Analyzing the harm done by an intrusion to enterprise servers is onerous and error-prone work. Although dynamic taint tracking enables automatic, fine-grained intrusion harm analysis for enterprise servers, the significant runtime overhead it introduces is generally intolerable under production workloads. We therefore propose the PEDA (Production Environment Damage Analysis) system, which decouples the onerous analysis work from the online execution of the production servers. Once a server is compromised, the "has-been-infected" execution is analyzed during high-fidelity replay on a separate instrumentation platform. The replay is implemented on top of heterogeneous virtual machine migration: the servers' online execution runs atop fast hardware-assisted virtual machines (such as Xen, for near-native speed), while the infected execution is replayed atop binary-instrumentation virtual machines (such as Qemu, for the implementation of taint analysis). From the identified intrusion symptoms, PEDA locates the fine-grained taint seed by integrating backward system call dependency tracking with one-step-forward taint information flow auditing. Starting from that fine-grained taint seed, PEDA applies dynamic taint analysis during the replayed execution. Evaluation demonstrates the efficiency of the PEDA system, with runtime overhead as low as 5%. Real-life intrusion studies show the comprehensiveness and precision of PEDA's intrusion harm analysis.
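As an added illustration (not the paper's code), the backward system call dependency walk over a constructed syscall log, from an observed symptom back to a candidate network-input seed, with a simple forward confirmation. The log format, the object naming and the forward check are my assumptions, and the coarse dependency slice deliberately over-approximates, which is why fine-grained taint analysis during replay is still needed.

```python
from collections import deque

# Constructed syscall log for illustration (not from the paper). Each record
# is (seq, pid, syscall, source_obj, sink_obj): data moved from source to sink.
SYSCALL_LOG = [
    (1, 100, "recv",  "sock:203.0.113.9:4444", "proc:100"),
    (2, 100, "write", "proc:100", "file:/tmp/drop.sh"),
    (3, 100, "fork",  "proc:100", "proc:101"),
    (4, 101, "read",  "file:/etc/passwd", "proc:101"),   # benign read, same pid
    (5, 101, "exec",  "file:/tmp/drop.sh", "proc:101"),
    (6, 101, "write", "proc:101", "file:/var/www/index.html"),
    (7, 102, "read",  "file:/etc/motd", "proc:102"),     # unrelated process
]

def backward_dependencies(log, symptom_obj, detected_at):
    """Coarse backward walk: an event depends on every earlier event whose
    sink object is that event's source object. Returns all records that may
    have contributed data to symptom_obj before sequence number detected_at.
    Note this keeps the benign /etc/passwd read, since it shares a process
    with the attack: the slice over-approximates by design."""
    by_sink = {}
    for rec in log:
        by_sink.setdefault(rec[4], []).append(rec)
    visited, frontier = set(), deque([(symptom_obj, detected_at)])
    while frontier:
        obj, before = frontier.popleft()
        for rec in by_sink.get(obj, []):
            if rec[0] < before and rec not in visited:
                visited.add(rec)
                frontier.append((rec[3], rec[0]))   # follow the source back
    return visited

def forward_reaches(log, start_rec, target_obj):
    """Forward audit (assumption: a simplified stand-in for the paper's
    one-step-forward check): does data entering at start_rec reach target_obj
    through a chain of later events?"""
    tainted = {start_rec[4]}
    for rec in sorted(log):
        if rec[0] > start_rec[0] and rec[3] in tainted:
            tainted.add(rec[4])
    return target_obj in tainted

def find_taint_seeds(log, symptom_obj, detected_at):
    """Candidate taint seeds: network inputs in the backward slice that the
    forward audit confirms actually flow into the symptom object."""
    deps = backward_dependencies(log, symptom_obj, detected_at)
    return sorted(r for r in deps
                  if r[3].startswith("sock:") and forward_reaches(log, r, symptom_obj))

if __name__ == "__main__":
    print(find_taint_seeds(SYSCALL_LOG, "file:/var/www/index.html", 7))
```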