Old idea retooled for security
Technology Research News
One of the big challenges in computer security
is securing the operating system, which coordinates a computer's peripherals
and all the other software a computer runs. This is important because
operating systems like Windows and Linux have access at the lowest, or
most fundamental level, to everything else the computer runs.
Research teams from the University of Michigan and Stanford University
are attacking the problem in different ways.
The University of Michigan researchers have proposed a scheme
that puts logging software in a protected place where the operating system
cannot access it. Logging software records computer interactions and can
replay and reverse them.
Meanwhile, Stanford University researchers have designed an operating
system architecture that uses a protected monitoring mechanism to provide
a guarantee that the operating system is executing only the instructions
it is supposed to.
Both schemes tap the decades-old concept of a virtual machine
-- a piece of software that emulates a physical machine -- to isolate
security software from the operating system.
Virtual machines use a layer of software, a virtual machine monitor,
that resides between a computer's hardware and its operating system in
order to shield the operating system from unauthorized access and to prevent
the operating system from directly controlling the hardware. The virtual
machine monitor generates a virtual machine, which looks to the operating
system like an actual computer. The virtual machine can look to the operating
system like the real computer it is running on, like a different computer,
or like a generic abstraction.
The University of Michigan scheme runs the operating system and
applications on a virtual machine, enabling a protected layer of logging
software to reside at a lower level than the virtual machine. The virtual
machine layer isolates the logging software, making it impossible for
an intruder to turn it off.
"We run the existing software inside a virtual machine," said
Peter Chen, an associate professor of electrical engineering and computer
science at the University of Michigan. "If an intrusion occurs within
the target operating system or applications, the virtual machine layer
isolates this intrusion and prevents it from interfering with the logging
functionality," he said.
The researchers used a modified version of logging software that
was originally designed to give computers fault tolerance by reversing interactions,
and optimized it for analyzing intrusions. The software enables the researchers
to replay all interactions with the virtual machine. With the logging
functionality intact, "we can replay the intrusion and any damage the
intruder did," said Chen.
The challenge was finding a way to re-create the precise sequence
of instructions, which is not possible using some logging strategies,
said Chen. "x86 processors are complex enough that it is difficult to
track down all sources of non-determinism," he said.
The logging software captures enough information "that we can
replay the exact, instruction-by-instruction sequence of the virtual machine,"
including non-deterministic conditions like encryption key generation, said Chen.
In re-creating a computer session, the logging software causes
"your mouse cursor [to] move around, your windows and menus to appear
and disappear, your programs to take input and run, all exactly as it
happened during the original run," said Chen.
This enables computer forensics, or the ability to analyze the
computer to figure out what happened, said Chen. "An intruder can at most
obfuscate her actions; she can't stop us from recording them and analyzing
them later," he said.
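The record-and-replay idea behind ReVirt, as an added illustration that is not the researchers' code: a constructed toy machine whose only non-deterministic inputs are entropy reads and asynchronously arriving interrupts. Recording logs each entropy value and the instruction count at which each interrupt was delivered; replaying from that log reproduces the identical instruction-by-instruction trace, which is what makes the later forensic analysis possible.

```python
import random

# Constructed toy VM with two registers. Two sources of non-determinism:
# RAND (a hardware entropy read, e.g. for key generation) and interrupts
# that may arrive between any two instructions. The log records exactly
# what replay needs: every RAND value, and the instruction count at which
# each interrupt was delivered.

def run(program, record=None, replay=None):
    """Execute program. With record= (a dict), log non-determinism into it;
    with replay= (such a dict), feed it back in. Returns the trace."""
    rng = random.SystemRandom()
    regs = {"a": 0, "b": 0}
    trace, pc, icount = [], 0, 0
    if replay is not None:
        rand_vals = iter(replay["rand"])
        irq_points = iter(replay["irq"])
        next_irq = next(irq_points, None)
    elif record is None:
        record = {"rand": [], "irq": []}
    while pc < len(program):
        # Interrupt delivery: arbitrary timing when recording, logged timing on replay.
        if replay is None:
            fire = rng.random() < 0.3
            if fire:
                record["irq"].append(icount)
        else:
            fire = (next_irq == icount)
            if fire:
                next_irq = next(irq_points, None)
        if fire:
            regs["b"] += 1                      # handler's visible side effect
            trace.append((icount, "IRQ", dict(regs)))
        op, *args = program[pc]
        if op == "RAND":
            v = rng.randrange(256) if replay is None else next(rand_vals)
            if replay is None:
                record["rand"].append(v)
            regs[args[0]] = v
        elif op == "ADD":
            regs[args[0]] += regs[args[1]]
        elif op == "JODD" and regs[args[0]] % 2 == 1:   # control flow depends on RAND
            pc, icount = args[1], icount + 1
            trace.append((icount, op, dict(regs)))
            continue
        pc, icount = pc + 1, icount + 1
        trace.append((icount, op, dict(regs)))
    return trace

PROGRAM = [("RAND", "a"), ("JODD", "a", 3), ("ADD", "b", "a"),
           ("RAND", "a"), ("ADD", "a", "b")]

def record_and_replay(program=PROGRAM):
    """Record one run, replay it from the log, return both traces and the log."""
    log = {"rand": [], "irq": []}
    return run(program, record=log), run(program, replay=log), log
```

Each call to record_and_replay produces a different original run, yet the replayed trace always matches it exactly; a real system must likewise log every source of non-determinism, which is the hard part Chen describes.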
The system, dubbed ReVirt, is fairly efficient, said Chen. Running
a system as a virtual machine causes about a 30 percent slowdown, and
logging takes a few more percent of resources, he said. It also uses about
a gigabyte of space.
The University of Michigan researchers are working to build "higher-level
forensic tools" that take advantage of having the complete information
from a computer run, said Chen.
The system could eventually be used by agencies like the FBI and
CIA to deal with insider threats, said Chen. "If one of their agents turns
out to be a spy, ReVirt could reveal everything that the spy did on that
computer," he said.
The Stanford University team's scheme stresses the concept of high
assurance -- a guarantee that programs will be run in a standard way --
and uses a virtual machine monitor to provide it.
The scheme, trusted virtual machine monitor (T-VMM), combines
virtual machines with the notion of attestation.
Attestation is a well-established authentication scheme that allows
application programs, operating systems and hardware devices to attest
their identities to each other through a trusted third party. This assures
that only allowed software has access to the computer and only allowed
network and storage communications have access to the operating system.
T-VMM could be used to extend network firewalls to remote computers.
A distributed firewall would be considerably more secure than regulating
remote access because the firewall could prevent unauthorized communications
from remote computers from getting onto the network at all, according
to the Stanford researchers. The scheme could also be used to limit the
amount of network traffic a computer can generate in order to keep compromised
computers from contributing to distributed denial of service attacks.
The scheme solves a problem posed by network surveillance software
increasingly used by law enforcement, according to the researchers. The
software is examined by a group of experts who certify that the software
does not exceed its legal boundaries. This method does not guarantee,
however, that the software the experts see is the same that is deployed
in the field. In contrast, trusted platforms can prove to a third party
that the software installed on a device is the authorized software, according
to the researchers.
The University of Michigan's ReVirt could be used in practical
applications in three to six years, said Chen.
Chen's research colleagues were Samuel T. King and George W. Dunlap.
The work was presented at the 2003 Usenix Technical Conference in San
Antonio, Texas on June 9 to 14, 2003. The research was funded by the
National Science Foundation (NSF) and Intel Corporation.
The Stanford University research was carried out by Tal Garfinkel,
Mendel Rosenblum and Dan Boneh and was presented at the Usenix 9th Workshop
on Hot Topics in Operating Systems at Lihue, Hawaii on May 18 to 21, 2003.
The work was funded by the National Science Foundation and the Packard
Timeline: 3-6 years
Funding: Corporate, Government
TRN Categories: Cryptography and Security; Databases and
Information Retrieval; Operating Systems
Story Type: News
Related Elements: Technical paper from Michigan State University,
"Operating System Support for Virtual Machines," proceedings of the 2003
Usenix Technical Conference, San Antonio, Texas, June 9-14 and posted
at http://www.usenix.org/events/usenix03/tech/king.html; Technical paper
from Stanford University, "Flexible OS Support and Applications for Trusted
Computing," presented at the Usenix 9th Workshop on Hot Topics in Operating
Systems, Lihue, Hawaii, May 18-21, 2003 and posted at http://www.usenix.org/events/hotos03/tech/garfinkel.html.
October 8/15, 2003