The big undo: A time machine for corporate computing

May 16, 2003
Contact:
  • umichnews@umich.edu

ANN ARBOR—When hackers break into corporate networks, millions of dollars of damage can be done in a brief amount of time. Records can be deleted or altered, business plans can be exposed, and companies are sometimes unclear about what parts of their system have been compromised. Faced with a crime scene with few clues, system administrators often find themselves wishing for a way to travel back in time and watch the crime unfold. New research performed at the University of Michigan might help them do it.

“What we have created is a way to turn back time—at least from a computing perspective—and watch history unfold exactly as it did before,” said Peter Chen, associate professor of electrical engineering and computer science at the University of Michigan. “Not only can we turn back the clock on an attack to undo the damage, we can also go back to any point during the attack to observe exactly how the intruder breached the system.”

According to Chen, several commercial products can record all changes made to a hard drive, allowing users to restore their systems to a previous backup point. But none of these products allow system administrators to replay an intruder’s actions step by step.

For example, a hacker could break into a company’s computer system and vandalize its corporate web site. Because these actions involve changes to the hard drive, they are easy to log and repair. But what vulnerability did the hacker exploit to break into the system, and what else did the intruder do while he had access to the system? Did he sneak a peek at the company’s database of consumer credit card numbers? Were top-secret business plans compromised? Knowing precisely what a hacker did could help system administrators identify the damage and also help prevent future attacks.

Dubbed ReVirt, the Michigan project hides the system’s actual hardware and operating system behind a virtual machine.
The virtual machine, actually a software program that emulates a system’s hardware, runs a guest operating system that in turn runs applications and interacts with users. By creating this additional abstraction layer and forcing users to interact with a guest operating system, ReVirt is able to completely log all events that happen on the virtual machine at both the operating system and virtual machine level. The owner can also restore the system to any point in time recorded by the logs.

System loggers are nothing new for most enterprise-level operating systems, but traditional loggers have two weaknesses. First, they rely on the integrity of the operating system being logged. Because traditional system logs are rarely kept secure, smart hackers will often doctor or delete these logs to hide their tracks. Second, they rarely save sufficient information to replay and analyze attacks. Most logging efforts only record specific events such as logins. But resourceful hackers often exploit unexpected weaknesses in systems that fly under the radar.

In contrast, the ReVirt logging system operates from beyond the reach of potential hackers, and the logs it creates are properly isolated from the user. All human input, interrupts and network messages can be logged. Chen estimates that several months of logging data could be stored on one 100-gigabyte hard disk and the resulting overhead would be minimal.

“It’s like having a security camera behind bulletproof glass that can see everything going on during a bank robbery,” said Chen. “Not only can we repair the damage, but we can study in detail what the hacker did, and we can learn how to improve our security in the future.”

Experts estimate that the average corporate network is attacked 12 to 15 times a year and that up to 98 percent of attacks might go undetected. According to a recent USA Today article, losses from computer crime are expected to soar 25 percent this year to $2.8 billion in the United States alone.
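The record-and-replay idea described above can be shown in miniature. The following is an added example written for this page, not code from the ReVirt project: a toy guest machine whose behaviour is fully determined by its inputs, a recorder that sits outside the guest and logs every nondeterministic event (typed commands, network messages, clock interrupts) before delivering it, and a replay function that rebuilds the guest's state at any point in the log. The intrusion scenario, the file names and the command set are all constructed for illustration. The example also shows the two weaknesses of an in-guest logger: it records only logins, and the intruder can wipe it, whereas the recorder's log is untouched and still reveals a read of the card database that never changed the disk.

```python
"""Record-and-replay of a toy guest machine, in the spirit of ReVirt.

The guest is deterministic given its inputs, so everything nondeterministic
(typed commands, network messages, clock interrupts) is captured by a
recorder *outside* the guest before the event is delivered. Replaying the
recorded stream from the same initial state reproduces the guest's history.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Event = Tuple[str, str]  # (kind, payload); kind is "key", "net" or "clock"


@dataclass
class Guest:
    """Deterministic toy machine: a small 'disk' plus the guest's own log."""
    disk: dict = field(default_factory=lambda: {
        "index.html": "welcome",
        "cards.db": "REDACTED-CARD-DATA",   # constructed sensitive file
        "guest.log": "",                    # the traditional in-guest log
    })
    clock: int = 0
    reads: List[str] = field(default_factory=list)  # in memory only, never on disk

    def deliver(self, event: Event) -> None:
        kind, payload = event
        if kind == "clock":
            self.clock = int(payload)
        elif kind == "net":
            # the toy web server: a PUT overwrites the home page
            prefix = "PUT index.html "
            if payload.startswith(prefix):
                self.disk["index.html"] = payload[len(prefix):]
        elif kind == "key":
            self._shell(payload)

    def _shell(self, cmd: str) -> None:
        op, _, arg = cmd.partition(" ")
        if op == "login":
            # traditional logger: records logins only, and lives inside the guest
            self.disk["guest.log"] += f"{self.clock} login {arg}\n"
        elif op == "cat":
            self.reads.append(arg)   # a read leaves no trace on disk
        elif op == "rm":
            self.disk[arg] = ""      # can empty the guest's own log as well


class Recorder:
    """Hypervisor-side log: stores each nondeterministic event before
    delivering it, in storage the guest has no way to reach."""

    def __init__(self, guest: Guest) -> None:
        self.guest = guest
        self.log: List[Event] = []

    def inject(self, event: Event) -> None:
        self.log.append(event)
        self.guest.deliver(event)


def replay(log: List[Event], upto: int) -> Guest:
    """Rebuild the guest exactly as it was after the first `upto` events."""
    g = Guest()
    for ev in log[:upto]:
        g.deliver(ev)
    return g


# Constructed intrusion: only the defacement changes the disk; the read of
# cards.db and the wiping of the in-guest log leave nothing behind.
INTRUSION: List[Event] = [
    ("clock", "100"),
    ("key", "login alice"),
    ("clock", "200"),
    ("net", "PUT index.html DEFACED"),
    ("key", "cat cards.db"),
    ("key", "rm guest.log"),
]


def run_intrusion() -> Recorder:
    rec = Recorder(Guest())
    for ev in INTRUSION:
        rec.inject(ev)
    return rec


def investigate() -> dict:
    """What an administrator can learn from the recorder's log afterwards."""
    rec = run_intrusion()
    live = rec.guest
    before = replay(rec.log, 3)            # state just before the defacement
    full = replay(rec.log, len(rec.log))   # state at the end of the recording
    return {
        "guest_log_survives": live.disk["guest.log"] != "",
        "page_before_attack": before.disk["index.html"],
        "page_after_attack": full.disk["index.html"],
        "files_read_by_intruder": full.reads,
        "replay_matches_live": full == live,
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

Replaying to event 3 gives the pre-defacement page, so the damage can be undone; replaying the whole log reproduces the live machine field for field, including the in-memory record that cards.db was read, which neither a disk-change recorder nor the wiped in-guest log could have shown. The real system logs at the virtual-machine boundary rather than inside a Python object, but the property relied on is the same: given the initial state and every nondeterministic input, the guest's execution is reproducible.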
Faced with a rising number of attacks, companies need better tools to understand the nature of these break-ins and help them repair the damage. In 2002, the University of Michigan College of Engineering also unveiled a way of securing sensitive information on laptops if they are removed from the proximity of their owners. Other computer security projects are underway.

The U-M College of Engineering is consistently ranked among the top engineering schools in the world. The College is composed of 11 academic departments: aerospace engineering; atmospheric, oceanic and space sciences; biomedical engineering; chemical engineering; civil and environmental engineering; electrical engineering and computer science; industrial and operations engineering; materials science and engineering; mechanical engineering; naval architecture and marine engineering; and nuclear engineering and radiological sciences. Each year the College enrolls over 7,000 undergraduate and graduate students and grants about 1,200 undergraduate degrees and 800 master’s and doctoral degrees.

Related links:

Professor Peter Chen

Article on the 2002 security project

College of Engineering home page link

Phone: (734) 647-7087
E-mail: njlao@umich.edu