HARDLOG: Practical Tamper-Proof System Auditing Using a Novel Audit Device

Title: HARDLOG: Practical Tamper-Proof System Auditing Using a Novel Audit Device
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Ahmad, Adil; Lee, Sangho; Peinado, Marcus
Conference Name: 2022 IEEE Symposium on Security and Privacy (SP)
Keywords: delays, Hardware-Security, Human Behavior, Linux, OS-Security, performance evaluation, privacy, Prototypes, pubcrawl, Real-time Systems, resilience, Resiliency, Scalability, security, Security Audits, System-Auditing
Abstract: Audit systems maintain detailed logs of security-related events on enterprise machines to forensically analyze potential incidents. In principle, these logs should be safely stored in a secure location (e.g., network storage) as soon as they are produced, but this incurs prohibitive slowdown to a monitored machine. Hence, existing audit systems protect batched logs asynchronously (e.g., after tens of seconds), but this allows attackers to tamper with unprotected logs. This paper presents HARDLOG, a practical and effective system that employs a novel audit device to provide fine-grained log protection with minimal performance slowdown. HARDLOG implements criticality-aware log protection: it ensures that logs are synchronously protected in the audit device before an infrequent security-critical event is allowed to execute, but logs are asynchronously protected on frequent non-critical events to minimize performance overhead. Importantly, even on non-critical events, HARDLOG ensures bounded-asynchronous protection: it sends log entries to the audit device within a tiny, bounded delay from their creation using well-known real-time techniques. To demonstrate HARDLOG's effectiveness, we prototyped an audit device using commodity components and implemented a reference audit system for Linux. Our prototype achieves a bounded protection delay of 15 milliseconds at non-critical events alongside undelayed protection at critical events. We also show that, for diverse real-world programs, HARDLOG incurs a geometric mean performance slowdown of only 6.3%, hence it is suitable for many real-world deployment scenarios.
DOI: 10.1109/SP46214.2022.9833745
Citation Key: ahmad_hardlog_2022