Secure Reincarnation of Compromised Servers Using Xen Based Time-Forking Virtual Machines

Abstract

Mission-critical telecom servers are being ported from their safe PSTN haven to the Internet to cator to the VoIP user base increasing failures due to greater susceptibility to attacks. Virtual machines are becoming increasing popular for deploying servers because they allow checkpointing and live migration facilities. The challenges are dealing with non-virtual state elements, like ongoing network communications that can't be check-pointed, and recovering state changed between failure and the last check-point. Other complications include dependence on human intervention and precise timing so as not to revert to an un-healthy VM already in the state of compromise. This paper describes a Xen based middleware that pervasively detects terminated VM servers and reincarnates them in a safe state such that they don't lose connectivity to their network clients. It also attempts to isolate messages that caused the failure and generates rules to disallow them from effecting the newly reincarnated VM in the future. Since it essentially allows a VM to start a new life from a point in time before it got compromised, we dubbed it: a time-forking virtual machine (TFVM) following the Copenhagen school's "many worlds theory" that postulates that every historical event forks a new universe for every possible outcome. Currently TFVM works in the context of our particular application but we discuss how to extend our model to allow reincarnation of generalized services