ExecRecorder: VM-based full-system replay for attack analysis and system recovery

Daniela A.S. De Oliveira, Jedidiah R. Crandall, Gary Wassermann, S. Felix Wu, Zhendong Su, Frederic T. Chong

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

34 Scopus citations

Abstract

Log-based recovery and replay systems are important for system reliability, debugging and postmortem analysis/recovery of malware attacks. These systems must incur low space and performance overhead, provide full-system replay capabilities, and be resilient against attacks. Previous approaches fail to meet these requirements: they replay only a single process, or require changes in the host and guest OS, or do not have a fully-implemented replay component. This paper studies full-system replay for uniprocessors by logging and replaying architectural events. To limit the amount of logged information, we identify architectural nondeterministic events, and encode them compactly. Here we present ExecRecorder, a full-system, VM-based, log and replay framework for post-attack analysis and recovery. ExecRecorder can replay the execution of an entire system by checkpointing the system state and logging architectural nondeterministic events, and imposes low performance overhead (less than 4% on average). In our evaluation its log files grow at about 5.4 GB/hour (arithmetic mean). Thus it is practical to log on the order of hours or days between checkpoints. It can also be integrated naturally with an IDS and a post-attack analysis tool for intrusion analysis and recovery.

Original language: English (US)
Title of host publication: ASID'06
Subtitle of host publication: First Workshop on Architectural and System Support for Improving Software Dependability, in conjunction with ASPLOS 2006
Pages: 66-71
Number of pages: 6
DOIs
State: Published - 2006
Externally published: Yes
Event: ASID'06: 1st Workshop on Architectural and System Support for Improving Software Dependability - San Jose, CA, United States
Duration: Oct 21 2006 → Oct 21 2006

Publication series

Name: ASID'06: 1st Workshop on Architectural and System Support for Improving Software Dependability

Conference

Conference: ASID'06: 1st Workshop on Architectural and System Support for Improving Software Dependability
Country/Territory: United States
City: San Jose, CA
Period: 10/21/06 → 10/21/06

Keywords

  • Malware
  • Recovery
  • Replay
  • Virtual machines
  • Worms

ASJC Scopus subject areas

  • Hardware and Architecture
  • Information Systems
  • Software
