From Patches to HoneyPatches Lightweight Attacker Misdirection Deception and Disinformation - PDF document

formwellenoughforattackersthatattackfailuresarenotplacarded,and(3)oerhighcompatibilitywithsoftwarethatboastsaggressivemulti-processing,multi-threading,andactiveconnectionmigrationacrossIPs.Solutionsmustbesucientlymodularandgenericthatadministratorsrequireonlyasu-percial,high-levelunderstandingofeachpatch'sstructureandsemanticstoreformulateitasaneectivehoney-patch.Specically,weenvisionthefollowingpracticalrequirements:1.Remoteforkingofattackersessionsmusthappenlive,withnoperceptibledisruptioninthetargetapplication;establishedconnectionsmustnotbebroken.2.Decoydeploymentmustbefast,toavoidoeringovert,reliabletimingchannelsthatadvertisethehoney-patch.3.Allsensitivedatamustberedactedbeforethedecoyresumesexecution.Together,theserequirementsmotivatethreemaindesigndecisions.First,therequiredtimeperformanceprecludessystem-levelcloning(e.g.,VMcloning[13])forsessionforking;instead,weemployalighter-weight,ner-grainedalternativebasedonprocessmigrationthroughcheckpoint-restart[41].Toscaletomanyconcurrentattacks,weuseanOS-levelvirtualizationtechniquetodeployforkedprocessestodecoycontainers,whichcanbecreated,deployed,anddestroyedordersofmagnitudefasterthanothervirtualizationtechniques,suchasfullvirtualizationorpara-virtualization[60].Second,ourapproachtoremotesessionforkingbenetsfromthesynergybetweenmainstreamLinuxkernelAPIsanduser-spacetools,allowingforasmallfreezingtimeofthetargetapplication.Tomaintainestablishedconnectionswhenforking,wehaveconceivedandimplementedaconnectionrelocationprocedurethatallowsfortransparentsessionmigration.Third,toguaranteethatsuccessfulexploitsdonotaordattackersaccesstosensitivedatastoredinapplicationmemory,wehaveimplementedamemoryredactionandlight-weightsyn-chronizationmechanismduringforking.Thiscensorssensitivedatafromprocessmemorybeforetheforked(unpatched)ses-sionresumes.Forkeddecoyshostadeceptivelesystemthatomitsallsecrets,andthatcanbelacedwithdisinformationtofurtherdeceive,delay,andmisdirectattackers.2.3ThreatModelAttackersinourmodelsubmitmaliciousinputs(HTTPrequests)intendedtoprobeandexploitknownvulnerabilitiesonvictimwebservers.Oursystemdoesnotdefendagainstexploitsofpreviouslyunknown(i.e.,zero-day)vulnerabilities;suchprotectionisoutsideourscope.Althoughtheexploitedvulnerabilitiesareknown,weassumethattheattackpayloadsmightbecompletelyuniqueandthereforeunknowntodefenders.Suchpayloadsmighteludenetwork-levelmonitors,andarethereforebestdetectedatthesoftwarelevelatthepointofexploit.Wealsoassumethatattackersmightuseonepayloadforreconnaissancebutreserveanotherforthenalattack.Misleadingtheattackerintolaunchingthenalattackisthereforeusefulfordiscoveringthenalattackpayload,whichcandivulgeattackerstrategiesandgoalsnotdiscerniblefromthereconnaissancepayloadalone.Attackerrequestsareprocessedbyaserverpossessingstrictlyuser-levelprivileges,andmustthereforeleveragewebserverbugsandkernel-suppliedservicestoperformmaliciousactions,suchascorruptingthelesystemoraccessingotherusers'memorytoaccesscondentialdata.Thedefender'sabilitytothwarttheseandfutureattacksstemsfromhisabilitytode