Abstract
Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any user data depend on malicious inputs? Can I still trust my own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, we describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity both in memory and on disk in a modified version of QEMU. Using taint analysis, DiskDuster also tracks all bytes written by the malcode, to provide a detailed view on what (bytes in) files derive from malicious data. Next, it uses this information to remove malicious actions at recovery time.
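To make the byte-level idea in the abstract concrete, here is an added toy model written for this page (not DiskDuster's code, which lives inside a modified QEMU): a disk with a parallel per-byte taint map, where every write carries the taint of the memory it came from, so a benign program that copies malicious bytes keeps them tainted, and recovery undoes only the tainted bytes while leaving benign bytes in the same file intact. The scenario data and the `TaintedDisk` class are constructed for illustration.

```python
CLEAN, TAINTED = 0, 1


class TaintedDisk:
    """Constructed toy model (not DiskDuster's code): a byte array, a parallel
    per-byte taint map, and the last clean value of every byte that became
    tainted, so recovery can undo exactly the bytes that derive from malcode."""

    def __init__(self, size):
        self.data = bytearray(size)
        self.taint = [CLEAN] * size
        self.last_clean = {}  # offset -> value the byte had before it got tainted

    def read(self, offset, length):
        """Reads return data with its taint, so a benign program that copies
        malicious bytes propagates the taint rather than laundering it."""
        end = offset + length
        return bytes(self.data[offset:end]), list(self.taint[offset:end])

    def write(self, offset, buf, buf_taint):
        """Each written byte carries the taint of the memory byte it came from."""
        for i, (byte, t) in enumerate(zip(buf, buf_taint)):
            pos = offset + i
            if t == TAINTED and self.taint[pos] == CLEAN:
                self.last_clean[pos] = self.data[pos]  # remember the clean value
            elif t == CLEAN:
                self.last_clean.pop(pos, None)  # benign overwrite: nothing left to undo
            self.data[pos], self.taint[pos] = byte, t

    def recover(self):
        """Restore every tainted byte to its last clean value; benign bytes in the
        same file are left untouched. Returns the number of bytes restored."""
        for pos, old in self.last_clean.items():
            self.data[pos], self.taint[pos] = old, CLEAN
        restored = len(self.last_clean)
        self.last_clean.clear()
        return restored


def demo():
    """Constructed scenario mixing benign and malicious writes to one file."""
    disk = TaintedDisk(32)
    disk.write(0, b"hello world", [CLEAN] * 11)  # benign editor saves a document
    disk.write(11, b"<evil>", [TAINTED] * 6)     # malcode appends a payload
    buf, taint = disk.read(0, 17)
    disk.write(17, buf[6:], taint[6:])           # benign backup copies the tail: taint follows
    disk.write(11, b"!", [CLEAN])                # user overwrites one malicious byte by hand
    restored = disk.recover()
    return restored, bytes(disk.data), all(t == CLEAN for t in disk.taint)
```

After recovery the document keeps the user's own edits and the benign copy keeps its clean bytes, while every byte that derived from the malicious payload, including the copied ones, is rolled back.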
© 2013 Springer-Verlag Berlin Heidelberg
Bacs, A., Vermeulen, R., Slowinska, A., Bos, H. (2013). System-Level Support for Intrusion Recovery. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_9
DOI: https://doi.org/10.1007/978-3-642-37300-8_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37299-5
Online ISBN: 978-3-642-37300-8