Execution replay for intrusion analysis.

dc.contributor.author: Dunlap, George Washington, III
dc.contributor.advisor: Chen, Peter M.
dc.date.accessioned: 2016-08-30T16:08:49Z
dc.date.available: 2016-08-30T16:08:49Z
dc.date.issued: 2006
dc.identifier.uri: http://gateway.proquest.com/openurl?url_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation&res_dat=xri:pqm&rft_dat=xri:pqdiss:3237947
dc.identifier.uri: https://hdl.handle.net/2027.42/126140
dc.description.abstract: Computer intrusions are inevitable. When an intrusion happens, forensic analysis is critical to understanding the attack. An administrator needs to determine how the attacker broke in, what the attacker changed, and what privileged information the attacker may have seen. Unfortunately, current security logging systems are incomplete, leaving large gaps in the knowledge of what happened. Execution replay is a practical way to add completeness to forensic logging.

To show this, we describe ReVirt, a virtual machine execution replay system capable of security-grade logging. ReVirt can reconstruct the entire past state of the system at any point in time, including memory and disk, and can re-execute it. This enables security tools built on ReVirt to gather arbitrarily detailed information about the system before, during, and after an attack. ReVirt adds 0-12% runtime overhead during logging, and a single 100 GB disk can log continuously for weeks to years.

We also describe SMP-ReVirt, an execution replay system that can log and replay multiprocessor virtual machines. Races between the processors are detected using a concurrent-read, exclusive-write (CREW) protocol enforced with hardware page protections, transparently to the virtual machine. This is the first execution replay system to log and replay a multiprocessor kernel outside of simulation. Performance depends heavily on the sharing rate of the workload: some parallel applications run with overhead around 1%, while others run an order of magnitude slower with logging enabled. Logging rates likewise depend on sharing rates: a 300 GB disk can log workloads with low sharing rates for several years, and can log workloads with very high sharing rates for several days.
dc.format.extent: 110 p.
dc.language: English
dc.language.iso: EN
dc.subject: Analysis
dc.subject: Computer Security
dc.subject: Execution Replay
dc.subject: Intrusion
dc.title: Execution replay for intrusion analysis.
dc.type: Thesis
dc.description.thesisdegreename: PhD
dc.description.thesisdegreediscipline: Applied Sciences
dc.description.thesisdegreediscipline: Computer science
dc.description.thesisdegreegrantor: University of Michigan, Horace H. Rackham School of Graduate Studies
dc.description.bitstreamurl: http://deepblue.lib.umich.edu/bitstream/2027.42/126140/2/3237947.pdf
dc.owningcollname: Dissertations and Theses (Ph.D. and Master's)
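The abstract says SMP-ReVirt makes multiprocessor replay possible by enforcing a CREW (concurrent-read, exclusive-write) protocol on guest pages and logging the points at which ownership changes hands. The following toy model is an added illustration of that idea, written for this record; it is not code from the dissertation or from ReVirt. It assumes a simplified world: a CPU's "instruction count" is just the number of memory accesses it has made, and the page faults that the real system takes on protected pages are modelled as explicit `access()` calls. Each log entry records that one CPU's n-th access had to wait until another CPU had completed m accesses; replay honours only those entries and is otherwise free to schedule the CPUs differently, yet every read returns the value it returned in the original run. The constructed workload at the bottom shows both the successful replay and what goes wrong when the log is dropped.

```python
"""Toy model of the concurrent-read, exclusive-write (CREW) page-ownership
protocol described in the abstract.  Added illustration, not the
dissertation's code.  Assumptions: an "instruction count" is simply the
number of memory accesses a CPU has performed, and the page faults the real
system takes on protected pages are modelled as explicit access() calls."""
from collections import defaultdict


class CrewLogger:
    """Per-page ownership state plus the replay log.  An entry is logged only
    when one CPU's access forces another CPU's rights on the page to be
    reduced; that is the only event whose ordering replay must reproduce."""

    def __init__(self):
        self.readers = defaultdict(set)  # page -> CPUs holding shared read
        self.writer = {}                 # page -> CPU holding exclusive write
        self.count = defaultdict(int)    # per-CPU instruction count
        # (cpu, n, other, m): cpu's n-th access must wait until `other`
        # has completed m accesses.
        self.log = []

    def access(self, cpu, page, op):
        self.count[cpu] += 1
        deps = set()
        holder = self.writer.get(page)
        if holder is not None and holder != cpu:
            # Downgrade the exclusive writer to a reader; the new access
            # depends on everything the writer did up to this point.
            deps.add(holder)
            del self.writer[page]
            self.readers[page].add(holder)
        if op == "w":
            # A write depends on every other concurrent reader being done.
            deps.update(r for r in self.readers[page] if r != cpu)
            self.readers[page].clear()
            self.writer[page] = cpu
        elif self.writer.get(page) != cpu:
            self.readers[page].add(cpu)  # concurrent reads need no log entry
        for other in deps:
            self.log.append((cpu, self.count[cpu], other, self.count[other]))
        return deps


def run(programs, schedule):
    """Original run: execute `programs` (cpu -> [(page, op, value)]) in the
    interleaving `schedule` (list of CPU ids) while logging ownership
    changes.  Returns (log, values read per CPU)."""
    crew, mem = CrewLogger(), defaultdict(int)
    pc, seen = defaultdict(int), defaultdict(list)
    for cpu in schedule:
        page, op, val = programs[cpu][pc[cpu]]
        pc[cpu] += 1
        crew.access(cpu, page, op)
        if op == "w":
            mem[page] = val
        else:
            seen[cpu].append(mem[page])
    return crew.log, dict(seen)


def replay(programs, log, preference):
    """Replay under a different scheduler (`preference` is the order in which
    the scheduler tries CPUs) while honouring only the logged constraints.
    Raises if no CPU can make progress, i.e. the log is inconsistent."""
    waits = defaultdict(list)
    for cpu, n, other, m in log:
        waits[(cpu, n)].append((other, m))
    mem, done, seen = defaultdict(int), defaultdict(int), defaultdict(list)
    pending = {c for c in programs if programs[c]}
    while pending:
        for cpu in preference:
            n = done[cpu] + 1
            if cpu not in pending or any(done[o] < m for o, m in waits[(cpu, n)]):
                continue
            page, op, val = programs[cpu][done[cpu]]
            if op == "w":
                mem[page] = val
            else:
                seen[cpu].append(mem[page])
            done[cpu] = n
            if n == len(programs[cpu]):
                pending.discard(cpu)
            break
        else:
            raise RuntimeError("replay deadlocked: log is inconsistent")
    return dict(seen)


# Constructed workload (hypothetical): two CPUs racing on pages P and Q.
PROGRAMS = {
    "A": [("P", "w", 1), ("Q", "r", None), ("P", "w", 2)],
    "B": [("P", "r", None), ("Q", "w", 7), ("P", "r", None)],
}
ORIGINAL_SCHEDULE = ["A", "B", "A", "B", "A", "B"]

if __name__ == "__main__":
    log, seen = run(PROGRAMS, ORIGINAL_SCHEDULE)
    print("log:", log)
    print("original reads:", seen)
    print("replay, B scheduled first:", replay(PROGRAMS, log, ["B", "A"]))
    print("replay without the log:", replay(PROGRAMS, [], ["B", "A"]))
```

The point to notice is what the log does not contain: the two CPUs' reads of a page they share read-only generate no entries at all, which is why the abstract can say that logging cost tracks the sharing rate rather than the instruction rate. The real system derives the per-CPU counts from hardware instruction or branch counters plus the program counter, and takes the ownership transitions as page faults on pages it has write- or read-protected; the model collapses both into the access counter.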