Undo computing
The goal of the undo computing project is to help users and administrators
restore system integrity after an intrusion, by retroactively undoing
changes made by an adversary during the attack, along with any side
effects, while preserving legitimate user actions.
The key problem in undoing the attack is to undo only the attacker's
changes, and to preserve all legitimate user changes, with minimal
user involvement. Our approach is to record a system-wide dependency
graph that tracks dependencies between computations in the system over
time, such as processes and system calls, during normal operation.
When an intrusion is detected, the administrator uses the dependency
graph to trace the attack back to its source, such as the attacker's
initial network connection. Then, given the source, we first undo
the attack's direct effects, and then use the dependency graph to
recursively re-execute legitimate computations, such as processes or
system calls, that might have been affected by the attack, in order to
undo the attack's indirect effects while preserving legitimate changes.
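The recovery loop described above, sketched as an added example (not the project's code). It assumes each recorded action is a pure function of the objects it reads, and it replays from an initial snapshot; the Action type, the file names and the sample log are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Action:                  # hypothetical log record, one per computation
    name: str
    reads: tuple               # objects the action depended on
    writes: str                # object the action modified
    fn: Callable               # the computation, re-runnable on new inputs
    attack: bool = False       # marked once the attack is traced to its source
    recorded: str = None       # output logged during normal operation

def record(initial, log):
    """Normal operation: run every action and log what it wrote."""
    state = dict(initial)
    for act in log:
        act.recorded = act.fn(*(state[r] for r in act.reads))
        state[act.writes] = act.recorded
    return state

def recover(initial, log):
    """Drop attack actions; re-execute only actions that read affected objects."""
    state, dirty, rerun = dict(initial), set(), []
    for act in log:
        if act.attack:                         # undo the direct effect
            dirty.add(act.writes)
        elif dirty & set(act.reads):           # indirect effect: re-execute
            state[act.writes] = act.fn(*(state[r] for r in act.reads))
            dirty.add(act.writes)
            rerun.append(act.name)
        else:                                  # unaffected: keep logged result
            state[act.writes] = act.recorded
            dirty.discard(act.writes)
    return state, rerun

def demo():
    initial = {"passwd": "root;", "report": "", "backup": ""}  # constructed
    log = [
        Action("alice_edit", ("report",), "report", lambda r: r + "alice;"),
        Action("attack", ("passwd",), "passwd", lambda p: p + "eve;", attack=True),
        Action("backup", ("passwd",), "backup", lambda p: p),
        Action("bob_edit", ("report",), "report", lambda r: r + "bob;"),
        Action("add_user", ("passwd",), "passwd", lambda p: p + "carol;"),
    ]
    attacked = record(initial, log)
    recovered, rerun = recover(initial, log)
    return attacked, recovered, rerun

if __name__ == "__main__":
    print(demo())
```

Only backup and add_user are re-executed, because they read the object the attack wrote; the two report edits keep their logged results.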
Publications
- Taesoo Kim, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek.
Intrusion Recovery Using Selective Re-execution.
In Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, Canada, October 2010.
- Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek.
Retroactive auditing.
In Proceedings of the 2nd Asia-Pacific Workshop on Systems, Shanghai, China, July 2011.
- Ramesh Chandra, Taesoo Kim, Meelap Shah, Neha Narula, and Nickolai Zeldovich.
Intrusion Recovery for Database-backed Web Applications.
In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, October 2011.
- Taesoo Kim, Ramesh Chandra, and Nickolai Zeldovich.
Recovering from intrusions in distributed systems with Dare.
In Proceedings of the 3rd Asia-Pacific Workshop on Systems, Seoul, South Korea, July 2012.
- Taesoo Kim, Ramesh Chandra, and Nickolai Zeldovich.
Efficient patch-based auditing for web application vulnerabilities.
In Proceedings of the 10th Symposium on Operating Systems Design and Implementation (OSDI), Hollywood, CA, October 2012.
- Ramesh Chandra, Taesoo Kim, and Nickolai Zeldovich.
Asynchronous intrusion recovery for interconnected web services.
In Proceedings of the 24th ACM Symposium on Operating Systems Principles (SOSP), Farmington, PA, November 2013.
- Haogang Chen, Taesoo Kim, Xi Wang, M. Frans Kaashoek, and Nickolai Zeldovich.
Identifying information disclosure in web applications with retroactive auditing.
In Proceedings of the 11th Symposium on Operating Systems Design and Implementation (OSDI), Broomfield, CO, October 2014.
Software
Coming soon.