Cross Cutting Thrusts: Software Security
Scope: Given a complete and exact trace of the execution of an entire system, it is possible to deduce every operation that took place. Such a trace can even be used to demonstrate that some operation did not happen, a highly desirable property for information assurance. Given the importance of execution trace recording, we propose an unobtrusive and efficient mechanism that provides this property for current legacy computing environments such as Windows and Linux. Our approach requires neither special-purpose hardware nor changes to existing operating systems or applications. Our primitive, XTRec, records the execution trace of the entire system (including the OS and applications) in real time at the instruction level. XTRec also protects the recording mechanism against subversion and preserves the integrity of the recorded execution trace.
Outcomes: With new malware appearing rapidly, XTRec makes it possible to perform forensic analysis either in real time or a posteriori. We have implemented a full prototype of XTRec on the AMD SVM platform running Windows Server 2003. Our prototype consists of fewer than 2,000 lines of code and requires no changes to existing platform hardware or the OS. We have used XTRec to show whether a particular set of code has executed on a system or, conversely, to prove that some malware has not executed on it. Our initial performance results have been very impressive: an Apache web server running under XTRec exhibits only a 5% slowdown, while a full-blown MySQL database server exhibits an 18% slowdown. Given the fine-grained information XTRec records, we believe this is an acceptable trade-off between security and performance for real-world deployments. Based on our experimental evaluation we have also identified a hardware change to existing x86 CPUs that would allow arbitrary applications to run under XTRec with minimal overhead.
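The two claims above, that a complete trace lets an analyst show whether a given code region ever executed (and prove that it did not) and that the recorded trace must be integrity-protected, can be illustrated with a small trace-analysis model. The following is an added example and not XTRec's own record format or code; it assumes a hypothetical trace of one instruction address per record, a hash chain as the integrity mechanism, and constructed address ranges and sample records. The point it makes that the text only implies: a negative claim ("this malware never ran") is only sound when the trace both verifies against a digest produced by the trusted recorder and is shown to be gap-free.

```python
"""Illustrative model of answering "did code in [lo, hi) execute?" from an
instruction-level execution trace. Constructed example; not XTRec's format."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # [lo, hi) of instruction addresses


@dataclass(frozen=True)
class Record:
    seq: int  # sequence number assigned by the recorder, contiguous from 0
    pc: int   # address of the instruction that executed


GENESIS = b"\x00" * 32  # hash-chain starting value (assumption of this model)


def chain_digest(records: Iterable[Record]) -> bytes:
    """Fold the trace into a hash chain; each link covers the previous link,
    so modifying, reordering or truncating records changes the final digest."""
    h = GENESIS
    for r in records:
        h = hashlib.sha256(
            h + r.seq.to_bytes(8, "little") + r.pc.to_bytes(8, "little")
        ).digest()
    return h


def is_complete(records: List[Record]) -> bool:
    """A trace with missing sequence numbers cannot support a negative claim."""
    return all(r.seq == i for i, r in enumerate(records))


def verify(records: List[Record], attested_digest: bytes) -> bool:
    """Trace is usable for forensics only if it is gap-free and matches the
    digest the protected recorder produced."""
    return is_complete(records) and chain_digest(records) == attested_digest


def executed_in(records: Iterable[Record], lo: int, hi: int) -> List[int]:
    """Sequence numbers at which an instruction inside [lo, hi) executed."""
    return [r.seq for r in records if lo <= r.pc < hi]


def absence_proven(records: List[Record], attested_digest: bytes,
                   lo: int, hi: int) -> bool:
    """True only when the trace verifies AND contains no pc inside [lo, hi).
    An empty query result on an unverified trace proves nothing."""
    return verify(records, attested_digest) and not executed_in(records, lo, hi)


# Constructed sample: a short loop in the program's text, one call into a
# shared library, and a hypothetical injected-code region that never runs.
BENIGN: Range = (0x401000, 0x402000)
LIB: Range = (0x7F0000001000, 0x7F0000002000)
SUSPECT: Range = (0x7F00DEADB000, 0x7F00DEADC000)  # hypothetical malware region

TRACE = [Record(i, pc) for i, pc in enumerate([
    0x401000, 0x401004, 0x401008, 0x401004, 0x401008, 0x40100C,
    0x7F0000001000, 0x7F0000001004, 0x401010,
])]

# In deployment this digest would come from the recorder's protected store;
# here it is computed over the constructed trace for illustration.
ATTESTED = chain_digest(TRACE)


def drop_record(records: List[Record], seq: int) -> List[Record]:
    """Simulate an attacker deleting one record without renumbering."""
    return [r for r in records if r.seq != seq]


def drop_and_renumber(records: List[Record], seq: int) -> List[Record]:
    """Simulate a more careful attacker who hides the gap by renumbering."""
    return [Record(i, r.pc) for i, r in enumerate(drop_record(records, seq))]


if __name__ == "__main__":
    print("benign  :", executed_in(TRACE, *BENIGN))
    print("library :", executed_in(TRACE, *LIB))
    print("suspect :", executed_in(TRACE, *SUSPECT))
    print("absence proven:", absence_proven(TRACE, ATTESTED, *SUSPECT))
    print("after tamper  :", absence_proven(drop_record(TRACE, 3), ATTESTED, *SUSPECT))
```

Both tamper cases are caught, but by different checks: deleting a record leaves a sequence gap that `is_complete` detects, while deleting and renumbering yields a contiguous trace that only the chained digest rejects. A real recorder must therefore protect the digest (or the trace store) from the code being traced, which is the subversion-resistance property the project description refers to.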