Litcius/Paper detail

Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks

Carter Yagemann, Mohammad A. Noureddine, Wajih Ul Hassan, Simon P. Chung, Adam Bates, Wenke Lee

202117 citationsDOI

Abstract

Provenance-based causal analysis of audit logs has proven to be an invaluable method of investigating system intrusions. However, it also suffers from dependency explosion, whereby long-running processes accumulate many dependencies that are hard to unravel. Execution unit partitioning addresses this by segmenting dependencies into units of work, such as isolating the events that processed a single HTTP request. Unfortunately, we discover that current designs have a semantic gap problem due to how system calls and application log messages are used to infer complex internal program states. We demonstrate how attackers can modify existing code exploits to control event partitioning, breaking links in the attack and framing innocent users. We also show how our techniques circumvent existing program and log integrity defenses.

Topics & Concepts

Computer scienceExploitDependency (UML)AuditDependency graphData integrityFraming (construction)Audit trailComputer securitySoftware engineeringTheoretical computer scienceGraphManagementStructural engineeringEngineeringEconomicsSecurity and Verification in ComputingAdvanced Malware Detection TechniquesNetwork Security and Intrusion Detection