The Linux Audit system is widely used as a causality tracking
system in real-world deployments for problem diagnosis and forensic
analysis. However, it has poor performance. We perform a
comprehensive analysis of the Linux Audit system and find that it
suffers from high runtime and storage overheads due to the large
volume of redundant events. To address these shortcomings, we
propose an in-kernel cache-based online log-reduction system to
enable high-performance audit logging. It features a multi-layer
caching scheme distributed in various kernel data structures, and
uses the caches to detect and suppress redundant events. Our
technique is designed to reduce the runtime overhead caused by
transferring, processing, and writing logs, as well as the space
overhead caused by storing them on disk. Compared to existing log
reduction techniques that first generate the huge raw logs and then
reduce them, our technique avoids generating redundant events in the
first place. Experimental results from our prototype KCAL
(Kernel-supported Cost-effective Audit Logging) on one month of
real-world workloads show that KCAL reduces the runtime overhead
from more than 40% to less than 15%, and reduces space consumption by
90% on average. KCAL achieves this reduction with 4% CPU consumption
on average, whereas a state-of-the-art user-space log-reduction
technique must permanently occupy a processor at more than 95% CPU
consumption.
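To make the in-kernel idea concrete, the following added model (not KCAL's code; the abstract does not give its cache design) keeps a small cache next to each subject (a stand-in for task_struct) and each object (a stand-in for the inode) and decides at event-generation time whether a read or write adds a new causal dependency. The suppression rule is the usual causality-preserving one assumed here: a repeated read is redundant until the object is rewritten, and a repeated write is redundant until someone reads the object; all event data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    syscall: str  # "read" or "write"
    obj: str      # object id; the sample values below are constructed paths

@dataclass
class ObjState:                # stand-in for cache state hung off the inode
    version: int = 0           # bumped on every emitted write
    read_since_write: bool = False

class Reducer:
    def __init__(self):
        self.objs = {}         # obj -> ObjState
        self.tasks = {}        # pid -> {(syscall, obj): version}, per-task cache
        self.logged, self.suppressed = [], 0

    def submit(self, ev):
        """Decide at event-generation time: True = emit, False = suppress."""
        st = self.objs.setdefault(ev.obj, ObjState())
        cache = self.tasks.setdefault(ev.pid, {})
        key = (ev.syscall, ev.obj)
        seen = cache.get(key) == st.version
        if ev.syscall == "read":
            redundant = seen   # same task, same object, unchanged since then
        else:
            # a repeated write is new information once anyone has read the
            # object since this task's last emitted write (next read depends on it)
            redundant = seen and not st.read_since_write
        if redundant:
            self.suppressed += 1
            return False
        if ev.syscall == "write":
            st.version += 1
            st.read_since_write = False
        else:
            st.read_since_write = True
        cache[key] = st.version
        self.logged.append(ev)
        return True

def replay(events):
    r = Reducer()
    for ev in events:
        r.submit(ev)
    return r

SAMPLE = [Event(*e) for e in [      # constructed workload, not measured data
    (1, "write", "/tmp/out"), (1, "write", "/tmp/out"), (1, "write", "/tmp/out"),
    (2, "read", "/tmp/out"), (2, "read", "/tmp/out"),
    (1, "write", "/tmp/out"),       # kept: pid 2 read the file in between
    (2, "read", "/tmp/out"),        # kept: the content changed
]]
```

Replaying SAMPLE emits 4 of the 7 events; the two kept events at the end show why a plain "drop duplicates" cache would lose the dependency between the second write and the second read.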