Hi, I was inspired by a mode of operation supported by VMWare. You can have a base disk image shared by multiple virtual machine (vm) instances. That base image is never altered by a vm instance. Instead, each vm instance writes changes to its own "redo" log. Future hard disk reads from that vm instance incorporate both the base image and the appropriate redo log to present the current disk image for that specific virtual machine. This is described here (thanks to Duane for providing this link on the honeypots mailing list) http://www.vmware.com/support/reference/common/disk_sharing.html Could this basic concept be used to easily make self-fixing client/server applications that efficiently and automatically recover from most attacks, even before those attacks have been discovered? Here is what I imagine. The physical architectures of most production client/server systems are layered. For example, your basic web application might have a web server running Apache, connected to an application server running some J2EE or .Net business logic, connected to a database server for persistence. The only one of these whose disk image really should evolve over time is the database server, and even here you often put the static RDBMS software on one partition and the changeable datafiles on another partition. It is only the partition with the volatile datafiles that must be allowed to change from one boot to the next. Other paritions may need to be writable for, say, swap space, but these changes could be eliminated on each reboot. When someone cracks this system, they will probably change an image that shouldn't be changed. E.g., they might leverage a buffer overflow in IIS or Apache to install a trojan or a backdoor on the more exposed web server. But what if the web server ran off a base image, writing changes to a "delta" or "redo" partition? And then what if every night it automatically erased the redo partition and rebooted? The downtime involved for each machine would be minimal, because it is only deleting data - rather than restoring from backup. In a system with redundant web servers for load balancing or high availability, this could be scheduled in a way such that the system is always accessible. This base/redo partition concept could be implemented at the same level as a feature of hardware RAID, allowing for greater performance, reliability, and hack resistance. This concept could also be applied to the application servers, and even the database server partitions (except for those partitions which contain the table data files, of course.) Does anyone do this already? Or is this a new concept? Or has this concept been discussed before and abandoned for some reasons that I don't yet know? I use the physical architecture of a basic web application as an example in this post, but this concept could of course be applied to most server systems. It would allow for the hardware-separation of volatile and non-volatile disk images. It would be analogous to performing nightly ghosting operations, only it would be more efficient and involve less (or no) downtime. Thanks for any opinions, Ben
This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 10:58:41 PDT