Bezoar: Automated virtual machine-based full-system recovery from control-flow hijacking attacks
Oliveira, D.
Crandall, J.R.
Wassermann, G.
Shaozhi Ye
Wu, S.F.
Zhendong Su
Chong, F.T.
California Univ., Davis, CA;
This paper appears in: Network Operations and Management Symposium, 2008. NOMS 2008. IEEE
Publication Date: 7-11 April 2008
On page(s): 121-128
Location: Salvador, Bahia,
ISSN: 1542-1201
ISBN: 978-1-4244-2065-0
INSPEC Accession Number: 10178515
Digital Object Identifier: 10.1109/NOMS.2008.4575125
Current Version Published: 2008-08-26
Abstract
System availability is difficult for systems to maintain in the face of Internet worms. Large systems have vulnerabilities, and if a system attempts to continue operation after an attack, it may not behave properly. Traditional mechanisms for detecting attacks disrupt service and current recovery approaches are application-based and cannot guarantee recovery in the face of exploits that corrupt the kernel, involve multiple processes or target multithreaded network services. This paper presents Bezoar, an automated full-system virtual machine-based approach to recover from zero-day control-flow hijacking attacks. Bezoar tracks down the source of network bytes in the system and after an attack, replays the checkpointed run while ignoring inputs from the malicious source. We evaluated our proof-of-concept prototype on six notorious exploits for Linux and Windows. In all cases, it recovered the full system state and resumed execution. Bezoar incurs low overhead to the virtual machine: less than 1% for the recovery and log components and approximately 1.4X for the memory monitor component that tracks down network bytes, for five SPEC INT 2000 benchmarks.
Index
Terms
Available to subscribers and IEEE members.
References
Available to subscribers and IEEE members.
Citing Documents
Available to subscribers and IEEE members.
Cart
