Conference paper

Isolating Cause-Effect Chains in Computer Systems

Document type

Text/Conference Paper

Date

2007

Publisher

Gesellschaft für Informatik e. V.

Abstract

One of the major tasks in maintaining software systems is understanding how specific effects came to be. This is especially true for effects that cause major harm, and especially challenging for causes that actively prevent discovery. We introduce Malfor, a system that, for any reliably reproducible and observable effect, isolates the processes that cause the effect. We apply Malfor to intrusion analysis—that is, understanding how an intruder gained access to a system—and come up with cause-effect chains that describe how an attack came to be: “An attacker sent a malicious request to the Web server, which gave him a local shell, by which he gained administrator privileges via a security hole in Perl, and thus installed a new administrator account”. Malfor works by experiments. First, we record the interaction of the system being diagnosed. After the effect (the intrusion) has been detected, we replay the recorded events in slightly different configurations to isolate the processes which were relevant for the effect. While intrusion analysis is among the more spectacular uses of Malfor, the underlying techniques can easily be generalized to arbitrary system behaviors.

Description

Neuhaus, Stephan; Zeller, Andreas (2007): Isolating Cause-Effect Chains in Computer Systems. Software Engineering 2007 – Fachtagung des GI-Fachbereichs Softwaretechnik. Bonn: Gesellschaft für Informatik e. V. PISSN: 1617-5468. ISBN: 978-3-88579-199-7. pp. 169-180. Regular Research Papers. Hamburg. 27.-30.03.2007
