Abstract

In this paper, a recovery scheme for the safe execution of untrusted programs is presented. In this scheme, when the effects of an untrusted program's execution are undesirable, the system can easily be rolled back to the initial state captured by a checkpoint set before the program executed. In high-security systems, only trustworthy programs, whose names are listed in a whitelist, are allowed to execute. However, forbidding all unknown programs is unacceptable. In order to reduce the risk of running an uncertified program, many solutions have been proposed, most of which fall into three categories: detection, protection, or recovery. As a recovery scheme, our system does not change the program or its context at runtime; it only monitors the process during execution, records the accesses it makes to system resources, and simultaneously backs up the modifications it makes to the file system. When the record shows that the program's effects are unexpected, the administrator can undo the program's modifications to the file system according to the record. We have implemented a prototype system for the Linux operating system using Linux Security Modules (LSM), which can be integrated into other security modules seamlessly. Key advantages of our scheme are that it requires no changes to the untrusted programs or their execution context; it does nothing to hinder the execution process, and it has only negligible performance overhead.
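As an added illustration, not code from the paper or its LSM prototype, the following Python models the record-and-undo part of the scheme in user space: every write by the monitored program is logged, the pre-modification state of each touched path is backed up once, and rollback restores that checkpointed state (deleting files the program created). The class and function names are hypothetical; the real prototype does this from kernel LSM hooks rather than from a wrapper around the write.

```python
import os
import shutil
import tempfile

class RecoveryJournal:
    """Hypothetical user-space model of the scheme: log each resource access and
    back up the pre-modification state of every path before it is changed."""
    def __init__(self, backup_dir):
        self.backup_dir = backup_dir
        self.log = []      # ordered record of the program's resource accesses
        self.backups = {}  # path -> backup copy, or None if the path did not exist

    def before_modify(self, op, path):
        """Record the access and back up `path` the first time it is touched."""
        self.log.append((op, path))
        if path in self.backups:
            return
        if os.path.exists(path):
            dest = os.path.join(self.backup_dir, str(len(self.backups)))
            shutil.copy2(path, dest)
            self.backups[path] = dest
        else:
            self.backups[path] = None  # created by the program: rollback removes it

    def rollback(self):
        """Undo every recorded modification, restoring the checkpointed state."""
        for path, backup in self.backups.items():
            if backup is not None:
                shutil.copy2(backup, path)
            elif os.path.exists(path):
                os.remove(path)

def monitored_write(journal, path, data):
    """Stand-in for an LSM-mediated write: journal first, then let the write proceed."""
    journal.before_modify("write", path)
    with open(path, "w") as f:
        f.write(data)

def demo():
    """Constructed scenario: the program overwrites config.txt and creates new.txt."""
    work, backups = tempfile.mkdtemp(), tempfile.mkdtemp()
    cfg, new = os.path.join(work, "config.txt"), os.path.join(work, "new.txt")
    with open(cfg, "w") as f:
        f.write("trusted=1\n")
    j = RecoveryJournal(backups)
    monitored_write(j, cfg, "trusted=0\n")  # unexpected change to an existing file
    monitored_write(j, new, "dropped\n")    # unexpected new file
    monitored_write(j, cfg, "trusted=0\n")  # repeat write must not replace the backup
    j.rollback()
    with open(cfg) as f:
        restored = f.read()
    return restored, os.path.exists(new), len(j.log)
```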
