Old idea retooled for security

By Kimberly Patch, Technology Research News

One of the big challenges in computer security is securing the operating system, which coordinates a computer's peripherals and all the other software a computer runs. This is important because operating systems like Windows and Linux have access at the lowest, or most fundamental, level to everything else the computer runs.

Research teams from the University of Michigan and Stanford University are attacking the problem in different ways.

The University of Michigan researchers have proposed a scheme that puts logging software in a protected place where the operating system cannot access it. Logging software records computer interactions and can replay and reverse them.

Meanwhile, Stanford University researchers have designed an operating system architecture that uses a protected monitoring mechanism to provide a guarantee that the operating system is executing only the instructions it is supposed to.

Both schemes tap the decades-old concept of a virtual machine -- a piece of software that emulates a physical machine -- to isolate security software from the operating system.

Virtual machines use a layer of software, a virtual machine monitor, that resides between a computer's hardware and its operating system in order to shield the operating system from unauthorized access and to prevent the operating system from directly controlling the hardware. The virtual machine monitor generates a virtual machine, which looks to the operating system like an actual computer. The virtual machine can look to the operating system like the real computer it is running on, like a different computer, or like a generic abstraction.

The University of Michigan scheme runs the operating system and applications on a virtual machine, enabling a protected layer of logging software to reside at a lower level than the virtual machine. The virtual machine layer isolates the logging software, making it impossible for an intruder to turn it off.

"We run the existing software inside a virtual machine," said Peter Chen, an associate professor of electrical engineering and computer science at the University of Michigan. "If an intrusion occurs within the target operating system or applications, the virtual machine layer isolates this intrusion and prevents it from interfering with the logging functionality," he said.

The researchers used a modified version of logging software that was designed to give computers fault tolerance by reversing interactions. They optimized it for analyzing intrusions. The software enables the researchers to replay all interactions with the virtual machine. With the logging functionality intact, "we can replay the intrusion and any damage the intruder did," said Chen.

The challenge was finding a way to re-create the precise sequence of instructions, which is not possible using some logging strategies, said Chen. "x86 processors are complex enough that it is difficult to track down all sources of non-determinism," he said.

The logging software captures enough information "that we can replay the exact, instruction-by-instruction sequence of the virtual machine," including non-deterministic conditions like encryption key generation, he said.

In re-creating a computer session, the logging software causes "your mouse cursor [to] move around, your windows and menus to appear and disappear, your programs to take input and run, all exactly as it happened during the original run," said Chen.

This enables computer forensics, or the ability to analyze the computer to figure out what happened, said Chen. "An intruder can at most obfuscate her actions; she can't stop us from recording them and analyzing them later," he said.

The system, dubbed ReVirt, is fairly efficient, said Chen. Running a system as a virtual machine causes about a 30 percent slowdown, and logging takes a few more percent of resources, he said. It also uses about a gigabyte of space.

The University of Michigan researchers are working to build "higher-level forensic tools" that take advantage of having the complete information from a computer run, said Chen.

The system could eventually be used by agencies like the FBI and CIA to deal with insider threats, said Chen. "If one of their agents turns out to be a spy, ReVirt could reveal everything that the spy did on that computer," he said.

The Stanford University team's scheme stresses the concept of high assurance -- a guarantee that programs will be run in a standard way. The scheme uses a virtual machine monitor to do so.

The scheme, trusted virtual machine monitor (T-VMM), combines virtual machines with the notion of attestation.

Attestation is a well-established authentication scheme that allows application programs, operating systems and hardware devices to attest their identities to each other through a trusted third party. This assures that only allowed software has access to the computer and only allowed network and storage communications have access to the operating system.

T-VMM could be used to extend network firewalls to remote computers. A distributed firewall would be considerably more secure than regulating remote access because the firewall could prevent unauthorized communications from remote computers from getting onto the network at all, according to the Stanford researchers. The scheme could also be used to limit the amount of network traffic a computer can generate in order to keep compromised computers from contributing to distributed denial of service attacks.

The scheme solves a problem posed by network surveillance software increasingly used by law enforcement, according to the researchers. The software is examined by a group of experts who certify that the software does not exceed its legal boundaries. This method does not guarantee, however, that the software the experts see is the same that is deployed in the field. In contrast, trusted platforms can prove to a third party that the software installed on a device is the authorized software, according to the researchers.

The University of Michigan's ReVirt could be used in practical applications in three to six years, said Chen.

Chen's research colleagues were Samuel T. King and George W. Dunlap. The work was presented at the 2003 Usenix Technical Conference at San Antonio, Texas on June 9 to 14, 2003. The research was funded by the National Science Foundation (NSF) and Intel Corporation.

The Stanford University research was carried out by Tal Garfinkel, Mendel Rosenblum and Dan Boneh and was presented at the Usenix 9th Workshop on Hot Topics in Operating Systems at Lihue, Hawaii on May 18 to 21, 2003. The work was funded by the National Science Foundation and the Packard Foundation.

Timeline:   3-6 years
Funding:   Corporate, Government
TRN Categories:   Cryptography and Security; Databases and Information Retrieval; Operating Systems
Story Type:   News
Related Elements:  Technical paper from Michigan State University, "Operating System Support for Virtual Machines," proceedings of the 2003 Usenix Technical Conference, San Antonio, Texas, June 9-14 and posted at http://www.usenix.org/events/usenix03/tech/king.html; Technical paper from Stanford University, "Flexible OS Support and Applications for Trusted Computing," presented at the Usenix 9th Workshop on Hot Topics in Operating Systems, Lihue, Hawaii, May 18-21, 2003 and posted at http://www.usenix.org/events/hotos03/tech/garfinkel.html.


October 8/15, 2003

© Copyright Technology Research News, LLC 2000-2006. All rights reserved.