CUSTOS: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates Yuile, Christopher W. Fletcher, Andrew Miller, Dave Tian

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activities after a break-in, covering their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared throughout the industry and the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks. In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists of a tamper-evident logging layer and a decentralized auditing protocol. The former enables the verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. CUSTOS is made practical by the observation that we can decouple the costs of cryptographic log commitments from the act of creating and storing log events, without trading off security, leveraging features of off-the-shelf trusted execution environments. Supporting over one million events per second, we show that CUSTOS' tamper-evident logging protocol is three orders of magnitude (1000×) faster than prior solutions and incurs only between 2% and 7% runtime overhead over insecure logging on intensive workloads. Further, we show that CUSTOS' auditing protocol can detect violations in near real-time even in the presence of a powerful distributed adversary and with minimal (3%) network overhead. Our case study on a real-world APT attack scenario demonstrates that CUSTOS forces anti-forensic attackers into a “lose-lose” situation, where they can either be covert and not tamper with logs (which can be used for forensics), or erase logs but then be detected by CUSTOS.

Original languageEnglish (US)
Title of host publication27th Annual Network and Distributed System Security Symposium, NDSS 2020
PublisherThe Internet Society
ISBN (Electronic)1891562614, 9781891562617
DOIs
StatePublished - 2020
Event27th Annual Network and Distributed System Security Symposium, NDSS 2020 - San Diego, United States
Duration: Feb 23 2020Feb 26 2020

Publication series

Name27th Annual Network and Distributed System Security Symposium, NDSS 2020

Conference

Conference27th Annual Network and Distributed System Security Symposium, NDSS 2020
Country/TerritoryUnited States
CitySan Diego
Period2/23/202/26/20

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'CUSTOS: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution'. Together they form a unique fingerprint.

Cite this