Reference:
2008 USENIX Annual Technical Conference
Abstract:
Analyzing the behavior of running programs has a wide variety of
compelling applications, from intrusion detection and prevention to
bug discovery. Unfortunately, the high runtime overheads imposed by
complex analysis techniques make their deployment impractical in
most settings. We present a virtual machine based architecture
called Aftersight that ameliorates this, providing a flexible and
practical way to run heavyweight analyses on production workloads.
Aftersight decouples analysis from normal execution by logging
nondeterministic VM inputs and replaying them on a separate analysis
platform. VM output can be gated on the results of an analysis for
intrusion prevention, or analysis can run at its own pace for
intrusion detection and best-effort prevention. Logs can also be
stored for later analysis offline for bug finding or forensics,
allowing analyses that would otherwise be unusable to be applied
ubiquitously. In all cases, multiple analyses can be run in
parallel, added on demand, and are guaranteed not to interfere with
the running workload.
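The decoupling described above, as an added illustration in Python that is not code from the paper or from VMware's implementation: a deterministic toy guest obtains every nondeterministic value (clock reads, received packets) through its VMM; the production-side VMM logs those values and runs no analysis, and an analysis-side VMM replays the log so a replica reaches the identical state while a heavyweight check runs at the replica's sink hooks. The class and function names (Guest, Recorder, Replayer, gate, traversal_check), the packet stream and the path-traversal check are all constructed for this example.

```python
"""Toy model of Aftersight-style record/replay with decoupled analysis.
Added example, not the paper's code: Guest, Recorder, Replayer and the
path-traversal analysis are stand-ins invented here."""
from collections import deque
import random


class Guest:
    """Deterministic toy file server. Its behaviour is a pure function of the
    answers it gets from vmm.nondet(), so a replica fed the same answers takes
    exactly the same execution path and emits exactly the same outputs."""

    def __init__(self, vmm):
        self.vmm = vmm
        self.served = 0

    def step(self):
        t = self.vmm.nondet("clock")            # e.g. a timer/TSC read
        req = self.vmm.nondet("net")            # e.g. a received packet
        parts = req.split(b" ", 1)
        path = parts[1] if len(parts) == 2 else b"/"
        self.vmm.sink("open", path)             # analysis hook: file-open sink
        self.served += 1
        self.vmm.output("t=%d served %s" % (t, path.decode("ascii", "replace")))


class Recorder:
    """Production-side VMM: answers nondeterministic requests from the real
    sources, appends each answer to the log, and performs no analysis."""

    def __init__(self, sources):
        self.sources = sources                  # kind -> callable returning a value
        self.log = []
        self.outputs = []

    def nondet(self, kind):
        value = self.sources[kind]()
        self.log.append((kind, value))
        return value

    def sink(self, name, value):
        pass                                    # zero cost on the production path

    def output(self, text):
        self.outputs.append(text)


class Replayer:
    """Analysis-side VMM: answers nondeterministic requests from the log,
    checks the replica asks for them in the recorded order, and runs the
    supplied analysis at every sink hook."""

    def __init__(self, log, analysis):
        self.queue = deque(log)
        self.analysis = analysis
        self.alerts = []
        self.outputs = []

    def nondet(self, kind):
        if not self.queue:
            raise RuntimeError("replay ran past the end of the log")
        logged_kind, value = self.queue.popleft()
        if logged_kind != kind:
            raise RuntimeError("replay divergence: guest asked for %r, log has %r"
                               % (kind, logged_kind))
        return value

    def sink(self, name, value):
        verdict = self.analysis(name, value)
        if verdict is not None:
            self.alerts.append((len(self.outputs), verdict))  # index of the pending output

    def output(self, text):
        self.outputs.append(text)


def record(sources, steps):
    vmm = Recorder(sources)
    guest = Guest(vmm)
    for _ in range(steps):
        guest.step()
    return vmm.log, vmm.outputs


def replay(log, analysis):
    """Detection mode: the replica runs at its own pace and reports alerts."""
    vmm = Replayer(log, analysis)
    guest = Guest(vmm)
    while vmm.queue:
        guest.step()
    return vmm.outputs, vmm.alerts


def gate(log, outputs, analysis):
    """Prevention mode: release an output only once the replica's analysis has
    cleared the step that produced it; drop the outputs it flagged."""
    replayed, alerts = replay(log, analysis)
    if replayed != outputs:
        raise RuntimeError("replica diverged from production")
    flagged = {idx for idx, _ in alerts}
    return [o for i, o in enumerate(outputs) if i not in flagged], alerts


def traversal_check(name, value):
    """Stand-in for a heavyweight analysis (think taint tracking): flag a
    network-derived path reaching the open() sink with a '..' component."""
    if name == "open" and b".." in value.split(b"/"):
        return "path traversal in %r" % value
    return None


def demo():
    # Constructed inputs: a scripted packet stream and a genuinely random clock.
    packets = deque([b"GET /index.html", b"GET ../../etc/passwd", b"GET /about"])
    sources = {"net": packets.popleft, "clock": lambda: random.randrange(1, 10**6)}
    log, outputs = record(sources, steps=3)
    detected = replay(log, traversal_check)
    released, alerts = gate(log, outputs, traversal_check)
    return outputs, detected, released, alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The same log can be replayed by any number of analyses, each in its own Replayer, without touching the Recorder or the production guest; a replica that requests nondeterministic input in a different order than the log records is a divergence, which the Replayer reports rather than silently feeding it wrong values.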
We present our experience implementing Aftersight as part of the
VMware virtual machine platform and using it to develop a realtime
intrusion detection and prevention system, as well as an offline
system for bug detection, which we used to detect numerous novel and
serious bugs in VMware ESX Server, Linux, and Windows applications.