The system, known as RETRO, lets administrators specify offending actions, such as a TCP connection or an HTTP request from an adversary, that they want to undo. RETRO then repairs the computer's file system by selectively undoing the offending actions-that is, constructing a new system state, as if the offending actions never took place, but all legitimate actions remained. By selectively undoing the adversary's changes while preserving user data, RETRO makes intrusion recovery more practical, the researchers state in a paper to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation.
"Even if the user diligently makes a complete backup of their system every day, recovering from the attack requires rolling back to the most recent backup before the attack, thereby losing any changes made since then. Since many adversaries go to great lengths to prevent the compromise from being discovered, it can take days or weeks for a user to discover that their machine has been broken into, resulting in a loss of all user work from that period of time," the researchers stated.
According to the MIT researchers, RETRO repairs a desktop or server after an adversary compromises it, by undoing a hacker's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution.
During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects, the researchers stated.
"An important assumption of RETRO is that the attacker does not compromise the kernel. Unfortunately, security vulnerabilities are periodically discovered in the Linux kernel [5, 6], making this assumption potentially dangerous. One solution may be to use virtual machine based techniques, although it is difficult to distinguish kernel objects after a kernel compromise. We plan to explore ways of reducing trust in future work," the researchers added.
Follow Michael Cooney on Twitter: nwwlayer8
Layer 8 Extra
Check out these other hot stories: