Monday, October 27, 2008

ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay

ReVirt is a system logger that runs the operating system being monitored as a guest inside a virtual machine and does its logging below that OS, in the virtual-machine monitor. Placing the logger there avoids having to trust the integrity of the OS being logged (a compromised guest kernel cannot tamper with the log) and also makes it possible to replay non-deterministic events. ReVirt is implemented as a kernel module in the host OS; using an OS-on-OS virtualization strategy, the authors argue that although attackers may gain control of the guest OS, what they can do to the host OS is severely restricted, since the VMM allows the guest kernel to invoke fewer than 7% of the host's system calls.

To log enough information to replay non-deterministic events, the authors record the timing and content of asynchronous virtual interrupts and the content of external input (keyboard, network, and the like); deterministic instruction execution need not be logged at all, because replay regenerates it. To reduce log volume they suggest cooperative logging: when both endpoints of a network exchange are logged, the receiver records only a reference to the sender's log instead of the data itself. The authors treat the overhead on kernel-intensive workloads (up to 58%) as an acceptable tradeoff for security, but they support the system's usefulness with only one brief case in which ReVirt was used to find and analyze an intrusion.
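To make the log-and-replay idea concrete, here is a small simulation I wrote for this summary; it is example code and not ReVirt's implementation. It assumes a toy deterministic guest whose only sources of non-determinism are asynchronous interrupts (timing and vector unknown in advance) and the bytes returned by a synchronous read (timing deterministic, data not). The instruction count used as the timestamp stands in for the hardware counter, branch count and instruction pointer that ReVirt combines to pin down the exact delivery point of an interrupt.

```python
import hashlib
import random


class Guest:
    """Toy guest machine (constructed for this example). Its state changes
    only through the methods below, so two runs that see the same sequence
    of (instruction count, event) pairs end in exactly the same state."""

    def __init__(self):
        self.icount = 0      # instructions retired; the replay timestamp
        self.acc = 0x1234    # stands in for all guest registers and memory
        self.inbox = b""     # everything the guest has read from outside

    def step(self):
        """Execute one deterministic instruction."""
        self.acc = (self.acc * 1103515245 + self.icount) & 0xFFFFFFFF
        self.icount += 1

    def wants_input(self):
        """Synchronous read: when it happens is deterministic, the data is not."""
        return self.icount > 0 and self.icount % 7 == 0

    def deliver_irq(self, vector):
        """Asynchronous interrupt: both timing and vector are non-deterministic."""
        self.acc ^= (vector * 0x9E3779B1) & 0xFFFFFFFF

    def deliver_input(self, data):
        """External input arrives; only its content must be logged."""
        self.inbox += data
        self.acc = (self.acc + int.from_bytes(data, "big")) & 0xFFFFFFFF

    def digest(self):
        """Fingerprint of the complete guest state."""
        blob = f"{self.icount}:{self.acc}:{self.inbox.hex()}".encode()
        return hashlib.sha256(blob).hexdigest()


def record(rng, n_instr):
    """Logging run: a simulated non-deterministic environment (driven by rng)
    feeds the guest. Returns (final digest, log); each log entry is
    (icount, kind, payload). Deterministic instructions are not logged."""
    g, log = Guest(), []
    while g.icount < n_instr:
        if rng.random() < 0.15:                      # an IRQ arrives "whenever"
            vec = rng.choice([0x20, 0x2B])
            g.deliver_irq(vec)
            log.append((g.icount, "irq", vec))       # timing + vector
        if g.wants_input():
            data = rng.getrandbits(16).to_bytes(2, "big")  # e.g. socket bytes
            g.deliver_input(data)
            log.append((g.icount, "input", data))    # content only
        g.step()
    return g.digest(), log


def replay(log, n_instr):
    """Replay run: no environment at all. Every logged event is re-delivered
    at the instruction count where it was recorded, in log order, so the
    guest retraces the original execution and an analyst can stop anywhere."""
    g, pos = Guest(), 0
    while g.icount < n_instr:
        while pos < len(log) and log[pos][0] == g.icount:
            _, kind, payload = log[pos]
            if kind == "irq":
                g.deliver_irq(payload)
            elif kind == "input":
                g.deliver_input(payload)
            pos += 1
        g.step()
    if pos != len(log):
        raise RuntimeError("unconsumed log entries: replay diverged")
    return g.digest()


if __name__ == "__main__":
    final, log = record(random.Random(7), 200)
    print("events logged:", len(log))
    print("replay matches original:", replay(log, 200) == final)
    # Delivering each interrupt one instruction early breaks the replay,
    # which is why ReVirt must timestamp asynchronous events precisely.
    early = [(max(ic - 1, 0), kind, p) for ic, kind, p in log]
    print("early delivery matches original:", replay(early, 200) == final)
```

The replay consumes only the log, never the environment, which is the property that lets an analyst re-execute an attack offline as many times as needed and inspect guest state at any instruction count. The shifted-log check at the end shows the cost of imprecise timestamps: an interrupt delivered even one instruction off produces a different state.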
