Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems
Ronny Chevalier, David Plaquin, Chris Dalton, Guillaume Hiet

TL;DR
This paper introduces Survivor, a novel intrusion survivability framework for commodity operating systems that employs fine-grained recovery and response strategies to maintain core functionalities during ongoing intrusions.
Contribution
It presents a new approach combining per-service responses and degraded mode operation to enhance intrusion survivability in Linux systems.
Findings
Effectively removes intrusion effects in tested scenarios.
Selects appropriate responses to maintain core service functions.
Maintains system availability with minimal performance overhead.
Abstract
Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers from reinfecting the system or from achieving their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results…
