CoVirt and ReVirt
CoVirt Project Home Page (University of Michigan):
The CoVirt project is investigating how to use virtual machines to provide security in an operating-system-independent manner. Virtual-machine security services can work even if an attacker gains complete control over the guest operating system….
Another potential challenge of using virtual machines is that running all applications above the virtual machine hurts performance due to virtualization overhead…
We modified a host OS (Linux) to enable it to better support a virtual-machine monitor. The resulting virtual-machine monitor and modified guest OS (based on UMLinux) runs even kernel-intensive applications at about 14-35% overhead…We have designed and implemented a replay service for virtual machines called ReVirt. ReVirt logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions…
We designed and implemented a system called BackTracker that will help system administrators understand (and thereby recover from) an intrusion. BackTracker automatically identifies potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g. a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph.