ectattackerstofullyisolateddecoysandperformcounterreconnaissance(e.g.,attackattributionandinformationgathering).2.4BackgroundApacheHTTPhasbeenthemostpopularwebserversinceApril1996[4].Itsmarketshareincludes54.5%ofallactivewebsites(thesecond,Nginx,has11.97%)and55.45%ofthetop-millionwebsites(againstNginxwith15.91%)[42].Itisarobust,commercial-grade,feature-richopen-sourcesoftwareproductcomprisedof2.27MSLOCmostlyinC[44],andhasbeentestedonmillionsofwebserversaroundtheworld.Thesecharacteristicsmakeitahighlychallenging,interesting,andpractical agshipcasestudytotestourapproach.ProcessCheckpoint-restart.Processmigrationthroughcheckpoint-restartistheactoftransferringarunningprocessbetweentwonodesbydumpingitsstateonthesourceandresumingitsexecutiononthedestination.(Amechanismtotransferthestatebetweennodesisassumed.)Recently,therehasbeengrowinginterestinthisproblem,especiallyforhigh-performancecomputing[27,57].Asaresult,severalemergingtoolshavebeendevelopedtosupportperformance-criticalprocesscheckpoint-restart(e.g.,BLCR[20],DMTCP[3],andCRIU[18]).Processcheckpoint-restartplaysapivotalroleinmakingthehoney-patchconceptviable.Inthiswork,wehaveextendedCRIU(Checkpoint/RestoreInUserspace)[18]withmemoryredactionandtransparentrelocationofTCPconnectionstorestoreactiveattackersessionsindecoyswithoutdisruptingthesourcewebserver.LinuxContainers.OS-levelvirtualizationallowsmultipleguestnodes(containers)tosharethekerneloftheircontrol-linghost.Linuxcontainers(LXC)[39]implementOS-levelvirtualization,withresourcemanagementviaprocesscontrolgroupsandfullresourceisolationviaLinuxnamespaces.Thisensuresthateachcontainer'sprocesses,lesystem,network,andusersremainmutuallyisolated.Forourpurposes,LXCoersalightweightsandboxthatweleverageforattackersessionisolation.Forecientcontainermanagement,weusetheoverlaylesystemtodeploycon-tainersbackedbyaregulardirectory(thetemplate)toclonenewoverlayfscontainers(decoys),mountingthetemplate'srootlesystemasaread-onlylowermountandanewprivatedeltadirectoryasaread-writeuppermount.Thetemplateusedtoclonedecoysisacopyofthetargetcontainerinwhichallsensitivelesarereplacedwithdisinformation.3.ARCHITECTUREThearchitectureofRedHerringisshowninFig.1.CentraltothesystemisareverseproxythatactsasatransparentproxybetweenusersandinternalserversdeployedasLXCcontainers.Thetargetcontainerhoststhehoney-patchedwebserverinstance,andthendecoysformthepoolofephemeralcontainersmanagedbytheLXCController.Thedecoysserveastemporaryenvironmentsforattackersessions.EachcontainerrunsaCR-Service(Checkpoint/Restore)daemon,whichexposesaninterfacecontrolledbytheCR-Controllerforremotecheckpointandrestore.Honey-patch.Thehoney-patchmechanismisencapsulatedinatinyClibrary,allowingforlow-couplingbetweentargetapplicationandhoney-patchinglogic.ThelibraryexposesthreeAPIfunctions: Figure3:Attackersessionforking.Numbersindicatethesequentialstepstakentoforkanattackersession.detectingattacks.Thereisalsonosessioncaching.Thismakesitextremelyinnocuousandlightweight.Weimplementedtheproxyasatransport-layerreverseproxytoreduceroutingoverheadandsupportthevarietyofprotocolsoperatingaboveTCP,includingSSL/TLS.Asanorchestrator,theproxylistensforforkrequestsandcoordinatestheattackersessionforkingasshowninFig.3.Underlegitimateload,theproxysimplyroutesuserrequeststothetargetandroutesserverresponsestousers.However,attackinputselicitthefollowingalternatework