A New Way to Hack the Hackers

by Kim Roth

It's hard to find a systems administrator these days who hasn't had at least one brush with a hacker. In fact, most organizations have been plagued by continual assaults on their technology infrastructure. The 42,500 security breaches reported in just the first quarter of 2003 are nearly double those reported for the entire year 2000 (21,700).

A system break-in can have far-reaching effects, from a disruption in services to customers to corrupted or stolen software and data. And these consequences carry a hefty price tag: The 2003 Computer Crime and Security Survey, conducted by the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad, found that losses among 250 of roughly 500 survey respondents totaled over $200 million, or nearly $1 million per organization.

ReVirt: a System Once Removed

Quantifying the Loss A recent USA Today article reported that losses associated with computer crime are projected to climb by 25 percent, to nearly $3 billion this year in the United States. Only 47 percent of the CSI/FBI study participants were able to quantify the financial losses associated with their computer system breaches, despite 92 percent reporting attacks. It’s not easy to calculate, as there are both tangible and intangible costs, including: Lost business due to system unavailability and lost or damaged data Lost business due to the erosion of customer confidence (new legislation in California and potentially around the U.S. requires that companies inform customers if its system has been hacked and their data stolen) Lost staff productivity during system ‘down time’ Labor and other costs associated with system recovery, which may include outside consulting, overtime for IT staff, new hardware and software and data recovery costs Costs associated with the collection of forensic evidence for use in the prosecution of the hacker Legal fees for prosecution as well as liability cases brought against the target company if it was unable to fulfill its obligations Increases in insurance premiums, or costs of a standalone “network risk” policy (between $5,000 and $30,000 annually for $1 million in coverage) Competitor access to proprietary company and customer data

Researchers at the College of Engineering have developed a solution: ReVirt, which Peter Chen, associate professor, Electrical Engineering and Computer Science, and his team are currently using in their ongoing research on computer security and forensics. It's a multitalented layer of software that, for one thing, has the ability to encapsulate the target operating system and its applications in a "virtual machine," which is software that faithfully emulates the computer on which it runs. The effect of using a virtual machine is to put the real hardware and applications behind an electronic equivalent of a two-way mirror. As the hacker interacts with the real machine, he "sees" himself interacting with the virtual machine. So, whereas ReVirt can't interrupt an assault (just as a surveillance camera can't interrupt a bank robbery), it does hide the real computer, which works underneath the virtual machine - behind the mirror - logging every action the intruder takes before, during and after an attack, without his knowledge. According to Chen, the resulting log reveals "some important information, such as how they broke into your system in the first place, whether they left any back doors open or Trojan horses to make it easier to break in again, and whether they damaged or stole any data." These are key pieces of information that allow administrators to reconstruct the crime step-by-step, begin the recovery process and prevent future breaches.

Software that logs system events isn't new, but currently available software has two main limitations, which Chen and his students set out to overcome with ReVirt. First, current programs rely on the integrity of the operating system they're meant to protect. Therefore, if a hacker compromises the operating system, which isn't uncommon in an attack, subsequent logging won't likely yield a useful record of events. Thanks to the "layer of abstraction" the virtual machine provides, ReVirt logs data even if an intruder damages or replaces the operating system. Current logging programs also don't provide sufficient information to recreate all types of attacks, which can leave administrators unable to assess the vulnerabilities that allowed the hacker to break in or the damage that was done during the intrusion.

New Applications for Existing Technology

Two papers inspired the work on ReVirt, which began about two years ago. The first, by Bressoud and Schneider, reported their use of virtual machines and logging to enable systems to tolerate faults (unexpected malfunctions of hardware or software), but didn't address intrusions. The second, by Ganger, addressed the need to reenact intrusions but didn't address the need to record all events, not just hard-disk activity.

Chen and his students began exploring virtual machines for logging attacks. As luck would have it, hackers attacked their computers while the team was in the midst of its work. "In cleaning up," said George Dunlap, a student of Chen's and ReVirt's main author, "we found that the forensic side of computer security - trying to figure out how they broke in, what they saw and what they changed - was very much ad-hoc; it required a lot of expertise, a lot of time, a lot of Sherlock-Holmes-style educated guessing. So we tried to see how we could use virtual machines to solve the problem, and ReVirt was one of the outcomes."

Though ReVirt will be used by systems administrators, it offers potential benefits to just about everyone. According to Dunlap, the analysis done by researchers who study occurrences of hacking to look for new exploits and their patterns of behavior "indirectly helps everyone with a computer connected to the Internet because these researchers then build better security systems."

ReVirt hasn't been distributed widely or commercially, yet, but users would likely include public or private organizations that require high levels of security - the FBI or financial institutions, for instance. The current prototype virtual machine is only for Linux. The team is looking for a commercial virtual-machine vendor to incorporate ideas from ReVirt. -E

Kimberlee Roth is a freelance writer who has contributed to the Chicago Tribune, the Chronicle of Philanthropy, The Washington Post and the Gale Group E-Commerce Sourcebook (forthcoming)