| Field | Value |
|---|---|
| Title | HARDLOG: Practical Tamper-Proof System Auditing Using a Novel Audit Device |
| Publication Type | Conference Paper |
| Year of Publication | 2022 |
| Authors | Ahmad, Adil; Lee, Sangho; Peinado, Marcus |
| Conference Name | 2022 IEEE Symposium on Security and Privacy (SP) |
| Keywords | delays, Hardware-Security, Human Behavior, Linux, OS-Security, performance evaluation, privacy, Prototypes, pubcrawl, Real-time Systems, resilience, Resiliency, Scalability, security, Security Audits, System-Auditing |
| Abstract | Audit systems maintain detailed logs of security-related events on enterprise machines to forensically analyze potential incidents. In principle, these logs should be safely stored in a secure location (e.g., network storage) as soon as they are produced, but this incurs a prohibitive slowdown on the monitored machine. Hence, existing audit systems protect batched logs asynchronously (e.g., after tens of seconds), but this allows attackers to tamper with unprotected logs. This paper presents HARDLOG, a practical and effective system that employs a novel audit device to provide fine-grained log protection with minimal performance slowdown. HARDLOG implements criticality-aware log protection: it ensures that logs are synchronously protected in the audit device before an infrequent security-critical event is allowed to execute, but logs are asynchronously protected on frequent non-critical events to minimize performance overhead. Importantly, even on non-critical events, HARDLOG ensures bounded-asynchronous protection: it sends log entries to the audit device within a tiny, bounded delay from their creation using well-known real-time techniques. To demonstrate HARDLOG's effectiveness, we prototyped an audit device using commodity components and implemented a reference audit system for Linux. Our prototype achieves a bounded protection delay of 15 milliseconds at non-critical events alongside undelayed protection at critical events. We also show that, for diverse real-world programs, HARDLOG incurs a geometric mean performance slowdown of only 6.3%, hence it is suitable for many real-world deployment scenarios. |
| DOI | 10.1109/SP46214.2022.9833745 |
| Citation Key | ahmad_hardlog_2022 |