ow:Step1:Theattackerprobestheserverwithacraftedrequest(denotedbyGET/maliciousinFig.3).Step2:Thereverseproxytransparentlyroutestherequesttothebackendtargetwebserver.Step3:Therequesttriggersthehoney-patch(i.e.,whenthehoney-patchdetectsanattemptedexploitofthepatchedvulnerability)andissuesaforkrequesttothereverseproxy.Step4:Theproxy'sCR-Controllerprocessestherequest,acquiresadecoyfromtheLXCPool,andissuesacheckpointRPCrequesttothetarget'sCR-Service.TheCR-Service4.1:checkpointstherunningwebserverinstancetothe/imgsdirectory;and4.2:signalstheattackersessionwithaterminationcode,gracefullyterminatingit.Step5:Uponcheckpointcompletion,theCR-Controllercommandsthedecoy'sCR-Servicetorestorethedumpedwebserverimagesonthedecoy.TheCR-Servicethen5.1:restoresacloneofthewebserverfromthedumpimageslocatedinthe/imgsdirectory;and5.2:signalstheattackersessionwitharesumecode,andcleansthedumpdatafrom/imgs.Step6:Theattackersessionresumesonthedecoy,andaresponseissentbacktothereverseproxy.Step7:Thereverseproxyroutestheresponsetotheattacker.Throughoutthiswork ow,theattacker'ssessionforkingiscompletelytransparenttotheattacker.Toavoidanysubstantialoverheadfortransferringlesbetweentargetanddecoys,weadoptthestrategyofbind-mountingeachdecoy's/imgsfoldertothetarget's/imgsdirectory.Afterthesessionhasbeenforkedtothedecoy,itbehaveslikeanunpatchedserver,makingitappearthatnoredirectionhastakenplaceandtheoriginalprobedserverisvulnerable.4.SESSIONREMOTEFORKINGAtthecoreofourarchitectureisthecapabilityofremoteforkinganattackersessiontoadecoythroughcheckpointandrestoreofthetargetserver.Tothisend,wehaveextendedCRIU[18]withamemoryredactionprocedureperformedduringcheckpointtoprotectsensitivedataoflegitimateusers,andatransparentconnectionrelocationmechanismtorestoreTCPconnectionsinthedestinationdecoywithoutstoppingthetargetserver.WenamethisextendedversionCRIUm.4.1CheckpointThecheckpointproceduretakesplaceinthetargetcontainerandisinitiatedwhentheCR-Servicereceivesacheckpointrequest.Therequestincludestheprocessgroupleader$pgid,attackerprocess$pid,andattackerthread$tid.TheCR-ServicepassesthisinformationtoourCRIUmcheckpointinterface,whichinturn:(1)usesthe/proclesystemtocollectledescriptors(/proc/$pgid/fdand/proc/$pgid/fdinfo),pipeparameters,andmemorymaps(/proc/$pgid/maps)fortheprocessgroup;(2)walksthrough/proc/$pgid/task/andgatherschildprocessesrecursivelytobuildtheprocesstree;(3)locksthenetworkbyaddingnetlterrulesandcollectingsocketinformation;(4)usesptrace(withPTRACE_SEIZE)toattachtoeachchild(withoutstoppingit)andcollectVMAareas,thetask'sledescriptornumbers,andcoreparameterssuchasregisters;(5)injectsaBLOBcodeintothechildaddressspacetocollectstateinformationsuchasmemorypages;(6)performsmemoryredactionusing$pidand$tid;(7)usesptracetoremovetheinjectedcodefromthechildprocessandcontinuesuntilallchildrenhavebeentraced;(8)unlocksnetworkusingnetlter,andnishestheprocedurebywritingtheprocesstreeimagelesto/imgs/$tid/.Atthispoint,CRIUmreturnstothecaller,thewebserverisrunning