Systems Seminar - CSE

Revirt: Enabling Intrusion Analysis through Virtual-Machine Logging

George Dunlap

Current system loggers have two problems: they depend on the
integrity of the operating system being logged, and they do not save
sufficient information to replay and analyze attacks that include any
non-deterministic events. ReVirt removes the dependency on the target
operating system by moving it into a virtual machine and logging below
the virtual machine. This allows ReVirt to replay the system's execution
before, during, and after an intruder compromises the system, even in the
presence of non-deterministic attacks and executions. ReVirt adds
reasonable time and space overhead. Overheads due to virtualization are
imperceptible for interactive use and CPU-bound workloads, and 15-58% for
kernel-intensive workloads. Logging adds 0-8% overhead, and the logging
traffic for our workloads can be stored on a single disk for several
months.
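The abstract's central claim is that execution can be replayed even when it depends on non-deterministic events. The toy below is added here as an illustration of that principle and is not code from ReVirt or the paper; the `Guest`, `Recorder` and `Replayer` classes, the step-count model and the constructed random inputs are all assumptions of the example. It records two kinds of non-determinism below a deterministic guest: synchronous inputs (the guest asks for data, so only their order and values must be logged) and asynchronous interrupts (which must be logged together with the exact instruction count at which they were delivered). Replaying the log reproduces the original state bit for bit; delivering the interrupts one instruction late, as a replayer that logged only their order would, diverges.

```python
"""Toy record/replay: log nondeterministic events below a deterministic guest,
then replay them to reproduce the guest's execution exactly (illustration only)."""
import hashlib
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Event:
    step: int     # guest instruction count at which the event took effect
    kind: str     # "input": synchronous read by the guest; "irq": asynchronous interrupt
    value: int


class Guest:
    """Deterministic toy CPU: same events at the same steps give the same state."""

    def __init__(self) -> None:
        self.step = 0
        self.acc = 0
        self.history: List[int] = []   # accumulator after every instruction

    def run(self, n_steps: int,
            read_input: Callable[[int], int],
            poll_irq: Callable[[int], Optional[int]]) -> None:
        for _ in range(n_steps):
            irq = poll_irq(self.step)          # asynchronous event, checked before each instruction
            if irq is not None:
                self.acc ^= irq                # "interrupt handler" mixes the vector into state
            if self.step % 3 == 0:             # every third instruction reads external data
                self.acc = (self.acc + read_input(self.step)) & 0xFFFFFFFF
            else:                              # otherwise pure computation (an LCG step)
                self.acc = (self.acc * 1103515245 + 12345) & 0xFFFFFFFF
            self.history.append(self.acc)
            self.step += 1

    def digest(self) -> str:
        """Fingerprint of the whole execution, used to compare runs."""
        return hashlib.sha256(",".join(map(str, self.history)).encode()).hexdigest()


class Recorder:
    """Sits below the guest: passes real nondeterministic events through and logs them."""

    def __init__(self, rng: random.Random) -> None:
        self.rng = rng                         # constructed stand-in for disk, NIC and timers
        self.log: List[Event] = []

    def read_input(self, step: int) -> int:
        value = self.rng.getrandbits(32)       # e.g. a disk block or packet payload
        self.log.append(Event(step, "input", value))
        return value

    def poll_irq(self, step: int) -> Optional[int]:
        if self.rng.random() < 0.2:            # an interrupt happens to arrive now
            value = self.rng.randrange(1, 256)
            self.log.append(Event(step, "irq", value))   # logged WITH the step it hit
            return value
        return None


class Replayer:
    """Replays the log: inputs in recorded order, interrupts at the recorded step.
    irq_skew != 0 models a replayer that delivers interrupts at the wrong point."""

    def __init__(self, log: List[Event], irq_skew: int = 0) -> None:
        self.inputs = [e for e in log if e.kind == "input"]
        self.irqs = {e.step + irq_skew: e.value for e in log if e.kind == "irq"}
        self.pos = 0

    def read_input(self, step: int) -> int:
        event = self.inputs[self.pos]
        # A replay that asks for input at a different step has already diverged.
        assert event.step == step, f"divergence: input logged at {event.step}, requested at {step}"
        self.pos += 1
        return event.value

    def poll_irq(self, step: int) -> Optional[int]:
        return self.irqs.get(step)


def demo(seed: int = 42, n_steps: int = 60):
    """Return (live digest, faithful replay digest, late-irq replay digest, log length)."""
    recorder = Recorder(random.Random(seed))
    live = Guest()
    live.run(n_steps, recorder.read_input, recorder.poll_irq)

    faithful = Replayer(recorder.log)
    replayed = Guest()
    replayed.run(n_steps, faithful.read_input, faithful.poll_irq)

    late = Replayer(recorder.log, irq_skew=1)   # interrupts one instruction late
    diverged = Guest()
    diverged.run(n_steps, late.read_input, late.poll_irq)

    return live.digest(), replayed.digest(), diverged.digest(), len(recorder.log)


if __name__ == "__main__":
    live_d, replay_d, late_d, n_events = demo()
    print(f"logged {n_events} events")
    print("faithful replay matches:", live_d == replay_d)
    print("late-irq replay matches:", live_d == late_d)
```

The log holds only the nondeterministic events, not the guest's computation, which is why a replay log can stay small relative to the execution it captures; the cost of that economy is that every asynchronous event must be pinned to the exact instruction at which it was delivered, since even a one-instruction skew changes the state the guest sees from that point on.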

Bio: George Dunlap is a 5th-year PhD student working for Peter Chen. He's
interested mainly in operating systems functionality and security, but
also in networks, debugging… anything that gets him in the 'guts' of
things, so to speak. He expects to graduate Fall 2003.

Sponsored by

SSL