The Taser intrusion recovery system

DOI: 10.1145/1095810.1095826

Published: 20 October 2005

Abstract

Recovery from intrusions is typically a very time-consuming operation in current systems. At a time when the cost of human resources dominates the cost of computing resources, we argue that next generation systems should be built with automated intrusion recovery as a primary goal. In this paper, we describe the design of Taser, a system that helps in selectively recovering legitimate file-system data after an attack or local damage occurs. Taser reverts tainted, i.e. attack-dependent, file-system operations but preserves legitimate operations. This process is difficult for two reasons. First, the set of tainted operations is not known precisely. Second, the recovery process can cause conflicts when legitimate operations depend on tainted operations. Taser provides several analysis policies that aid in determining the set of tainted operations. To handle conflicts, Taser uses automated resolution policies that isolate the tainted operations. Our evaluation shows that Taser is effective in recovering from a wide range of intrusions as well as damage caused by system management errors.



Published In

SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles
October 2005
259 pages
ISBN:1595930795
DOI:10.1145/1095810
Also published in ACM SIGOPS Operating Systems Review, Volume 39, Issue 5 (SOSP '05)
December 2005
290 pages
ISSN:0163-5980
DOI:10.1145/1095809
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. file systems
  2. intrusion analysis
  3. intrusion recovery
  4. snapshots

Conference

SOSP '05

Acceptance Rates

Overall Acceptance Rate 174 of 961 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 25
  • Downloads (last 6 weeks): 4

Reflects downloads up to 17 Feb 2025

Cited By

  • (2025) FineGCP: Fine-grained dependency graph community partitioning for attack investigation. Computers & Security 151, article 104311. DOI 10.1016/j.cose.2024.104311. Online publication date: Apr-2025
  • (2024) ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1620-1632. DOI 10.1145/3691620.3695530. Online publication date: 27-Oct-2024
  • (2024) Context-Aware Intrusion Detection in Industrial Control Systems. Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, pages 1-7. DOI 10.1145/3689930.3695212. Online publication date: 20-Nov-2024
  • (2024) LTA: Control-Driven UAV Testing and Bug Localization with Flight Record Decomposition. Proceedings of the 22nd ACM Conference on Embedded Networked Sensor Systems, pages 450-463. DOI 10.1145/3666025.3699350. Online publication date: 4-Nov-2024
  • (2024) A PT-based approach to construct efficient provenance graph for threat alert investigation. ITM Web of Conferences 60, article 00016. DOI 10.1051/itmconf/20246000016. Online publication date: 9-Jan-2024
  • (2023) Sanare: Pluggable Intrusion Recovery for Web Applications. IEEE Transactions on Dependable and Secure Computing 20(1):590-605. DOI 10.1109/TDSC.2021.3139472. Online publication date: 1-Jan-2023
  • (2023) MIRES: Intrusion Recovery for Applications Based on Backend-As-a-Service. IEEE Transactions on Cloud Computing 11(2):2011-2027. DOI 10.1109/TCC.2022.3178982. Online publication date: 1-Apr-2023
  • (2023) μVerum: Intrusion Recovery for Microservice Applications. IEEE Access 11:78457-78470. DOI 10.1109/ACCESS.2023.3298113. Online publication date: 2023
  • (2022) A Survey of Host-Based Advanced Persistent Threat Detection Technology. Computer Science and Application 12(01):233-251. DOI 10.12677/CSA.2022.121024. Online publication date: 2022
  • (2022) System-Auditing, Data Analysis and Characteristics of Cyber Attacks for Big Data Systems. Proceedings of the 31st ACM International Conference on Information & Knowledge Management, pages 4872-4876. DOI 10.1145/3511808.3557185. Online publication date: 17-Oct-2022
