MIT researchers tout network intrusion recovery system

MIT researchers say RETRO will make recovery from system hacks easier

MIT Computer Science and Artificial Intelligence Laboratory researchers will next week detail a system they say will make it easier for companies to recover from nasty security intrusions.

The system, known as RETRO, lets administrators specify offending actions, such as a TCP connection or an HTTP request from an adversary, that they want to undo. RETRO then repairs the computer's file system by selectively undoing the offending actions, that is, constructing a new system state as if the offending actions never took place while all legitimate actions remained. By selectively undoing the adversary's changes while preserving user data, RETRO makes intrusion recovery more practical, the researchers state in a paper to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation.

"Even if the user diligently makes a complete backup of their system every day, recovering from the attack requires rolling back to the most recent backup before the attack, thereby losing any changes made since then. Since many adversaries go to great lengths to prevent the compromise from being discovered, it can take days or weeks for a user to discover that their machine has been broken into, resulting in a loss of all user work from that period of time," the researchers stated.

According to the MIT researchers, RETRO repairs a desktop or server after an adversary compromises it, by undoing a hacker's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution.

During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then re-executing legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects, the researchers stated.
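The rollback-and-selective-re-execution idea described above, as a toy Python model added here for illustration (it is not the MIT RETRO code, and the file names and actions in the scenario are constructed): a history log records what each action read and wrote, repair drops the offending action, and a legitimate action is re-executed only if its recorded inputs actually changed.

```python
"""Toy model of RETRO-style repair (added illustration, not the MIT code): the
log records each action's inputs and outputs; repair skips the offending action
and re-executes only legitimate actions whose inputs changed."""
from typing import Callable, Dict, List, Set

State = Dict[str, str]                     # object name -> contents

class Action:
    def __init__(self, name: str, reads: Set[str], run: Callable[[State], State]):
        self.name, self.reads, self.run = name, reads, run
        self.seen_inputs: State = {}       # input values at record time
        self.outputs: State = {}           # objects written, as recorded

class History:
    def __init__(self) -> None:           # normal operation: build the dependency log
        self.state: State = {}
        self.log: List[Action] = []

    def execute(self, act: Action) -> None:
        act.seen_inputs = {k: self.state.get(k, "") for k in act.reads}
        act.outputs = act.run(self.state)
        self.state.update(act.outputs)
        self.log.append(act)

    def repair(self, offending: str) -> List[str]:
        """Rebuild state as if `offending` never ran; return names re-executed."""
        new_state: State = {}
        reexecuted: List[str] = []
        for act in self.log:
            if act.name == offending:      # roll back direct effects: skip it
                continue
            inputs_now = {k: new_state.get(k, "") for k in act.reads}
            if inputs_now != act.seen_inputs:    # predicate: semantically affected?
                act.outputs = act.run(new_state)  # indirect effect: re-execute
                act.seen_inputs = inputs_now
                reexecuted.append(act.name)
            new_state.update(act.outputs)  # unaffected actions replay from the log
        self.state = new_state
        return reexecuted

def append(path: str, line: str) -> Callable[[State], State]:
    return lambda s: {path: s.get(path, "") + line}

def demo():
    """Constructed scenario: attacker edits a config, admin edits it afterwards."""
    h = History()
    h.execute(Action("edit_notes", set(), append("notes.txt", "meeting at 10\n")))
    h.execute(Action("attacker_edit", set(), append("/etc/app.conf", "debug=on\n")))
    h.execute(Action("admin_set_port", {"/etc/app.conf"}, append("/etc/app.conf", "port=8080\n")))
    h.execute(Action("summarize", {"notes.txt"}, lambda s: {"summary.txt": s["notes.txt"].upper()}))
    reexecuted = h.repair("attacker_edit")
    return h.state, reexecuted
```

Only `admin_set_port` is re-run, because it read the tampered file; the notes edit and its summary are replayed untouched.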

"An important assumption of RETRO is that the attacker does not compromise the kernel. Unfortunately, security vulnerabilities are periodically discovered in the Linux kernel [5, 6], making this assumption potentially dangerous. One solution may be to use virtual machine based techniques, although it is difficult to distinguish kernel objects after a kernel compromise. We plan to explore ways of reducing trust in future work," the researchers added.

Follow Michael Cooney on Twitter: nwwlayer8  

Copyright © 2010 IDG Communications, Inc.