TY - GEN
T1 - ExecRecorder
T2 - ASID'06: 1st Workshop on Architectural and System Support for Improving Software Dependability
AU - De Oliveira, Daniela A.S.
AU - Crandall, Jedidiah R.
AU - Wassermann, Gary
AU - Wu, S. Felix
AU - Su, Zhendong
AU - Chong, Frederic T.
PY - 2006
Y1 - 2006
N2 - Log-based recovery and replay systems are important for system reliability, debugging and postmortem analysis/recovery of malware attacks. These systems must incur low space and performance overhead, provide full-system replay capabilities, and be resilient against attacks. Previous approaches fail to meet these requirements: they replay only a single process, or require changes in the host and guest OS, or do not have a fully implemented replay component. This paper studies full-system replay for uniprocessors by logging and replaying architectural events. To limit the amount of logged information, we identify architectural nondeterministic events and encode them compactly. Here we present ExecRecorder, a full-system, VM-based log-and-replay framework for post-attack analysis and recovery. ExecRecorder can replay the execution of an entire system by checkpointing the system state and logging architectural nondeterministic events, and imposes low performance overhead (less than 4% on average). In our evaluation its log files grow at about 5.4 GB/hour (arithmetic mean). Thus it is practical to log on the order of hours or days between checkpoints. It can also be integrated naturally with an IDS and a post-attack analysis tool for intrusion analysis and recovery.
KW - Malware
KW - Recovery
KW - Replay
KW - Virtual machines
KW - Worms
UR - http://www.scopus.com/inward/record.url?scp=34547167419&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34547167419&partnerID=8YFLogxK
U2 - 10.1145/1181309.1181320
DO - 10.1145/1181309.1181320
M3 - Conference contribution
AN - SCOPUS:34547167419
SN - 1595935762
SN - 9781595935762
T3 - ASID'06: 1st Workshop on Architectural and System Support for Improving Software Dependability
SP - 66
EP - 71
BT - ASID'06
Y2 - 21 October 2006 through 21 October 2006
ER -