Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks

Provenance-based causal analysis of audit logs has proven to be an invaluable method of investigating system intrusions. However, it also suffers from dependency explosion, whereby long-running processes accumulate many dependencies that are hard to unravel. Execution unit partitioning addresses this by segmenting dependencies into units of work, such as isolating the events that processed a single HTTP request. Unfortunately, we discover that current designs have a semantic gap problem due to how system calls and application log messages are used to infer complex internal program states. We demonstrate how attackers can modify existing code exploits to control event partitioning, breaking links in the attack and framing innocent users. We also show how our techniques circumvent existing program and log integrity defenses. We then propose a new design for execution unit partitioning that leverages additional runtime data to yield verified partitions that resist manipulation. Our design overcomes the technical challenges of minimizing additional overhead while accurately connecting low-level code instructions to high-level audit events, in part with the use of commodity hardware processor tracing. We implement a prototype of our design for Linux, MARSARA, and extensively evaluate it on 14 real-world programs, targeted with expertly crafted exploits. MARSARA's verified partitions successfully capture all the attack provenances while only reintroducing 2.82% of false dependencies, in the worst case, with an average overhead of 8.7%. Using a new metric called Partitioning Attack Surface, we show that MARSARA eliminates 47,642 more repartitioning gadgets per program than integrity defenses like CFI, demonstrating our prototype's effectiveness and the novelty of the attacks it prevents.
