Sunny Raj edited this page Sep 29, 2016 · 3 revisions

Brainstorming session.

  1. What is the use of the Backup VM? - Preserve history, increase parallelism?
  2. Which checkpoints to save/forget? Can we intelligently choose which checkpoints to save?
  3. What is a scan? What types of scan can we be doing?
  4. What all can we scan?
    • Static known-good pages (e.g. kernel text) compared against a known-good copy.
    • Canaries on kernel data structures - needs help from the kernel to place them.
    • Process whitelist/blacklist.
  5. What can we do after a detection of an attack?
    • Rollback to checkpoint before the attack (Primary or Backup).
    • Re-run to see whether the attack was transient (rescan more carefully).
    • Need an easy way to get back to the start of the (previous) checkpoint.
    • Run in sandbox after rolling back.
    • Run a detailed network traffic inspection.
    • Flag attacked pages and watch when they are written to (using LIBBDVMI).
    • Get a stack trace?
  6. Why is suspend/resume expensive? What code is executed when a Remus suspend is called? How is it different from pause/unpause?
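Added example (not part of this wiki page or the project's code) of what the three scan types in item 4 look like over a checkpoint, together with the "flag attacked pages and watch them" step from item 5. The guest snapshot is modelled as constructed in-memory data: a dict of page-frame-number to 4 KiB page bytes for the static kernel pages, a dict of kernel-structure name to raw bytes with a canary in the last 8 bytes, and the list of running process names. The canary value and offset, the allow/deny lists, and all sample contents are assumptions for the example; in the real system the pages and structures would be read through VMI, and the kernel would have to place the canaries.

```python
"""Checkpoint scan over a toy guest snapshot (constructed data, not the project's code)."""
import hashlib

PAGE_SIZE = 4096
CANARY_OFFSET = 56            # assumed: canary is the last 8 bytes of a 64-byte struct
CANARY = 0xDEADBEEFCAFEBABE   # assumed canary value written by a kernel-side helper


def page_hash(data: bytes) -> str:
    """SHA-256 of one page; cheap to compare against the hash of a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(pages: dict[int, bytes]) -> dict[int, str]:
    """Record the hash of every static page from a known-good checkpoint."""
    return {pfn: page_hash(data) for pfn, data in pages.items()}


def scan_static_pages(pages: dict[int, bytes], baseline: dict[int, str]) -> list[int]:
    """Page frames whose contents no longer match the known-good baseline (or vanished)."""
    return sorted(
        pfn for pfn, good in baseline.items()
        if pfn not in pages or page_hash(pages[pfn]) != good
    )


def scan_canaries(structs: dict[str, bytes]) -> list[str]:
    """Kernel structures whose canary field was overwritten."""
    bad = []
    for name, blob in structs.items():
        field = blob[CANARY_OFFSET:CANARY_OFFSET + 8]
        if int.from_bytes(field, "little") != CANARY:
            bad.append(name)
    return sorted(bad)


def scan_processes(running: list[str], allow: set[str], deny: set[str]) -> dict[str, list[str]]:
    """Blacklist hits are definite findings; names outside both lists are flagged as unknown."""
    return {
        "denied": sorted(p for p in running if p in deny),
        "unknown": sorted(p for p in running if p not in allow and p not in deny),
    }


def scan_snapshot(snapshot: dict, baseline: dict[int, str], allow: set[str], deny: set[str]) -> dict:
    """Run all three scans; 'watch' is the set of pages to put write-watches on afterwards."""
    modified = scan_static_pages(snapshot["pages"], baseline)
    bad_canaries = scan_canaries(snapshot["structs"])
    procs = scan_processes(snapshot["processes"], allow, deny)
    detected = bool(modified or bad_canaries or procs["denied"] or procs["unknown"])
    return {
        "modified_pages": modified,
        "bad_canaries": bad_canaries,
        "processes": procs,
        "attack_detected": detected,
        "watch": set(modified),   # pages to monitor for writes after a rollback
    }


# ---- constructed sample data (stands in for pages read through VMI) ----------
def _page(seed: int) -> bytes:
    """Deterministic filler standing in for one page of kernel text."""
    return hashlib.sha256(bytes([seed])).digest() * (PAGE_SIZE // 32)


def _struct(canary: int) -> bytes:
    return bytes(CANARY_OFFSET) + canary.to_bytes(8, "little")


KNOWN_GOOD = {
    "pages": {0x100: _page(1), 0x101: _page(2), 0x102: _page(3)},
    "structs": {"task_struct[init]": _struct(CANARY), "sys_call_table": _struct(CANARY)},
    "processes": ["init", "sshd", "cron"],
}

# A later checkpoint: one text page patched, one struct smashed by an overflow,
# one blacklisted and one unlisted process appeared.
_patched = bytearray(_page(2))
_patched[0x10:0x12] = b"\xeb\xfe"          # two-byte overwrite of the page
ATTACKED = {
    "pages": {0x100: _page(1), 0x101: bytes(_patched), 0x102: _page(3)},
    "structs": {"task_struct[init]": b"A" * 64, "sys_call_table": _struct(CANARY)},
    "processes": ["init", "sshd", "cron", "nc", "miner"],
}

ALLOW = {"init", "sshd", "cron"}   # assumed whitelist
DENY = {"nc"}                      # assumed blacklist

BASELINE = build_baseline(KNOWN_GOOD["pages"])

if __name__ == "__main__":
    print(scan_snapshot(KNOWN_GOOD, BASELINE, ALLOW, DENY))
    print(scan_snapshot(ATTACKED, BASELINE, ALLOW, DENY))
```

The baseline is built once from a checkpoint taken before exposure; each later checkpoint is scanned against it, and the page-frame numbers it returns under `watch` are the ones to flag for write monitoring after rolling back. Hashing whole pages only works for pages that are genuinely static; relocated or self-patching kernel code would show up as false positives and would need to be excluded from the baseline.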