,andtheattackerthreadwaitstobesignaled.TheCR-Servicethensendsaterminationsignaltotheattackerthread,whichterminatesitselfgracefullyinthetargetwebserver.Thissuccessfullycompletesthecheckpointrequest,andtheCR-ServicesendsasuccessstatusresponsetotheCR-Controller.Wenextexaminethememoryredactionstepingreaterdetail,toexplainhowsensitive,in-memorydataissafelyreplacedwithdecoydataduringthefork.MemoryRedaction.Weresessioncloningperformedinthetypical,rotefashionofcopyingallbytes,attackerswhosuccessfullyhijackdecoyscouldpotentiallyviewanyconden-tialdatacopiedfromthememoryspaceoftheoriginalprocess(e.g.,inamulti-threadedsetting).Sophisticatedattackscouldthusgleansensitiveinformationaboutotheruserspreviouslyorconcurrentlyconnectedtotheoriginalserverprocess,if suchinformationisclonedwiththeprocess.Inwebservers,suchsensitiveinformationincludesIPaddressesofotherusers,requesthistories,andinformationaboutencryptedconnections.Itisthereforeimportanttoredactthesesecretsduringcloning.Wethereforeintroduceamemoryredactionprocedurethatreplacessensitivedatawithspeciallyforged,anonymousdataduringcloning.Sinceeveryserverapplicationhasdierentformsofsensitivedatastoredinslightlydierentways,oursolutionisageneral-purposetoolthatmustbespecializedtoeachserverproductbyanadministratorpriortodeployment.InthecaseofApache,wefocusonredactionofuserrequestdata,sessiondata,andSSLcontextdata,whichApacherecordsinafewdatastructuresstoredinmemoryforeachusersession.Forinstance,Apache'srequest_recstructstoresrequesthistories.Otherserversstoresuchdatainsimilarways,butweomittheirdiscussionduetolimitedspace.Abruteforcestrategyformemoryredactionistosearchtheentireprocessmemoryspacetomatchandreplacesensitivedata.Suchastrategydoesnotperformwell.Instead,weleveragethefactthatmostsecurity-relevantdataarestoredinstructvariablesinheaporstackmemory,allowingustonarrowthesearchspacesignicantly.Freedmemoryisincludedinthesearch.Foreciency,ourredactorreplacesthesestructureswithanonymousdatahavingexactlythesamelengthandcharacteristics.Forexample,IPaddressesinrequest_recarereplacedwithstringshavingthesamelengththatarealsovalidIPaddresses,butrandomlygenerated.Thisyieldsarealistic,consistentprocessimagethatcancontinuerunningwithouterrors(savepossiblyforeectsoftheattack).Theredactionisimplementedasastepofthecheckpointprocedure,sothattheimagelestemporarilycreatedduringprocesscheckpointandsharedwithdecoysdonotcontainanysensitiveinformationthatcouldbepotentiallyabusedbyattackers.Secretsareredactedfromallsession-specicstructuresexcepttheattacker's,allowingtheattacker'ssessiontocontinueuninterrupted.WeinitiallyimplementedmemoryredactionasaseparateoperationappliedtotheimagelesgeneratedbyCRIU.WhilethisseemedattractiveforavoidingmodicationofCRIU,itexhibitedpoorperformanceduetoreadingandwritingtheimagelesmultipletimes.OurrevisedimplementationthereforerealizesredactionasastreamingoperationwithinCRIU'scheckpointingalgorithm.In-liningitwithincheck-pointingavoidsreloadingtheprocesstreeimagesintomemoryforredaction.Inaddition,redactingsecretsbeforedumpingtheprocessimagesavoidseverplacingsecretsondisk.4.2RestoreUponsuccessfulcompletionofacheckpointoperation,theCR-Controllersendsarequesttothedecoy'sCR-Serviceintowhichtheattackersessionistobeforked.Inadditionto$pgid,$pid,and$tid,thebodyoftherestorerequestcontainsacallbackportthathasbeendynamicallyassignedbythereverseproxytoholdthenewback-endconnectionassociatedwiththeattackersession.Oncetherequestisparsed,theCR-ServicepassesthisinformationasparameterstotheCRIUmrestoreinterface,which(1)readsthecorrespondingprocesstreefrom/imgs/$tid/;(2)usestheclonesystemcalltostarteachdumpedprocessfoundintheprocesstreewithitsoriginalprocessID;(3)restoresledescriptorsandpipestotheiroriginalstates,andexecutesrelocationofESTABLISHEDsocketconnections;(4)injectsaBLOBcodeintotheprocessaddressspacetorecreatethememorymapfromthedumpeddata; Figure4:ProcedureforTCPconnectionrelocation(5)removestheinjectedbinary,andresumestheexecutionoftheapplicationviathert_sigreturnsystemcall.Atthispoint,CRIUmreturnstothecaller,theforkedinstanceisrunningonthedecoy,andtheattackerthreadwaitstobesignaled.TheCR-Servicesendsaresumesignaltotheattackerthread,whichallowsittoresumerequestprocessing.Thiscompletestherestorerequest,andtheCR-ServicesendsasuccessresponsetotheCR-Controller.Subsequentattackerrequestsarerelayedtothedecoyinsteadofthetarget,asdiscussedinx3.Next,wediscussdetailsoftheTCPconnectionrelocationprocedure.EstablishedConnectionRelocation.Targetanddecoysarefullyisolatedcontainersrunningonseparatenamespaces.Asaresult,eachcontainerisassignedauniqueIPintheinternalnetwork,whichaectshowwemoveactiveconnectionsfromthetargettoadecoy.SinceCRIUwasnotimplementedwiththisusecaseinmind,weextendedittosupportrelocationofTCPconnectionsduringprocessrestoration.Inwhatfollows,weexplainhowweapproachedthisproblem.Thereverseproxyalwaysrouteslegitimateuserconnectionstothetarget;hence,thereisnoneedtorestorethestateofconnectionsfortheseuserswhenrestoringthewebserveronadecoy.Wesimplyrestorelegitimateconnectionsto\drainer"sockets,sincewehavenointerestinmaintaininglegitimateuserinteractionwiththedecoys.Thisensuresthattheassociatedusersessionsarerestoredtocompletionwithoutinterruptingtheoverallapplicationrestoration.Conversely,theattackerconnectionmustberestoredtoitsdumpedstatewhenswitchingtheattackersessiontoadecoy.Thisisimportanttoavoidconnectiondisruptionandtoallowtransparentsessionmigration(fromtheperspectiveoftheattacker).Toaccomplishthis,ourproxydynamicallyestablishesanewback-endTCPconnectionbetweenproxyanddecoycontainersinordertoholdtheattackersessioncommunication.Moreover,amechanismbasedonTCPrepairoptions[16]isemployedtotransferthestateoftheoriginalattacker'ssessionsocket(boundtothetargetIPaddress)intothenewlycreatedsocket(boundtothedecoyIPaddress).Figure4describestheconnectionrelocationmechanism,implementedasastepoftheattacker'ssessionrestoreprocess.Atprocesscheckpoint,thestateinformationoftheoriginalsocketskisdumpedtogetherwiththeprocessimage(notshowninthegure).Thisincludesconnectionbounds,previ-ouslynegotiatedsocketoptions,sequencenumbers,receivingandsendingqueues,andconnectionstate.Duringprocessrestore,werelocatetheconnectiontotheassigneddecoyby(1)connectinganewsockettsktotheproxy$portgivenintherestorerequest,(2)settingtsktorepairmodeandsilentlyclosingthesocket(i.e.,noFINorRSTpackagesaresenttothe (a)315ms,n=10 (b)0:635;n=10 (c)0:31:2;2594Figure6:Performancebenchmarks.