What is it about?
System logs are considered the most valuable artifact when investigating cyberattacks. To be useful, however, they must contain a trace of what the hackers did during their attack. This paper describes a race condition vulnerability that hackers can exploit to leave no trace of their attack in the system logs. Unfortunately, the paper finds that existing defenses (even state-of-the-art tamper-evident logging frameworks) do not protect against this attack. The paper then describes a new defense design that does protect against it, and introduces a system called KennyLoggings that implements this design. KennyLoggings is the first system logging framework to provide "synchronous integrity": it guarantees tamper evidence for log events at the moment they occur. Finally, the paper evaluates KennyLoggings' performance and discusses how it can work in conjunction with existing logging frameworks.
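As an added illustration (not code from the paper or from KennyLoggings), the Python sketch below contrasts the two models named above: a buffered log whose integrity protection is applied only when the queue is flushed, which an attacker who wins the race can scrub silently, and a synchronous log that MACs each event with a forward-evolving key at the moment it occurs, so that a later deletion fails verification. The forward-secure MAC chain is one illustrative mechanism assumed here, and the initial key, event strings and class names are constructed.

```python
import hmac, hashlib
from collections import deque
# Constructed illustration (not KennyLoggings' own code): integrity applied
# when a buffered log is flushed versus at the moment each event occurs.

def mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.blake2b).digest()
def evolve(key: bytes) -> bytes:
    return hashlib.blake2b(b"evolve" + key, digest_size=32).digest()  # one-way

class BufferedLog:
    """Asynchronous model: events are protected only when the queue is flushed."""
    def __init__(self, key: bytes):
        self.key, self.queue, self.entries = key, deque(), []
    def record(self, event: str) -> None:
        self.queue.append(event)  # race window: not yet protected
    def flush(self) -> None:
        while self.queue:
            event = self.queue.popleft()
            self.entries.append((event, mac(self.key, event)))
            self.key = evolve(self.key)

class SyncLog:
    """Synchronous integrity: MAC at occurrence, then evolve the key at once."""
    def __init__(self, key: bytes):
        self.key, self.entries = key, []
    def record(self, event: str) -> None:
        self.entries.append((event, mac(self.key, event)))
        self.key = evolve(self.key)

def verify(entries, initial_key):
    """Index of the first entry whose tag fails, else None. Deleting entry i puts
    later entries on the wrong key; tail truncation also needs the key count."""
    key = initial_key
    for i, (event, tag) in enumerate(entries):
        if not hmac.compare_digest(mac(key, event), tag):
            return i
        key = evolve(key)
    return None

def demo(dropped: str = "execve /tmp/unknown"):
    k0 = b"\x11" * 32  # constructed initial key, also known to the verifier
    buffered, sync = BufferedLog(k0), SyncLog(k0)
    for e in ["login alice", dropped, "logout alice"]:
        buffered.record(e)
        sync.record(e)
    buffered.queue.remove(dropped)  # attacker wins the race before flush
    buffered.flush()
    sync.entries[:] = [x for x in sync.entries if x[0] != dropped]
    return verify(buffered.entries, k0), verify(sync.entries, k0)  # (None, 1)
```

The buffered log verifies clean even though the event never reached it, while the synchronous log fails at index 1, where the surviving entry now sits under the wrong key.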
Why is it important?
1. It shows that the increasingly common threat of anti-forensic attackers in operating systems is worse than we thought. Hackers can undetectably intercept and conceal their attack traces even in the presence of state-of-the-art secure logging systems!
2. It presents the first system to guarantee tamper evidence for all the log events that lead to full system compromise. This property gives investigators insight into the window of time during which existing defenses are vulnerable.
Perspectives
In my view, one of the most fascinating discoveries of this paper was learning that using modern, fast cryptographic primitives, we could achieve synchronous integrity with practical performance. The fact that we could achieve both goals for system logging (with thousands of log events per second) was not obvious at the outset of our investigation. Check out the paper to see how we were able to do it!
Riccardo Paccagnella
University of Illinois at Urbana-Champaign
Read the Original
This page is a summary of: Logging to the Danger Zone: Race Condition Attacks and Defenses on System Audit Frameworks, October 2020, ACM (Association for Computing Machinery), DOI: 10.1145/3372297.3417862.