Modified:
wiki/Workshop20081031.wiki
Log:
Edited wiki page through web user interface.
Modified: wiki/Workshop20081031.wiki
==============================================================================
--- wiki/Workshop20081031.wiki (original)
+++ wiki/Workshop20081031.wiki Thu Nov 13 17:27:45 2008
@@ -945,7 +945,7 @@
http://lemona.googlecode.com/svn/docs/images/architecture/lemona-architecture-5.png
-*Lemona* is a compound of several components (Figure
[http://lemona.googlecode.com/svn/docs/images/architecture/lemona-architecture-5.png
4] and Figure 5), separated in three categories:
+*Lemona* is a compound of several components (Figure
[http://lemona.googlecode.com/svn/docs/images/architecture/lemona-architecture-2.png
3] and Figure
[http://lemona.googlecode.com/svn/docs/images/architecture/lemona-architecture-5.png
4]), separated in three categories:
http://lemona.googlecode.com/svn/docs/images/architecture/lemona-architecture-components.png
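Review bot: the renumbering from "Figure 4 and Figure 5" to "Figure 3 and Figure 4" is applied to this one sentence only; check that the figure captions and every other "Figure 4" / "Figure 5" reference in the page were renumbered in the same commit, otherwise this paragraph now disagrees with the rest of the document. Note also that the old text pointed both figure references at lemona-architecture-5.png, while the new text correctly distinguishes lemona-architecture-2.png (Figure 3) from lemona-architecture-5.png (Figure 4); worth a one-line mention in the log.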
@@ -1293,19 +1293,32 @@
= Conclusion =
- NOTE: Conclusions will be drawn once the results have been collected
- and tested. Some limitations exist from the ground up and they are
- listed below. We also reference future work and ideas we might deal
- with in future versions of *Lemona*, but which are currently out of
- the scope of our research project.
+Our paper posed the general environment of computer forensics
+analysis, and introduced *Lemona*, our solution for a monitoring
+architecture relying on open standards and implementations, and aiming
+towards the post-mortem investigation of compromised systems.
+
+As we demonstrated with the presentation of *Lemona*'s performance and
+settings, its design allows it to theoretically trace and record the
+complete activity at the lowest architectural level of an operating
+system, permitting a global review of the system's life, while
+managing to impact the system with an acceptable overhead, thus
+remaining satisfyingly usable and available.
+
+In the long run, *Lemona* will not only allow a forensics investigator
+to determine how and when an attack occured, but also offer the
+possibility to review the compromised or exploited resources and
+reconstruct the system based on the fine-grained and exhaustive
+records it generates, replaying the compromised system's lifecycle
+step by step.
== Limitations ==
-*Lemona*, though designed to be a more complete monitoring facility than
-the existing solutions, is not foolproof. These are the various (we
-could think of so far) to circumvent its surveillance, or render it
-inefficient.
+*Lemona*, though designed to be a more complete monitoring facility
+than the existing solutions, is of course not foolproof. These are the
+various ways that we could think of so far to circumvent its
+surveillance, or render it inefficient.
=== Break the Pipe or Break the Storage Point ===
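Review bot: typo in the third added paragraph, "occured" should be "occurred". The second paragraph claims the design lets *Lemona* "theoretically trace and record the complete activity at the lowest architectural level", but the Limitations section that follows immediately concedes that the pipe and the storage point can be broken; qualify the claim, for example "is designed to trace and record activity at the lowest architectural level (see Limitations for the known gaps)". Minor wording: "posed the general environment" reads better as "presented the general context", and "remaining satisfyingly usable and available" as "remaining usable and available".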
@@ -1338,6 +1351,17 @@
components. This is technically possible, but we have not implemented
such a feature so far.
+This problem can also occur if *Lemona* is running on a machine with a
+very high traffic load, such as a web-server hosting a corporate or
+e-commerce website. The combination of the *Lemona*'s auditing
+throughput and the normal server load might reach the bandwidth
+limitation, and *Lemona*'s reporting could be delayed, thus allowing
+an attacker to exploit a vulnerability and crash the system without it
+showing in the logs.
+
+A correct adjustement to the load-balancing taking into consideration
+the web-server's network load theoretically overcomes this problem.
+
=== Break Lemona ===
It is actually possible that an attacker, who would succeed in
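Review bot: the last added paragraph asserts that a load-balancing adjustment "theoretically overcomes this problem" with nothing to back it; state it as a proposed, untested mitigation ("we expect that ... would mitigate this, but have not measured it"). The preceding paragraph also slides from "reporting could be delayed" to "without it showing in the logs"; these are different failure modes, so say explicitly whether events buffered during the delay are lost when the system crashes or only arrive late. Spelling and grammar: "adjustement" should be "adjustment", and "the *Lemona*'s auditing throughput" should drop the article ("*Lemona*'s auditing throughput").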
@@ -1356,8 +1380,9 @@
== Future Work ==
-There are countless possible improvements to *Lemona*, some of which are
-listed below.
+There are countless possible improvements to *Lemona*, 3 of which are
+listed below. It could benefit of numerous other variants, which are
+currently being studied.
=== IDS/IPS Integration ===
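Review bot: hard-coding "3 of which are listed below" will go stale as soon as a subsection is added or removed, and the later hunk in this same commit deletes a sentence that said "only two" of the improvements were listed, so the count is already inconsistent within the page; the original "some of which" was safer, or at least spell it as "three" and keep it in step with the subsections. Grammar: "benefit of numerous other variants" should be "benefit from numerous other variants".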
@@ -1390,8 +1415,17 @@
then be compared to a database of preset forms matching the exploits'
database.
-Those are only two of the many improvements *Lemona* could benefit of,
-and numerous other variants are already being studied.
+== Design Decisions ==
+
+*Lemona* is a brand new project and its design is still morphing, both
+at the low and high levels of the architecture. *Lemona* is not
+designed for performance at the moment because of the radical changes
+it goes through on a regular basis.
+
+We consider revisiting our design to integrate more dynamic and
+generic solutions, that would alleviate both the burden of the
+developers to integrate new patches and the amount of complexity
+required to set up the system.
---------------------------------------------------------------------------
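Review bot: the new Design Decisions section says *Lemona* "is not designed for performance at the moment", which sits uneasily next to the Conclusion added in this same commit ("acceptable overhead ... usable and available"); reconcile the two, for example "not yet optimized for performance, although the measured overhead remains acceptable". Placement is also odd: a Design Decisions section appearing after Future Work and after the IDS/IPS subsection reads like a third future-work item, so either make it a subsection of Future Work or move it before the Limitations. Wording: "We consider revisiting" should be "We are considering revisiting", and "alleviate both the burden of the developers to integrate new patches and the amount of complexity required to set up the system" reads better as "reduce both the effort developers spend integrating new patches and the complexity of setting up the system".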
@@ -1447,11 +1481,28 @@
== Appendix A ==
-Performance Results published by *Forensix* `[9]` for a
+Performance Results published by *Forensix* `[9]` for a test based on
+a Linux Kernel compilation.
|| || Auditing Off || Auditing on Network Off || Auditing on
Network On ||
|| total time || 232.2s || 247.1s (6%) || 252.0s
(8%) ||
|| system Time|| 14.0s || 26.3 ||
30.7s ||
+
+== Appendix B ==
+
+Test _index.html_ file:
+
+{{{
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<html>
+<head>
+<title>Webserver test</title>
+</head>
+<body>
+This is a webserver test page.
+</body>
+</html>
+}}}
---------------------------------------------------------------------------
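Review bot: while touching the Appendix A caption, fix the table rows it describes: the "system Time" row gives "26.3" without its unit and omits the percentage deltas that the "total time" row carries, so the two rows cannot be read the same way; add "s" and the relative overhead, and keep each `|| ... ||` row on a single line so the wiki table renders. For Appendix B, the introduction "Test _index.html_ file:" does not say which test served this page; state which measurement in the body used it (presumably the web-server scenario) and, if the page was fetched by a load generator, what it was fetched with, so a reader can reproduce the numbers.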