(a)EectofpayloadsizeonmaliciousHTTPrequestround-triptime.(b)EectofconcurrentattacksonlegitimateHTTPrequestround-triptimeonasingle-nodeVM.(c)Stresstestillustratingrequestthroughputfora3-node,load-balancedRedHerringsetup(workload5Krequests).measuredthroughputrangingfrom169to312requestspersecond.Intypicalproductionsettingswewouldexpectthisdelaytobeamortizedbythenetworklatency(usuallyontheorderofseveraltensofmilliseconds).Thisresultisimportantbecauseitdemonstratesthathoney-patchingcanberealizedforlarge-scale,performancecriticalsoftwareapplicationswithminimaloverheadsforlegitimateusers.6.3WebServersComparisonWealsotestedRedHerringonLighttpd[38]andNg-inx[43],webserverswhosedesignsaresignicantlydierentfromApache.Themostnotabledierenceliesinthepro-cessingmodeloftheseservers,whichemploysnon-blockingsystemscalls(e.g.,select,poll,epoll)toperformasynchronousI/OoperationsforconcurrentprocessingofmultipleHTTPrequests.Incontrast,Apachedispatcheseachrequesttoachildprocessorthread[45].Oursuccesswiththesethreetypesofserverevidencestheversatilityofourapproach.Figure7showsourresults.IncomparisontoApache,sessionforkingperformedconsiderablybetteronLighttpdandNginx(rangingbetween0.092secondswithoutmemoryredactionand0.156secondswithredaction).Thisismainlybecausetheseservershavesmallerprocessimages,reducingtheamountofstatetobecollectedandredactedduringcheckpointing.7.DISCUSSIONSelectivehoney-patching.Ourworkevaluatesthefeasi-bilityofhoney-patchingasrealisticapplication,butraisesinterestingquestionsabouthowtoevaluatethestrategicadvantagesordisadvantagesofhoney-patchingvariousspecicvulnerabilities.Forexample,somepatchesclosevulnerabilitiesbyaddingnew,legitimatesoftwarefunctionalities.Convertingsuchpatchestohoney-patchesmightbeinadvisable,sinceitmighttreatusesofthosenewfunctionalitiesasattacks.Ingeneral,honey-patchingshouldbeappliedjudiciouslybasedonanassessmentofattackeranddefenderrisk.Futurework Figure7:MaliciousHTTPrequestround-triptimesfordierentwebservers(611ms;n=20)shouldconsiderhowtoreliablyconductsuchassessments.Similarly,honey-patchingcanbeappliedselectivelytosimulatedierentsoftwareversionsandachieveversioningconsistency.Automation.Ourimplementationapproachoersasemi-manualprocessfortransformingpatchesintohoney-patches.Anobviousnextstepistoautomatethisbyincorporatingitintoarewritingtoolorcompiler.Oneinterestingchal-lengeconcernsthequestionofhowtoauditorvalidatethesecretredactionstepforarbitrarysoftware.Futureresearchshouldconsiderfacilitatingthisbyapplyinglanguage-basedinformation owanalyses(cf.,[47]).ActiveDefense.Honey-patchingenhancesthecurrentrealmofweaponizedsoftwarebyplacingdefendersinafavorablepositiontodeployoensivetechniquesforreactingtoattacks.Forexample,decoysprovidetheidealenvironmentforim-plementingstealthytrapstodisinformattackersandreportpreciselywhatattacksaredoinginreal-time[17],andfurtherinsightintotheattackers'modusoperandicanbegainedbyforgingandactingupondecoydata.ThereisexistingworkinthisdirectioninDARPA'sMission-orientedResilientClouds(MRC)program[55].Deception.Theeectivenessofahoney-patchiscontingentuponthedeceptivenessofdecoyenvironments.Priorworkhasinvestigatedtheproblemofhowtogenerateandmaintainconvincinghoney-dataforeectiveattackerdeception(e.g.,[11,48,54,62]),butthereareotherpotentialavenuesofdeceptiondiscoverythatmustbeconsidered.Responsetimesareoneobviouschannelofpossiblediscoverythatmustbeconsidered.Cloningisecientbutstillintroducesnon-zeroresponsedelayforattackers.Bycollectingenoughtimingstatistics,attackersmighttrytodetectresponsedelaystodiscernhoney-patches.Ourongoingworkisfocusingonimprovingtheeciencyofthememoryredactionstep,whichisthesourceofmostofthethisdelay.Inaddition,RedHerring'sdeceptivenessagainstdiscoverythroughresponsedelaysisaidedbytheplethoraofnoisylatencysourcesthatmostwebserversnaturallyexperience,whichtendtoeclipsetherelativelysmalldelaysintroducedbyhoney-patching[49].Unpatched,vulnerableserversoftenrespondslowertomaliciousinputsthantonormaltrac[25,58],justlikehoney-patchedservers.Thissuggeststhatdetectinghoney-patchesbyprobingfordelayedresponsestoattacksmayyieldmanyfalsepositivesforattackers.Ifcriminalsreacttotheriseofhoney-patchingbycautiouslyavoidingattacksagainstserversthatrespondslightlyslowerwhenattacked,manyotherwisesuccessfulattackswillhavebeenthwarted. virtualenvironments.InProc.IEEEInt.Conf.ClusterComputing(CLUSTER),pages197{206,2010.[28]Google.ProtocolBuers.https://code.google.com/p/protobuf,2014.[29]Google.Webmetrics.https://developers.google.com/speed/articles/web-metrics,2014.[30]T.Jackson,B.Salamat,A.Homescu,K.Manivannan,G.Wagner,A.Gal,S.Brunthaler,C.Wimmer,andM.Franz.Compiler-generatedsoftwarediversity.InS.Jajodia,A.K.Ghosh,V.Swarup,C.Wang,andX.S.Wang,editors,MovingTargetDefense{CreatingAsymmetricUncertaintyforCyberThreats,pages77{98.Springer,2011.[31]J.Jang,A.Agrawal,andD.Brumley.ReDeBug:FindingunpatchedcodeclonesinentireOSdistributions.InProc.IEEESym.Security&Privacy(S&P),pages48{62,2012.[32]X.Jiang,D.Xu,andY.-M.Wang.Collapsar:AVM-basedhoneyfarmandreversehoneyfarmarchitecturefornetworkattackcaptureanddetention.J.ParallelandDistributedComputing{SpecialIssueonSecurityinGridandDistributedSystems,66(9):1165{1180,2006.[33]W.Kandek.Yearclosing{December2013patchTuesday.Qualys:LawsofVulnerabilities,Dec.2013.[34]S.Kulkarni,M.Mutalik,P.Kulkarni,andT.Gupta.Honeydoop{asystemforon-demandvirtualhighinteractionhoneypots.InProc.Int.Conf.forInternetTechnologyandSecuredTransactions(ICITST),pages743{747,2012.[35]I.Kuwatly,M.Sraj,Z.A.Masri,andH.Artail.Adynamichoneypotdesignforintrusiondetection.InProc.IEEE/ACSInt.Conf.PervasiveServices(ICPS),pages95{104,2004.[36]H.A.Lagar-Cavilla,J.A.Whitney,A.M.Scannell,P.Patchin,S.M.Rumble,E.deLara,M.Brudno,andM.Satyanarayanan.SnowFlock:Rapidvirtualmachinecloningforcloudcomputing.InProc.ACMEuropeanConf.ComputerSystems(EuroSys),pages1{12,2009.[37]T.K.Lengyel,J.Neumann,S.Maresca,B.D.Payne,andA.Kiayias.Virtualmachineintrospectioninahybridhoneypotarchitecture.InProc.USENIXWork.CyberSecurityExperimentationandTest(CSET),2012.[38]Lighttpd.Lighttpdserverproject.http://www.lighttpd.net,2014.[39]LXC.Linuxcontainers.http://linuxcontainers.org,2014.[40]M.MaurerandD.Brumley.Tachyon:Tandemexecutionforecientlivepatchtesting.InProc.USENIXSecuritySym.,pages617{630,2012.