
Turning back the clock

Jul 08, 2004

Professor proposes a better log to replay computer events

Many readers already know about the new Automated System Recovery feature of Windows XP. The system keeps a log file with records of all changes to disk at specified times or after specified events. The log files enable you, in theory, to revert to a previous state of your hard disk(s), thus reversing the effects of bad installations, harmful software, or some kinds of hardware accidents.

Wouldn’t it be wonderful to be able to log more than a static copy of your hard disk at specified times so that you could actually replay events? Such functionality would be invaluable in forensic investigations of attacks on systems or in analyzing accidents causing harm to data or configuration. Knowing the details of such changes could greatly improve the chances of correcting the damage and developing methods for fighting similar attacks.

Professor Peter Chen of the Advanced Computer Architecture Laboratory at the University of Michigan has proposed using a virtual machine called ReVirt to log all significant events to disk, permitting not only reversion to any given point in time, but also replay of the events in a computer attack. Chen estimates that a 100G-byte hard disk could easily store several months’ worth of log files with minimal overhead. Chen and his colleagues published an article whose abstract is as follows:

“Current system loggers have two problems: they depend on the integrity of the operating system being logged, and they do not save sufficient information to replay and analyze attacks that include any non-deterministic events. ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine. This allows ReVirt to replay the system’s execution before, during, and after an intruder compromises the system, even if the intruder replaces the target operating system. ReVirt logs enough information to replay a long-term execution of the virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions. ReVirt adds reasonable time and space overhead. Overheads due to virtualization are imperceptible for interactive use and CPU-bound workloads, and 13 – 58% for kernel-intensive workloads. Logging adds 0 – 8% overhead, and logging traffic for our workloads can be stored on a single disk for several months.”

(Full text in PDF available free for ACM Digital Library subscribers or by online purchase, for $5.)
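To make concrete what "logging enough information to replay ... instruction-by-instruction" means in the abstract above, here is a toy record-and-replay illustration added for this column; it is not code from Chen's group or from ReVirt. It assumes a made-up five-instruction machine whose only non-deterministic events are device reads and an asynchronous interrupt, and it shows why each logged event must carry the instruction count at which it occurred: the same interrupt delivered one instruction later produces a different final state.

```python
import random
# Constructed toy program for a machine with registers a, b, h. Its non-determinism:
# INPUT (a device read) and an async interrupt whose handler adds a to h (timing matters).
PROGRAM = [("input", "a"), ("add", "b", "a"),
           ("input", "a"), ("add", "b", "a"), ("halt",)]

def execute(program, source):
    """Run program; `source` answers every non-deterministic question:
    irq(n) -> was an interrupt delivered before instruction n?
    read(n) -> what did the device return at instruction n?"""
    regs = {"a": 0, "b": 0, "h": 0}
    pc, n = 0, 0                  # n = instruction count, the replay clock
    while program[pc][0] != "halt":
        if source.irq(n):         # interrupt handler
            regs["h"] += regs["a"]
        op = program[pc]
        if op[0] == "input":
            regs[op[1]] = source.read(n)
        elif op[0] == "add":
            regs[op[1]] += regs[op[2]]
        pc, n = pc + 1, n + 1
    return regs

class Recorder:
    """Live run: a seeded RNG stands in for devices and timers; every event is
    logged with the instruction count at which it hit the machine."""
    def __init__(self, rng):
        self.rng, self.log = rng, []
    def irq(self, n):
        fired = self.rng.random() < 0.5
        if fired:
            self.log.append((n, "irq", None))
        return fired
    def read(self, n):
        value = self.rng.randrange(1, 100)
        self.log.append((n, "read", value))
        return value

class Replayer:
    """Replay run: answer only from the log, keyed by instruction count."""
    def __init__(self, log):
        self.events = {(n, kind): v for n, kind, v in log}
    def irq(self, n):
        return (n, "irq") in self.events
    def read(self, n):
        return self.events[(n, "read")]

def record_and_replay(seed):
    rec = Recorder(random.Random(seed))
    return execute(PROGRAM, rec), execute(PROGRAM, Replayer(rec.log)), rec.log
```

The live run and the replay from its log end in identical registers, and replaying the same log a second time gives the same answer again, which is the property an investigator relies on when stepping through a compromise after the fact.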

I am looking forward to hearing more about Professor Chen’s work and hope that it will lead to products that we will be able to use easily and well in analyzing and defending against damage to our systems.