Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Riccardo Paccagnella (University of Illinois at Urbana–Champaign), Pubali Datta (University of Illinois at Urbana–Champaign), Wajih Ul Hassan (University of Illinois at Urbana–Champaign), Adam Bates (University of Illinois at Urbana–Champaign), Christopher W. Fletcher (University of Illinois at Urbana–Champaign), Andrew Miller (University of Illinois at Urbana–Champaign), Dave Tian (Purdue University)

System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activity after a break-in, scrubbing their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared in industry and in the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks. As a result, the vast majority of system logs today remain vulnerable to covert adversarial tampering.

In this work, we introduce Custos, a comprehensive framework for the detection of tampering in system logs. Custos consists of a transparent tamper-evident logging layer and a decentralized auditing protocol. The former uses trusted execution to enable verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. We show that Custos' log commitment protocol sustains over one million events per second, three orders of magnitude faster than prior secure logging solutions, while incurring less than 2% runtime overhead on realistic workloads. Further, we show that Custos' auditing protocol detects violations even in the presence of a powerful distributed adversary and with minimal (2.7%) network overhead. Custos thus demonstrates a realistic path forward to achieving practical tamper-evident auditing of operating systems.
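The abstract describes the logging layer and the auditing protocol only at a high level. As an added illustration, and not Custos' own code or its actual commitment construction, the Python sketch below shows the general shape of a tamper-evident log commitment scheme and the classes of tampering a remote auditor can detect from it. A key-holding object stands in for the trusted execution environment, an HMAC chain stands in for whatever commitment construction Custos uses, and the auditor is assumed to share the key in place of attestation and signature verification. The sample audit lines are constructed for the example.

```python
import copy
import hashlib
import hmac
from typing import Dict, List, Tuple

GENESIS = b"\x00" * 32  # chain head before any entry has been committed


def _commit(key: bytes, prev: bytes, seq: int, entry: str) -> bytes:
    """Commitment for one entry. It binds the entry to its sequence number and to
    the commitment of the preceding entry, so entries cannot be edited, removed,
    or reordered without invalidating every later commitment."""
    msg = prev + seq.to_bytes(8, "big") + entry.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedCommitter:
    """Stands in for the trusted component (assumption: in this sketch a plain
    object holds the key; the untrusted host sees only entries and commitments)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._head = GENESIS
        self._seq = 0

    def append(self, entry: str) -> Dict:
        rec = {"seq": self._seq, "entry": entry}
        self._head = _commit(self._key, self._head, self._seq, entry)
        rec["commit"] = self._head.hex()
        self._seq += 1
        return rec  # the record the host writes to the on-disk log

    def checkpoint(self) -> Tuple[int, str]:
        """Value published to the remote auditor: (entries committed, chain head).
        A host that later drops the tail of the log cannot make the count match."""
        return self._seq, self._head.hex()


def audit(records: List[Dict], key: bytes, checkpoint: Tuple[int, str]) -> str:
    """Auditor-side check over the on-disk log. Returns 'ok' or the first violation."""
    n_committed, _committed_head = checkpoint
    head = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec.get("seq") != expected_seq:
            return f"deleted or reordered: expected seq {expected_seq}, found {rec.get('seq')}"
        head = _commit(key, head, expected_seq, rec["entry"])
        if rec.get("commit") != head.hex():
            return f"modified: entry {expected_seq} does not match its commitment"
    if len(records) < n_committed:
        return f"truncated: {len(records)} entries on disk, {n_committed} committed"
    return "ok"


# Constructed sample audit lines for the example; not from any real system.
SAMPLE_ENTRIES = [
    'type=SYSCALL syscall=execve pid=4211 uid=1000 exe="/usr/bin/curl"',
    'type=SYSCALL syscall=openat pid=4211 uid=1000 name="/etc/shadow"',
    'type=SYSCALL syscall=execve pid=4212 uid=0 exe="/usr/bin/shred"',
    'type=SYSCALL syscall=unlink pid=4212 uid=0 name="/var/log/audit/audit.log"',
]


def tamper_scenarios(key: bytes = b"demo-key-known-only-to-trusted-component") -> Dict[str, str]:
    """Commit the sample log, publish a checkpoint, then audit several copies of the
    on-disk log: untouched, edited in place, one entry deleted (with and without
    renumbering), and truncated."""
    committer = TrustedCommitter(key)
    log = [committer.append(e) for e in SAMPLE_ENTRIES]
    cp = committer.checkpoint()

    edited = copy.deepcopy(log)
    edited[2]["entry"] = edited[2]["entry"].replace("uid=0", "uid=1000")

    deleted = log[:1] + log[2:]  # attacker removes the /etc/shadow access
    renumbered = copy.deepcopy(deleted)
    for i, rec in enumerate(renumbered):  # ...and tries to hide the gap
        rec["seq"] = i
    truncated = log[:3]  # attacker drops the final entry

    return {
        "untouched": audit(log, key, cp),
        "edited": audit(edited, key, cp),
        "deleted": audit(deleted, key, cp),
        "deleted_renumbered": audit(renumbered, key, cp),
        "truncated": audit(truncated, key, cp),
    }


if __name__ == "__main__":
    for name, verdict in tamper_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The truncation case is the one a bare hash chain cannot catch on its own: a prefix of a valid chain is itself a valid chain, which is why the committed count and head must leave the host and reach an auditor that the attacker does not control. That is the role the decentralized auditing protocol plays in the abstract's design.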