Recovery is a time-consuming and computationally expensive operation. If an attacker can affect heavily-shared objects on the machine, then many other processes and files can be compromised from accessing them. This would greatly increase the recovery effort. Since intrusions start with a network connection, we argue that the integrity of heavily-shared objects should be protected from the network, in order to minimize the recovery effort. We discuss our prototype Rosie, which is designed with incident response and post-intrusion recovery in mind. Rosie predicts how heavily-shared each file or process is, based on the previous system activities observed. Rosie enforces appropriate mandatory access control and uses techniques such as sandboxing, in order to protect heavily-shared objects’ integrity. Rosie provides an important recovery guarantee that the maximum number of files need to be recovered is at most equal to the dependency threshold, a value that can be adjusted by a system administrator.
Identifer | oai:union.ndltd.org:TORONTO/oai:tspace.library.utoronto.ca:1807/35593 |
Date | 11 July 2013 |
Creators | Chow, Shun Yee |
Contributors | Goel, Ashvin |
Source Sets | University of Toronto |
Language | en_ca |
Detected Language | English |
Type | Thesis |
Page generated in 0.0018 seconds