TY - GEN
T1 - CUSTOS
T2 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
AU - Paccagnella, Riccardo
AU - Datta, Pubali
AU - Ul Hassan, Wajih
AU - Bates, Adam
AU - Fletcher, Christopher W.
AU - Miller, Andrew
AU - Tian, Dave
N1 - Publisher Copyright:
© 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.
PY - 2020
Y1 - 2020
AB - System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activities after a break-in, covering their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared throughout the industry and the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks. In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists of a tamper-evident logging layer and a decentralized auditing protocol. The former enables the verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. CUSTOS is made practical by the observation that we can decouple the costs of cryptographic log commitments from the act of creating and storing log events, without trading off security, leveraging features of off-the-shelf trusted execution environments. Supporting over one million events per second, we show that CUSTOS' tamper-evident logging protocol is three orders of magnitude (1000×) faster than prior solutions and incurs only between 2% and 7% runtime overhead over insecure logging on intensive workloads. Further, we show that CUSTOS' auditing protocol can detect violations in near real-time even in the presence of a powerful distributed adversary and with minimal (3%) network overhead. Our case study on a real-world APT attack scenario demonstrates that CUSTOS forces anti-forensic attackers into a “lose-lose” situation, where they can either be covert and not tamper with logs (which can be used for forensics), or erase logs but then be detected by CUSTOS.
UR - http://www.scopus.com/inward/record.url?scp=85180624916&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85180624916&partnerID=8YFLogxK
U2 - 10.14722/ndss.2020.24065
DO - 10.14722/ndss.2020.24065
M3 - Conference contribution
AN - SCOPUS:85180624916
T3 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
BT - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
PB - The Internet Society
Y2 - 23 February 2020 through 26 February 2020
ER -
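The abstract describes two ideas worth seeing in working code: a tamper-evident logging layer whose per-event cost is a single hash, and cryptographic commitments over the log that are produced in batches, decoupled from event creation, by a component holding a key the host cannot read. The block below is an added illustration written for this page; it is not CUSTOS's code and does not reproduce its protocol. Assumptions: an HMAC under a hard-coded key stands in for a TEE-sealed signing key; commitments are assumed to be stored where a root-level attacker on the logging host cannot rewrite them (the abstract's decentralized auditing protocol serves that role in CUSTOS, here it is simply out of scope); the audit lines are constructed, not real captures.

```python
"""Hash-chained audit log with batched, key-authenticated commitments.

Added example, not the CUSTOS implementation. Appending an event costs one
SHA-256; the commitment (an HMAC over the chain head, under a key the host is
ASSUMED not to hold, standing in for a TEE-sealed key) is produced every
commit_every events, so commitment cost is decoupled from event creation.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32

# Assumption for this example: a key sealed inside a TEE that a root attacker on
# the host cannot read. Hard-coded only so the example runs offline.
TEE_KEY = b"example-tee-sealed-key"

# Constructed audit records (not real captures); index 8 is the log-wiping step.
SAMPLE_EVENTS = [
    "type=SYSCALL pid=4121 uid=1000 comm=bash exe=/usr/bin/bash syscall=execve",
    "type=EXECVE pid=4121 argv=[ssh,backup@db-01]",
    "type=USER_LOGIN pid=877 uid=0 acct=root res=failed",
    "type=USER_LOGIN pid=877 uid=0 acct=root res=success",
    "type=SYSCALL pid=4190 uid=0 comm=curl exe=/usr/bin/curl syscall=connect",
    "type=PATH pid=4190 uid=0 name=/tmp/.cache/x86 mode=0100755",
    "type=SYSCALL pid=4190 uid=0 comm=x86 syscall=execve",
    "type=CRED_ACQ pid=4203 uid=0 acct=root",
    "type=SYSCALL pid=4203 uid=0 comm=bash syscall=unlinkat name=/var/log/audit/audit.log",
    "type=USER_END pid=877 uid=0 acct=root",
]


def chain_step(prev: bytes, event: str) -> bytes:
    """Extend the chain by one event: h_i = SHA-256(h_{i-1} || event_i)."""
    return hashlib.sha256(prev + event.encode("utf-8")).digest()


def chain_head(events) -> bytes:
    """Chain head over a whole event list (used by the forgery scenario)."""
    head = GENESIS
    for e in events:
        head = chain_step(head, e)
    return head


def make_tag(count: int, head: bytes) -> bytes:
    """Commitment tag binding (number of events, chain head) under TEE_KEY."""
    return hmac.new(TEE_KEY, count.to_bytes(8, "big") + head, hashlib.sha256).digest()


class Logger:
    """Untrusted logging path: one hash per event, a commitment every N events."""

    def __init__(self, commit_every: int):
        self.commit_every = commit_every
        self.events = []        # what lands on disk; the attacker may edit this
        self.head = GENESIS
        self.commitments = []   # (count, head, tag); assumed stored off-host

    def log(self, event: str) -> None:
        self.events.append(event)
        self.head = chain_step(self.head, event)
        if len(self.events) % self.commit_every == 0:
            self.commit()

    def commit(self) -> None:
        n = len(self.events)
        self.commitments.append((n, self.head, make_tag(n, self.head)))


def verify(events, commitments):
    """Recompute the chain over the stored log and check every commitment.

    Returns (ok, detail): detail names the first violation found, or how many
    trailing events are not yet covered by any commitment.
    """
    head, idx = GENESIS, 0
    for n, committed_head, tag in sorted(commitments):
        if not hmac.compare_digest(tag, make_tag(n, committed_head)):
            return False, f"commitment over {n} events has an invalid tag (forged?)"
        if n > len(events):
            return False, f"log truncated: commitment covers {n} events, {len(events)} on disk"
        for e in events[idx:n]:
            head = chain_step(head, e)
        if head != committed_head:
            return False, f"chain mismatch within the first {n} events (event modified or deleted)"
        idx = n
    return True, f"ok; {len(events) - idx} trailing events not yet committed"


def build_log() -> Logger:
    lg = Logger(commit_every=4)   # commitments land after events 4 and 8
    for e in SAMPLE_EVENTS:
        lg.log(e)
    return lg


def run_scenarios() -> dict:
    """Honest log plus the anti-forensic edits an intruder might attempt."""
    lg = build_log()
    out = {"honest": verify(lg.events, lg.commitments)}
    deleted = list(lg.events); del deleted[2]                 # drop the failed root login
    out["delete_middle"] = verify(deleted, lg.commitments)
    edited = list(lg.events)
    edited[3] = edited[3].replace("res=success", "res=failed")  # rewrite the successful login
    out["modify_event"] = verify(edited, lg.commitments)
    out["truncate_committed"] = verify(lg.events[:6], lg.commitments)
    out["delete_uncommitted_tail"] = verify(lg.events[:8], lg.commitments)  # not detected
    forged = [(4, chain_head(edited[:4]), b"\x00" * 32), lg.commitments[1]]  # no TEE_KEY
    out["forged_commitment"] = verify(edited, forged)
    return out


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:24} {'PASS' if ok else 'TAMPERED'}  {detail}")
```

The `delete_uncommitted_tail` scenario passes verification: events logged after the last commitment have no commitment to contradict, so erasing them leaves no evidence in this layer. That gap is exactly why the commitment cadence and an auditor outside the host matter; the abstract attributes CUSTOS's near real-time detection to its decentralized auditing protocol, which this single-host sketch does not model.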