Lecture: IntroVirt

Detecting Past and Present Intrusions through Vulnerability-Specific Predicates, SOSP 2005

Discussion lead: Niel Lebeck & Shrainik Jain

Questions

• What is the relationship between a patch for a vulnerability and a predicate checking for exploitation of that vulnerability?

• How does IntroVirt deal with the problem of target state changing between when a predicate checks that state and when the checked code executes?

• Name one type of vulnerability that can be patched, and one type of vulnerability that cannot be patched but that can be checked in a predicate.

• Discuss how IntroVirt supports predicates for applications. Do you think this approach will always work?

• Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

Background

• replay
  • applications
    • time-traveling debugging
    • auditing & intrusion detection
    • repair
    • primary-backup replication
  • challenges
    • faithfulness/non-determinism
    • storage requirement
    • recording slowdown
    • replay performanc
    • checkpointing
  • approaches/tools for replay
    • security camera, flight recorder (black box)
    • hardware: perf counters, FDR1 (ISCA’03)
    • Windows Error Reporting (SOSP’09)
    • app/protocol: /var/log/httpd/*log, Replayer (CCS’06)
    • event tracing: Windows ETW, LTTng, SystemTap
    • virtual machine: ReVirt (OSDI’02), IntroVirt (SOSP’05)
    • process: ptrace, rr, Flashback (ATC’04)
    • library: liblog (ATC’06), Jockey (AADEBUG’05)
    • distributed systems: Friday/Mace/WiDS (NSDI’07)
    • symbolic execution: bbr (FSE’09), ODR (SOSP’09)
    • language: DejaVu (Java, OOPSLA’00), Mugshot (JS, NSDI’10)
  • application support for replay
• gdb
  • ptrace, sw breakpoints (int 3), hw breakpoints (DRx)
  • how would you generalize it to a while-system debugger