
Network World

Michael Cooney

MIT researchers tout network intrusion recovery system

MIT researchers say RETRO will make recovery from system hacks easier

By Layer 8 on Wed, 09/29/10 - 12:40pm.

MIT Computer Science and Artificial Intelligence Laboratory researchers will next week detail a system they say will make it easier for companies to recover from nasty security intrusions.

The system, known as RETRO, lets administrators specify offending actions, such as a TCP connection or an HTTP request from an adversary, that they want to undo. RETRO then repairs the computer's file system by selectively undoing the offending actions, that is, constructing a new system state as if the offending actions never took place, but all legitimate actions remained. By selectively undoing the adversary's changes while preserving user data, RETRO makes intrusion recovery more practical, the researchers state in a paper to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation.


"Even if the user diligently makes a complete backup of their system every day, recovering from the attack requires rolling back to the most recent backup before the attack, thereby losing any changes made since then. Since many adversaries go to great lengths to prevent the compromise from being discovered, it can take days or weeks for a user to discover that their machine has been broken into, resulting in a loss of all user work from that period of time," the researchers stated.

According to the MIT researchers, RETRO repairs a desktop or server after an adversary compromises it, by undoing a hacker's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution.

During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects, the researchers stated.

"An important assumption of RETRO is that the attacker does not compromise the kernel. Unfortunately, security vulnerabilities are periodically discovered in the Linux kernel [5, 6], making this assumption potentially dangerous. One solution may be to use virtual machine based techniques, although it is difficult to distinguish kernel objects after a kernel compromise. We plan to explore ways of reducing trust in future work," the researchers added.

Follow Michael Cooney on Twitter: nwwlayer8  


About Layer 8
Layer 8 is written by Michael Cooney, an online news editor with Network World