Isolating Cause-Effect Chains in Computer Systems
One of the major tasks in maintaining software systems is understanding how specific effects came to be. This is especially true for effects that cause major harm, and especially challenging for causes that actively prevent discovery. We introduce Malfor, a system that, for any reliably reproducible and observable effect, isolates the processes that cause the effect. We apply Malfor to intrusion analysis-that is, understanding how an intruder gained access to a system-and come up with cause-effect chains that describe how an attack came to be: “An attacker sent a malicious request to the Web server, which gave him a local shell, by which he gained administrator provileges via a security hole in Perl, and thus installed a new administrator account”. Malfor works by experiments. First, we record the interaction of the system being diagnosed. After the effect (the intrusion) has been detected, we replay the recorded events in slightly different configurations to isolate the processes which were relevant for the effect. While intrusion analysis is among the more spectacular uses of Malfor, the underlying techniques can easily be generalized to arbitrary system behaviors.
Full Text: PDF