1. System Support for Rapid Recovery and Attack Resistance A Friday ATC-NY Talk by Todd Deshane

4. "New methods are being invented, new tricks, and every year it gets worse... We are losing the battle... Most companies don't know they have been attacked." - Bruce Schneier "The average top executive doesn't understand security, but we have to change that... Security is an imperative. It's no longer just a good idea." - Allen Kerr "Virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase." - Kaspersky Labs Motivation

5. "Very sophisticated tools are commercially available in black markets... This has made [the Internet] more attractive for organized crime: [criminals] no longer have to be geeks." - James Lewis "Although security awareness continues to improve, hackers and malicious code authors are releasing threats faster than ever before, with approximately 200 per cent more malicious threats per day than two years ago." - Stuart McClure (2006)‏ "Over one third [of IT Companies] were hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack." - 2007 Secure64 Survey Motivation

6. Ooooh! I got some pics from my buddy Joe :)‏ John is a typical desktop user that uses his computer to communicate with friends on IM and email, and surf the web. Motivation

7. Without the Rapid Recovery System 010010000100000101000011010010110100010101 Credit Card Numbers, Email Contacts, Passwords

8. With the Rapid Recovery System John tries to load the pictures in his photo VM, but the action is denied, since the “pics” are actually executables. An error message is displayed to John.

9. With the Rapid Recovery System John really wants to see the pics, so he ignores the error and copies the “pics” to his Internet VM and clicks on them. The executable runs and it instantly tries to run its built-in IRC server and starts scanning for personal data.

10. Either of these actions cause the Internet VM to be reset. The built-in firewall of the Rapid Recovery System disallows the Internet VM to create a server. An error message appears when the Internet VM restarts. John finds out that these were not pics. With the Rapid Recovery System

22. Internet Hardware Xen Hypervisor NIC NET-VM Internal Network VMA 1 VMA 2 VMA N Isolated Network FS-VM Disk Domain 0 Management Management System Architecture Management

27. Evaluation: Performance

29. Internet Hardware Xen Hypervisor NIC NET-VM Internal Network VMA 1 VMA 2 VMA N Isolated Network FS-VM Disk Domain 0 Management Management System Architecture Management

35. Questions/Comments?

37. Backup Slides This won't fit in the presentation, but if there are questions, some of these slides might help

38. Virtualization Motivation Backup Slides More virtualization basics and why to use virtualization

40. VMM with a Picture

44. Performance Backup Slides Xen vs. VMware performance

45. System Performance

46. Guest Configuration File Backup Slides More details of the syntax

47. Plan: File System Rule Language # Example file system rule set for an email client. fs_rule = [ 'id=1, read, 1024, 5' ] # read at most 1024 bytes of data in 5 seconds fs_rule = [ 'id=2, append, 1024, 3' ] # append at most 1024 bytes of data in 3 seconds. fs_rule = [ 'id=3, write, 320, 3' ] # write at most 320 bytes in 3 seconds # The email mount point is accessible to the email client, and fs_rules # with id=1 and id=2 are applied disk = [ 'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' ] # The email mount point is accessible to the email client, and fs_rules # with id=1 and id=3 are applied. disk = [ 'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3' ]

48. Plan: Network Rule Language #Email client example continued network_rule = ['id=1, iptables, file=/etc/iptables/email_client'] network_rule = ['id=2, snort, file=/etc/snort/rules/email_client'] vif = [ 'rate=2Mb/s, network_rule=1:2' ]

49. Attacks Backup Slides More details/example attacks looked at