Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 75-84. DOI: 10.1145/1943513.1943525. Online publication date: 21 Feb 2011
        • (2011) PEDA. IEEE Transactions on Information Forensics and Security 6(4), pp. 1323-1334. DOI: 10.1109/TIFS.2011.2162062. Online publication date: 1 Dec 2011