[41]D.S.Miloicic,F.Douglis,Y.Paindaveine,R.Wheeler,andS.Zhou.Processmigration.ACMComputingSurveys,32(3):241{299,2000.[42]Netcraft.AretherereallylotsofvulnerableApachewebservers?http://news.netcraft.com/archives/2014/02/07,2014.[43]Nginx.Nginxserverproject.http://nginx.org,2014.[44]Ohloh.ApacheHTTPserverstatistics.http://www.ohloh.net/p/apache,2014.[45]V.S.Pai,P.Druschel,andW.Zwaenepoel.Flash:Anecientandportablewebserver.InProc.Conf.USENIXAnnualTechnicalConference(ATEC),pages15{15,1999.[46]N.ProvosandT.Holz.VirtualHoneypots:FromBotnetTrackingtoIntrusionDetection.Addison-WesleyProfessional,2007.[47]A.SabelfeldandA.C.Myers.Language-basedin-formation owsecurity.IEEEJ.SelectedAreasinCommunications,21(1):5{19,2003.[48]M.B.SalemandS.J.Stolfo.Decoydocumentdeploymentforeectivemasqueradeattackdetection.InProc.Int.Conf.DetectionofIntrusionsandMalware,andVulnerabilityAssessment,pages35{54,2011.[49]S.Souders.Theperformancegoldenrule.http://www.stevesouders.com/blog/2012/02/10/the-performance-golden-rule,Feb.2012.[50]L.Spitzner.Honeypots:TrackingHackers.Addison-WesleyLongman,2002.[51]Y.Sun,Y.Luo,X.Wang,Z.Wang,B.Zhang,H.Chen,andX.Li.FastlivecloningofvirtualmachinebasedonXen.InProc.IEEEConf.HighPerformanceComputingandCommunications(HPCC),pages392{399,2009.[52]The111thUnitedStatesCongress.Anactentitledthepatientprotectionandaordablecareact.PublicLaw111-148,124Stat.119,Mar.2010.[53]TheEconomicTimes.NewtechniqueRedHerringghts`Heartbleed'virus.TheTimesofIndia,Apr.15,2014.[54]J.Voris,N.Boggs,andS.J.Stolfo.Lostintranslation:Improvingdecoydocumentsviaautomatedtranslation.InProc.IEEESym.Security&PrivacyWorkshops(S&PW),pages129{133,2012.[55]J.Voris,J.Jermyn,A.D.Keromytis,andS.J.Stolfo.Baitandsnitch:Defendingcomputersystemswithdecoys.InProc.Conf.CyberInfrastructureProtection(CIP),2012.[56]M.Vrable,J.Ma,J.Chen,D.Moore,E.Vandekieft,A.C.Snoeren,G.M.Voelker,andS.Savage.Scalability,delity,andcontainmentinthePotemkinvirtualhoneyfarm.InProc.ACMSym.OperatingSystemsPrinciples(SOSP),pages148{162,2005.[57]C.Wang,F.Mueller,C.Engelmann,andS.L.Scott.Proactiveprocess-levellivemigrationinHPCenvi-ronments.InProc.ACM/IEEEConf.Supercomputing,2008.[58]J.Wang,X.Liu,andA.A.Chien.Empiricalstudyoftoleratingdenial-of-serviceattackswithaproxynetwork.InProc.USENIXSecuritySym.,pages51{64,2005.[59]R.Wartell,V.Mohan,K.W.Hamlen,andZ.Lin.Binarystirring:Self-randomizinginstructionaddressesoflegacyx86binarycode.InProc.ACMConf.ComputerandCommunicationsSecurity(CCS),pages157{168,2012.[60]A.Whitaker,R.S.Cox,M.Shaw,andS.D.Gribble.Constructingserviceswithinterposablevirtualhard-ware.InProc.Sym.NetworkedSystemsDesignandImplementation(NSDI),pages169{182,2004.[61]V.Yegneswaran,P.Barford,andD.Plonka.Onthedesignanduseofinternetsinksfornetworkabusemonitoring.InProc.Int.Sym.RecentAdvancesinIntrusionDetection(RAID),pages146{165,2004.[62]J.Yuill,D.Denning,andF.Feer.Usingdeceptiontohidethingsfromhackers:Processes,principles,andtechniques.J.InformationWarfare,5(3):26{40,2006.[63]W.Zheng,R.Bianchini,G.J.Janakiraman,J.R.Santos,andY.Turner.JustRunIt:Experiment-basedmanagementofvirtualizeddatacenters.InProc.USENIXAnnualTechnicalConf.,2009.