Researchers at North Carolina State University have developed a method to restore a computer operating system to its former state if it is attacked.
In certain computer security attacks, an outside party compromises one computer application (such as a Web browser) and then uses that application to submit a “system call” to the operating system, effectively asking the operating system to perform a specific function. Instead of a routine function, however, the attacker uses the system call to attempt to gain control of the operating system.
“Our goal is to give the operating system the ability to survive such attacks,” said Dr. Yan Solihin, an associate professor of electrical and computer engineering at North Carolina State. “Our approach has three components: attack detection, security fault isolation and recovery.”
The concept involves taking a snapshot of the operating system at strategic points in time (such as system calls or interrupts) while it is functioning normally. If the operating system is then attacked, everything done since the last “good” snapshot is erased, effectively going back in time to before the attack. The mechanism also allows the operating system to identify the source of the attack and isolate it, so that the operating system will no longer be vulnerable to attacks from that application.
The idea of detecting attacks and resetting a system to a safe state is a well-known technique for restoring a system’s normal functions after a failure, but this is the first time researchers have developed a system that also incorporates the security fault isolation component. This critical component prevents the operating system from succumbing to the same attack repeatedly.
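The toy model below is an added illustration, not the researchers' code: it walks through the three components (detection, recovery to the last good snapshot, fault isolation) and shows why recovery alone lets the same application trigger the rollback again and again. The class, handlers, application names and integrity rule are all assumptions, and the snapshot is a plain software copy rather than the hardware-supported mechanism the article describes.

```python
import copy

class ToyKernel:
    """Constructed model: kernel state is a dict, syscalls are functions applied to it."""
    def __init__(self, isolate):
        self.state = {"uid": {"browser": 1000, "editor": 1000}, "files": {}}
        self.isolate = isolate      # enable the fault-isolation component
        self.blocked = set()        # applications no longer allowed to issue calls
        self.rollbacks = 0

    def invariant_ok(self):
        # Assumed detection rule: no application may end up with uid 0.
        return all(uid != 0 for uid in self.state["uid"].values())

    def syscall(self, app, handler, *args):
        if app in self.blocked:
            return "denied"
        snapshot = copy.deepcopy(self.state)   # snapshot at the system-call boundary
        handler(self.state, app, *args)
        if self.invariant_ok():                # attack detection
            return "ok"
        self.state = snapshot                  # recovery: erase everything since the snapshot
        self.rollbacks += 1
        if self.isolate:
            self.blocked.add(app)              # isolation: cut off the source of the attack
        return "rolled_back"

def write_file(state, app, name, data):
    state["files"][name] = data

def corrupting_call(state, app):
    # Stands in for a call that abuses a kernel flaw; it also leaves a side effect behind.
    state["files"]["leftover.tmp"] = "side effect"
    state["uid"][app] = 0

def run(isolate):
    k = ToyKernel(isolate)
    results = [k.syscall("editor", write_file, "notes.txt", "draft")]
    for _ in range(3):                         # the compromised application keeps trying
        results.append(k.syscall("browser", corrupting_call))
    results.append(k.syscall("editor", write_file, "notes.txt", "final"))
    return results, k.rollbacks, k.state

if __name__ == "__main__":
    for isolate in (False, True):
        print("isolation", isolate, run(isolate)[:2])
```

With isolation off the kernel recovers each time but pays for three rollbacks; with it on, the first rollback is the last and the unaffected application keeps working.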
The concept of taking snapshots of the operating system and using them to restore it if it is compromised was previously viewed as impractical, since taking these snapshots and running such a system significantly slowed computer operating speeds.
“But we’ve developed hardware support that allows the operating system to incorporate these survivability components more efficiently, so that they take up less time and energy,” Solihin said.
The researchers say the survival system takes up less than five per cent of the operating system’s operating overhead.