TY - GEN
T1 - Bezoar
T2 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services
AU - De Oliveira, Daniela A.S.
AU - Crandall, Jedidiah R.
AU - Wassermann, Gary
AU - Ye, Shaozhi
AU - Wu, S. Felix
AU - Su, Zhendong
AU - Chong, Frederic T.
PY - 2008
Y1 - 2008
N2 - System availability is difficult for systems to maintain in the face of Internet worms. Large systems have vulnerabilities, and if a system attempts to continue operation after an attack, it may not behave properly. Traditional mechanisms for detecting attacks disrupt service, and current recovery approaches are application-based and cannot guarantee recovery in the face of exploits that corrupt the kernel, involve multiple processes or target multithreaded network services. This paper presents Bezoar, an automated full-system virtual machine-based approach to recover from zero-day control-flow hijacking attacks. Bezoar tracks down the source of network bytes in the system and, after an attack, replays the checkpointed run while ignoring inputs from the malicious source. We evaluated our proof-of-concept prototype on six notorious exploits for Linux and Windows. In all cases, it recovered the full system state and resumed execution. Bezoar incurs low overhead to the virtual machine: less than 1% for the recovery and log components and approximately 1.4X for the memory monitor component that tracks down network bytes, for five SPEC INT 2000 benchmarks.
AB - System availability is difficult for systems to maintain in the face of Internet worms. Large systems have vulnerabilities, and if a system attempts to continue operation after an attack, it may not behave properly. Traditional mechanisms for detecting attacks disrupt service, and current recovery approaches are application-based and cannot guarantee recovery in the face of exploits that corrupt the kernel, involve multiple processes or target multithreaded network services. This paper presents Bezoar, an automated full-system virtual machine-based approach to recover from zero-day control-flow hijacking attacks. Bezoar tracks down the source of network bytes in the system and, after an attack, replays the checkpointed run while ignoring inputs from the malicious source. We evaluated our proof-of-concept prototype on six notorious exploits for Linux and Windows. In all cases, it recovered the full system state and resumed execution. Bezoar incurs low overhead to the virtual machine: less than 1% for the recovery and log components and approximately 1.4X for the memory monitor component that tracks down network bytes, for five SPEC INT 2000 benchmarks.
UR - http://www.scopus.com/inward/record.url?scp=51849133701&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=51849133701&partnerID=8YFLogxK
U2 - 10.1109/NOMS.2008.4575125
DO - 10.1109/NOMS.2008.4575125
M3 - Conference contribution
AN - SCOPUS:51849133701
SN - 9781424420667
T3 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services
SP - 121
EP - 128
BT - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium
Y2 - 7 April 2008 through 11 April 2008
ER -