The ghost of intrusions past

Ashlesha Joshi, Peter M. Chen

Security vulnerabilities are constantly being introduced, discovered, exploited, and patched in everyday software. As organizations rely more on their computer systems, break-ins due to software bugs are causing an increasing amount of damage. Consequently, software vendors are releasing patches sooner after a vulnerability becomes known, and system administrators are placing more emphasis on applying patches quickly. Although prompt patching shrinks one window of vulnerability in the system, another large window of vulnerability exists that has been largely ignored: the time from when a bug is introduced in the installed software to when the bug is discovered and patched.

Our goal is to provide a system that allows an administrator to check whether his machine has been compromised through a given vulnerability during the time period from when the vulnerability is introduced to when it is discovered and patched. Ideally, this check should be exploit-generic, meaning that the compromise is detected regardless of the actual program used to trigger it or the subsequent damage done.

To be able to detect past intrusions, we log the machine's execution using ReVirt so that we may take advantage of machine replay. After a bug has been discovered, we replay the system's execution, and while replaying, evaluate a predicate that detects whether the machine has been broken into. Predicates examine some aspect of the machine's state to determine whether the vulnerability has been triggered. For example, if the buggy code fails to check a buffer's size and then copies something into the buffer, our predicate simply checks the buffer's size itself and raises an alarm if it is too small for the data being copied.

In addition, we can use exactly the same strategy to detect intrusions during live execution, after the vulnerability has been discovered but before the patch is applied. This allows system administrators to delay applying patches if they have concerns about the resulting downtime or instability. Thus far, we have written predicates and detected break-ins due to several kernel bugs, including recent race condition and buffer overflow vulnerabilities. We are in the early stages of extending our system to work for application bugs as well.
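The buffer-size predicate described above, as an added illustration that is not the paper's or ReVirt's code: a constructed log of copy events stands in for the replayed execution, and the predicate performs the size check the buggy code omitted at each copy site. Struct and function names (`copy_event`, `overflow_predicate`, `replay_and_check`) are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a fixed-size kernel buffer that the buggy code
 * copies request data into without checking the length (hypothetical). */
#define KBUF_SIZE 16

struct copy_event {        /* one logged copy at the buggy code site */
    size_t dst_capacity;   /* size of the destination buffer */
    size_t src_len;        /* bytes the buggy code is about to copy */
    const char *label;     /* description of the replayed request */
};

/* Vulnerability-specific predicate, evaluated at the buggy copy site
 * during replay: returns 1 when the vulnerability is being triggered.
 * It is exploit-generic because only the size relation is examined,
 * never the content of the data being copied. */
int overflow_predicate(const struct copy_event *ev)
{
    return ev->src_len > ev->dst_capacity;
}

/* Replay the event log, evaluate the predicate at each event, and return
 * the number of alarms. If first is non-NULL it receives the index of the
 * first offending event, or -1 when the predicate never fires. */
int replay_and_check(const struct copy_event *log, size_t n, int *first)
{
    int alarms = 0;
    if (first) *first = -1;
    for (size_t i = 0; i < n; i++) {
        if (!overflow_predicate(&log[i])) continue;
        if (first && *first < 0) *first = (int)i;
        alarms++;
        printf("ALARM: event %zu (%s): %zu bytes into %zu-byte buffer\n",
               i, log[i].label, log[i].src_len, log[i].dst_capacity);
    }
    return alarms;
}

/* Constructed sample log standing in for a recorded execution. */
static const struct copy_event sample_log[] = {
    { KBUF_SIZE,  8, "benign request" },
    { KBUF_SIZE, 16, "benign request at exact capacity" },
    { KBUF_SIZE, 40, "oversized request, payload A" },
    { KBUF_SIZE, 17, "oversized request, payload B" },
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    int first;
    int n = replay_and_check(sample_log, SAMPLE_LOG_LEN, &first);
    printf("%d alarm(s); first at event %d\n", n, first);
    return 0;
}
```

Both oversized requests raise an alarm even though their payloads differ, while the request that exactly fills the buffer does not.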