[MA] Securing process execution by verifying the inner process state through recording and replaying on different platforms

  • Name:

    Securing process execution by verifying the inner process state through recording and replaying on different platforms

  • Venue:

    Bldg. 50.34

    Room 252


  • Date:


  • Time:


  • While computer systems are ubiquitous and prevalent in our daily lives, they are not free from bugs and misbehavior.
    Those can either be existent in hard- or software components and may thus influence the application and data we use on the systems.
    Among other, causes for bugs and misbehavior are increasing design complexity, smaller hardware fabrication sizes, or expanding software complexity.
    Furthermore, intentionally inserted backdoors are a conceivable scenario, too.
    Eventually, it requires trusting the vendors that their hard- and software components operate as expected and that they are free from bugs and backdoors.
    This work introduces a novel approach for verifying the correctness of an application execution without being dependent on trusting the vendors.
    The approach named "securing process execution by recording and replaying the inner process state (SPERRIPS)" verifies the correctness of application execution across two different systems on the abstraction level of system calls (syscalls).
    Therefore, the application is executed and traced on two different systems to detect possible deviations in their executions.
    An execution is correct and verified if it runs identical on both systems and if there are only acceptable differences in the execution.
    In the case of unacceptable differences, the application execution will be aborted.
    This work introduces acceptable and unacceptable differences on the example of the syscalls of the cat application while respecting, among others, different system environments, activated Address Space Layout Randomization, and nested structures.
    Potentially detected unacceptable differences indicate misbehavior, rooted in a component below the considered abstraction level of syscalls in one of the two systems.
    In particular, this affects either hardware components or internal operating system kernel procedures.

    This thesis proposes both a conception and an implementation of SPERRIPS.
    The implementation has been evaluated with four different applications, namely echo, hostname, cat, and ping.
    It demonstrates the feasibility of the approach to successfully verify application executions?
    correctness and detect differences in their executions.
    All side-effects on application execution through intentionally inserted malicious Linux kernel modifications have been detected.