I did something crudely along those lines for VMS VAX maybe 13 years ago; there is at least one product that does it for PC though I don't recall its name. It is also handy for cases where you have a CD image of some filesystem (or some other image of a filesystem) that is intrinsically readonly but whose filesystem will not accept (or is not graceful) readonly storage. It is also more or less necessary if you want to work with WORM file structures, which are older still. There have been a number of filesystems for those dating back to the early 1980s if not before. A generic facility of the type you mention is also one way to implement snapshots on top of an existing filesystem. The written information must (obviously!) be seekable so you can provide the illusion that you wrote to the storage. A device level implementation is however perfectly adequate. It does not, of course, distinguish for you what should have been changed and what should not. If you truly know a device (or perhaps a partition) must not be written, it can be simpler to either return error on writes, or to just return a fake success on writes yet discard the data. (NTFS lives with the latter strategy just fine from my experiments. I have not tried it on extf3 or reiser.) BTW, think about your mention of RAID and consider the complexity of writing to RAID4 or RAID5... I would contend that with cheaper storage these days, it makes little sense to use RAID, save for shadowing and possibly striping. Those at least do not have the complexity and slowup dangers that higher RAID levels have, and there is not a need to save the cost of disk so much where a single disk may hold 200 gigs and up. Why not dedicate another whole disk to fault recovery and lose the complexity and slow write (sometimes) of RAID? Glenn Everhart -----Original Message----- From: bmord@icon-nicholson.com [mailto:bmord@icon-nicholson.com] Sent: Tuesday, September 03, 2002 3:04 PM To: Webappsec Securityfocus.Com; SECPROG Securityfocus Subject: use of base image / delta image for automated recovery from attacks Hi, I was inspired by a mode of operation supported by VMWare. You can have a base disk image shared by multiple virtual machine (vm) instances. That base image is never altered by a vm instance. Instead, each vm instance writes changes to its own "redo" log. Future hard disk reads from that vm instance incorporate both the base image and the appropriate redo log to present the current disk image for that specific virtual machine. This is described here (thanks to Duane for providing this link on the honeypots mailing list) http://www.vmware.com/support/reference/common/disk_sharing.html Could this basic concept be used to easily make self-fixing client/server applications that efficiently and automatically recover from most attacks, even before those attacks have been discovered? Here is what I imagine. The physical architectures of most production client/server systems are layered. For example, your basic web application might have a web server running Apache, connected to an application server running some J2EE or .Net business logic, connected to a database server for persistence. The only one of these whose disk image really should evolve over time is the database server, and even here you often put the static RDBMS software on one partition and the changeable datafiles on another partition. It is only the partition with the volatile datafiles that must be allowed to change from one boot to the next. Other paritions may need to be writable for, say, swap space, but these changes could be eliminated on each reboot. When someone cracks this system, they will probably change an image that shouldn't be changed. E.g., they might leverage a buffer overflow in IIS or Apache to install a trojan or a backdoor on the more exposed web server. But what if the web server ran off a base image, writing changes to a "delta" or "redo" partition? And then what if every night it automatically erased the redo partition and rebooted? The downtime involved for each machine would be minimal, because it is only deleting data - rather than restoring from backup. In a system with redundant web servers for load balancing or high availability, this could be scheduled in a way such that the system is always accessible. This base/redo partition concept could be implemented at the same level as a feature of hardware RAID, allowing for greater performance, reliability, and hack resistance. This concept could also be applied to the application servers, and even the database server partitions (except for those partitions which contain the table data files, of course.) Does anyone do this already? Or is this a new concept? Or has this concept been discussed before and abandoned for some reasons that I don't yet know? I use the physical architecture of a basic web application as an example in this post, but this concept could of course be applied to most server systems. It would allow for the hardware-separation of volatile and non-volatile disk images. It would be analogous to performing nightly ghosting operations, only it would be more efficient and involve less (or no) downtime. Thanks for any opinions, Ben ********************************************************************** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **********************************************************************
This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 13:05:35 PDT