Honeypots mailing list archives

Re: CoVirt


From: George Washington Dunlap III <dunlapg () umich edu>
Date: Tue, 10 Jun 2003 17:07:06 -0400 (EDT)

This was actually our thought too. =)

What ReVirt actually does is to make the VM go through all the same states 
as before.  At this point, as far as we can tell from extensive testing, 
it works completely.  We don't yet have many analysis tools, but we're 
working on them.  If anyone has any suggestions, we'd love the help.

A couple of interesting aspects of ReVirt:
 * The logs aren't in a format that is easy to scan, because they're 
low-level events at the virtual machine (the exact timing of an interrupt, 
the results of a read() system call).  But it allows you to get whatever 
high-level logging information you want ex post facto.
 * Logging / replay is isomorphic to checkpointing.  This has some 
interesting avenues to explore.

A couple of ideas we were kicking around:
 * Set up a study, gathering 'interesting' traces.  It might even be 
possible to sanitize the traces in such a way that they could be used as a 
benchmark for intrusion detection systems.  Currently, IDS systems are 
typically tested on standard data (packet logs, standard security logs, 
etc); the DARPA challenge, for instance.  

While this data has the value of experience behind it, it may not be the
optimal thing to log to find intrusions.  But when some researcher wants
to try looking at some other aspect of the system -- system call pairs, or
stack frames or something -- to test it, they have to build a system and
wait for someone to break in.  Which means that each researcher must 
collect his own data, and unless they happen to log the same data, can't 
compare their detection tools.

Just so you know the state of the project: 
 * Our latest distribution uses UMLinux (now FAUMachine) for our virtual
machine, not Jeff Dike's User-Mode-Linux.  The guest kernel shares the 
address space with the guest process, so the stack is in a different 
place.  We're working on porting our system to UML.
 * The distribution on the website works on Athlons, but may not work
right on your P4, depending on the BIOS.  I have a fix that makes this
robust on the P4 which I haven't posted yet, so if you want to try it out,
e-mail me and I'll make that a priority.
 * Our prototype is not security-hardened at all, so there's some work to 
be done before we can use it without risking "reckless endangerment". =)

Peace,
 -George


On Tue, 10 Jun 2003, Alexander Reelsen wrote:

Hi

http://www.eecs.umich.edu/CoVirt/

This sounds pretty interesting for honeypots and especially for
information gathering. The description:

--- snip ---
ReVirt (part of the CoVirt project) is a complete Linux-on-Linux virtual
machine with replay capability: you can explore the state of the entire
virtual machine at any point in the past.  For example, if you discover
an intruder, you can "go back in time" to see how they broke in, watch
the exploit in progress, and discover what was compromised. The overhead
of virtualization and logging is only 15-30%, even for kernel-intensive
applications.
--- snip ---


MfG/Regards, Alexander



-- 
+-------------------+-----------------------------------------
| dunlapg () umich edu | http://www-personal.umich.edu/~dunlapg 
+-------------------+-----------------------------------------
| They spoke into being the work of their hands
|  From the void of the wire and the wood
| They stood on that stage and they sang and they played
|  And they said that it was good
| They said let there be light
|  Let there be love, let there be music
|       - Andrew Peterson, "Let There Be Light"
+------------------------------------------------------------
| Outlaw Junk Email! Support HR 1748 (www.cauce.org)
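A toy illustration of the record/replay idea George describes above (log only the low-level nondeterministic events such as interrupt timing and read() results, re-execute the guest to recover any higher-level view afterwards, and observe that replaying to step N is the same thing as a checkpoint at N). This is an added example, not ReVirt's code; the Event, GuestVM, record and replay names and the sample event stream are invented for it.

```python
import random
from dataclasses import dataclass

@dataclass
class Event:
    step: int    # guest instruction count at which the event was delivered
    kind: str    # "read" (result of a read() syscall) or "irq" (interrupt)
    value: int   # bytes returned / interrupt vector (constructed sample data)

class GuestVM:
    """Toy guest: its state is a pure function of the nondeterministic events
    it receives; everything else it does is deterministic."""
    def __init__(self):
        self.step, self.acc = 0, 0
        self.trace = []  # high-level view, rebuilt on replay, never logged

    def deliver(self, ev):
        if ev.kind == "read":
            self.acc = (self.acc * 31 + ev.value) % 1000003
        else:
            self.acc ^= ev.value
        self.step = ev.step
        self.trace.append((ev.step, ev.kind, self.acc))

def record(steps, seed):
    """Live run: nondeterminism is sampled (rng stands in for real I/O and
    interrupt timing) and only the low-level event log is kept."""
    rng = random.Random(seed)
    vm, log = GuestVM(), []
    for step in range(1, steps + 1):
        if rng.random() < 0.3:
            kind = "irq" if rng.random() < 0.5 else "read"
            ev = Event(step, kind, rng.randrange(256))
            log.append(ev)
            vm.deliver(ev)
    return vm.acc, log

def replay(log, upto=None, start=None):
    """Drive a fresh guest (or one resumed from a checkpoint) through the
    logged events. Stopping at `upto` gives the state at that step, i.e. a
    checkpoint; the rebuilt trace is the ex-post-facto high-level log."""
    vm = start or GuestVM()
    for ev in log:
        if ev.step <= vm.step:
            continue  # already applied before the checkpoint was taken
        if upto is not None and ev.step > upto:
            break
        vm.deliver(ev)
    return vm
```

The trace list is never written during recording; it exists only because replay re-derives it, which is the point of being able to choose what to log after the fact.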