Trustworthy Logging for Virtual Organisations

To monitor user and system activity securely across a distributed system and to detect malicious behaviour, trustworthy audit and logging services are needed. Existing audit-based monitoring services, however, are often open to compromise because they give no guarantees of log integrity, confidentiality and availability. This thesis presents several use cases in which these properties are essential, conducts a threat analysis of those use cases, and derives key security requirements from the threats and their risks. It then proposes a log generation and reconciliation infrastructure that satisfies the requirements and mitigates the threats.

Applications are usually the weak link in how logs are generated and protected. In the proposed logging system, important application events are recorded whether or not the application cooperates, by a trustworthy logging component operating inside a privileged virtual machine. Virtual machine isolation makes it infeasible for applications to bypass the logging component, and Trusted Computing attestation lets users verify the logging properties of remote systems and so establish that the collected logs are trustworthy.

Despite ongoing research in usable security for distributed systems, a 'trust gap' remains between users' requirements and current technological capabilities. To bridge it, this thesis also proposes two types of distributed system, one for a computational system and the other for a distributed data system. Central to both is the configuration resolver, which maintains a list of the trustworthy participants available in the virtual organisation. Users submit their jobs to the configuration resolver, knowing that the jobs will be dispatched to trustworthy participants and executed in protected environments.

As a form of evaluation, this thesis suggests how these ideas could be integrated with existing systems and highlights the potential security enhancements.
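The two mechanisms the abstract names, a log the application cannot rewrite and a configuration resolver that only dispatches to attested participants, can be made concrete in a few dozen lines. The Python below is an added illustration, not code from the thesis: a forward-secure MAC chain stands in for the log kept by the privileged logging VM, an HMAC under a per-platform key stands in for a TPM quote signature, and `KNOWN_GOOD_LOGGING_VM`, the participant names, keys and log events are all constructed sample data.

```python
"""Added illustration (not the thesis's own code) of a tamper-evident,
forward-secure log and of a configuration resolver that dispatches jobs only
to participants whose attested measurement is on a known-good list.
All keys, measurements, participant names and events are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class LogEntry:
    seq: int
    event: str
    prev: bytes   # chain link: hash of the previous entry
    mac: bytes    # HMAC under the per-entry evolving key


class TrustworthyLog:
    """Append-only log as the privileged logging VM might keep it.  The logger
    holds only the current key K_i and replaces it with K_{i+1} = H(K_i) after
    every append, so an attacker who later compromises the logger learns K_n
    but cannot forge or rewrite entries protected by earlier keys."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._last = b"\x00" * 32
        self.entries: list = []

    def append(self, event: str) -> LogEntry:
        seq = len(self.entries)
        body = f"{seq}|{event}".encode() + self._last
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        self.entries.append(LogEntry(seq, event, self._last, mac))
        self._last = digest(body + mac)
        self._key = digest(self._key)      # evolve and forget the old key
        return self.entries[-1]


def verify_log(entries: list, initial_key: bytes) -> bool:
    """Auditor-side check from K_0 (assumed shared out of band).  Detects
    modification, reordering and insertion.  Silent truncation of the tail is
    not detected here; that needs a signed or attested commitment to the
    latest chain hash, which this sketch leaves out."""
    key, last = initial_key, b"\x00" * 32
    for i, e in enumerate(entries):
        body = f"{i}|{e.event}".encode() + last
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if e.seq != i or e.prev != last or not hmac.compare_digest(e.mac, expected):
            return False
        last, key = digest(body + expected), digest(key)
    return True


@dataclass
class Participant:
    name: str
    quote_key: bytes   # stands in for the platform's attestation signing key
    pcr: bytes         # measured configuration, e.g. hash of the logging VM image

    def quote(self, nonce: bytes):
        # Simulated attestation: a real TPM quote is an AIK signature over the
        # PCR values and the verifier's nonce; an HMAC plays that role here.
        return self.pcr, hmac.new(self.quote_key, nonce + self.pcr, hashlib.sha256).digest()


class ConfigurationResolver:
    """Keeps the list of participants whose attested measurement is known-good
    and hands jobs only to them (round robin, for simplicity)."""

    def __init__(self, known_good: set):
        self.known_good = known_good
        self._verified: dict = {}
        self._next = 0

    def enrol(self, p: Participant, expected_quote_key: bytes) -> bool:
        nonce = secrets.token_bytes(16)          # fresh challenge: blocks replay
        pcr, sig = p.quote(nonce)
        genuine = hmac.compare_digest(
            sig, hmac.new(expected_quote_key, nonce + pcr, hashlib.sha256).digest())
        if genuine and pcr in self.known_good:
            self._verified[p.name] = p
            return True
        self._verified.pop(p.name, None)         # a failed re-attestation evicts
        return False

    def trustworthy(self) -> list:
        return sorted(self._verified)

    def dispatch(self, job: str) -> Optional[str]:
        names = self.trustworthy()
        if not names:
            return None                          # nowhere trustworthy: refuse the job
        target = names[self._next % len(names)]
        self._next += 1
        return target


KNOWN_GOOD_LOGGING_VM = digest(b"logging-vm-image-v1")   # constructed measurement

if __name__ == "__main__":
    k0 = secrets.token_bytes(32)
    log = TrustworthyLog(k0)
    log.append("job 17 submitted by alice")
    log.append("job 17 read /data/patients.csv")
    print("log verifies:", verify_log(log.entries, k0))
    log.entries[1].event = "job 17 read /data/public.csv"   # application tries to rewrite history
    print("after tampering:", verify_log(log.entries, k0))
    resolver = ConfigurationResolver({KNOWN_GOOD_LOGGING_VM})
    print(resolver.enrol(Participant("node-a", b"key-a", KNOWN_GOOD_LOGGING_VM), b"key-a"))
    print(resolver.enrol(Participant("node-b", b"key-b", digest(b"patched image")), b"key-b"))
    print("dispatch job 17 to:", resolver.dispatch("job 17"))
```

Two caveats a practitioner would check before relying on a scheme like this: the verifier must obtain K_0 and the known-good measurements over a channel the logged application cannot influence, and a MAC chain on its own does not reveal that the tail of the log was deleted, so the logging VM's latest chain hash has to be periodically signed, attested or copied off-platform for the availability requirement to hold.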
