Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.

Lu Jun,Liu Daxin,Ding Dayong

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.06.016

2006-01-01

Abstract:This paper summarized methods of detecting file modification.We put forward log-watching one another by using affixed log for defending internal attack.Watching log and affixed log watch each other,so they can inspect malicious attack from internal skill attacker.To multilevel-log method,log-watching method economizes more resource and system spending.It is more efficiently.

Xin Xu,Wei Wang,Jingqiang Lin,Zhen Yang,Haoling Fan,Qiongxiao Wang

DOI: https://doi.org/10.1109/icccn54977.2022.9868883

2022-01-01

Abstract:Conventional data integrity solutions for Version Control Systems (VCSs) include hash verification, commit signature and log-based schemes. However, existing schemes either bring heavy burden to the VCS client, or place high requirements on the VCS server. These schemes are incapable of offering a lightweight service. Moreover, existing schemes cannot offer corruption provenance that facilitates corruption location and version recovery. To address these challenges, we present LiTIV, a lightweight traceable data integrity verification scheme for VCS. LiTIV introduces a third-party verification server, namely Data Verifier (DV), which effectively reduces impacts on the VCS client and server. LiTIV exploits index history table (IHT) along with signed commit information to achieve both integrity and traceability. Besides, a balanced Merkle hash tree (BMT) is designed and adopted to achieve fast data updating and efficient integrity verification. In case of malicious tampering of V CS file system disks, LiTIV can rely on the BMT structure to effectively detect implicit inconsistency, and achieve backtracking for tam-pering provenance with IHT query. We also design a probabilistic sampling verification mechanism on historical commits to achieve high performance under security premise. Extensive evaluations show that LiTIV achieves traceable integrity security against various attacks and is highly efficient.

Sepideh Avizheh,Reihaneh Safavi-Naini,Shuai Li

DOI: https://doi.org/10.48550/arXiv.1910.14169

2019-10-31

Abstract:Logging systems are an essential component of security systems and their security has been widely studied. Recently (2017) it was shown that existing secure logging protocols are vulnerable to crash attack in which the adversary modifies the log file and then crashes the system to make it indistinguishable from a normal system crash. The attacker was assumed to be non-adaptive and not be able to see the file content before modifying and crashing it (which will be immediately after modifying the file). The authors also proposed a system called SLiC that protects against this attacker. In this paper, we consider an (insider) adaptive adversary who can see the file content as new log operations are performed. This is a powerful adversary who can attempt to rewind the system to a past state. We formalize security against this adversary and introduce a scheme with provable security. We show that security against this attacker requires some (small) protected memory that can become accessible to the attacker after the system compromise. We show that existing secure logging schemes are insecure in this setting, even if the system provides some protected memory as above. We propose a novel mechanism that, in its basic form, uses a pair of keys that evolve at different rates, and employ this mechanism in an existing logging scheme that has forward integrity to obtain a system with provable security against adaptive (and hence non-adaptive) crash attack. We implemented our scheme on a desktop computer and a Raspberry Pi, and showed in addition to higher security, a significant efficiency gain over SLiC.

Cryptography and Security

Jingyu Zhou,Giovanni Vigna

DOI: https://doi.org/10.1109/csac.2004.17

2004-01-01

Abstract:Host security is achieved by securing both the operating system kernel and the privileged applications that run on top of it. Application-level bugs are more frequent than kernel-level bugs, and, therefore, applications are often the means to compromise the security of a system. Detecting these attacks can be difficult, especially in the case of attacks that exploit application-logic errors. These attacks seldom exhibit characterizing patterns as in the case of buffer overflows and format string attacks. In addition, the data used by intrusion detection systems is either too low-level, as in the case of system calls, or incomplete, as in the case of syslog entries. This paper presents a technique to enforce nonbypassable, application-level auditing that does not require the recompilation of legacy systems. The technique is implemented as a kernel-level component, a privileged daemon, and an offline language tool. The technique uses binary rewriting to instrument applications so that meaningful and complete audit information can be extracted. This information is then matched against application-specific signatures to detect attacks that exploit application-logic errors. The technique has been successfully applied to detect attacks against widely-deployed applications, including the Apache Web server and the OpenSSH server.

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Ennan Zhai,Qingni Shen,Yonggang Wang,Tao Yang,Liping Ding,Sihan Qing

DOI: https://doi.org/10.1007/978-3-642-20291-9_38

2011-01-01

Abstract:Host compromise is a serious security problem for operating systems. Most previous solutions based on integrity protection models are difficult to use: on the other hand, usable integrity protection models can only provide limited protection. This paper presents SecGuard, a secure and practical integrity protection model. To ensure the security of systems. SecGuard provides provable guarantees for operating systems to defend against three categories of threats: network-based threat, IPC communication threat and contaminative file threat. To ensure practicability, SecGuard introduces several novel techniques. For example, SecGuard leverages the information of existing discretionary access control information to initialize integrity labels for subjects and objects in the system. We developed the prototype system of SecGuard based on Linux Security Modules framework (LSM), and evaluated the security and practicability of SecGuard.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ISPA.2009.32

2009-01-01

Abstract:Auditable file system is used to track the usage of the file system including the operations like read and write. Auditable file system keeps the trails of userspsila action and the trails are kept faithfully for future auditing. However, as the logs are still kept within the same file system, it will be quite vulnerable to be exposed as malware penetrating the system. Even with the file system hiding the logs, the skillful attacker can still analyze the on-disk structure to get and modify the logs. Thus the logs should be kept separate from the working system. Virtual machines can provide such separation as virtual machines can hold the whole operating system while still keep the system apart from the metal hardware. We propose a method of secure logging for auditable file system using a logging virtual machine. The logs are kept in another virtual machine safely. Even the working virtual machine is broken; the logs are not exposed to the outside. By the isolation provided by virtual machines, the logs can be kept safe and valid. The high privileged user can not modify the logs contents, or forge the logs and data to keep consistency, or pretend to be another user for doing un-authorized actions. We have done several works as well as a prototype system to show the feasibility of such approach. Experiments show that the logging virtual machine will not bring too much overhead.

Changhua Chen,Tingzhen Yan,Chenxuan Shi,Hao Xi,Zhirui Fan,Hai Wan,Xibin Zhao

DOI: https://doi.org/10.1109/tifs.2024.3459616

IF: 7.231

2024-10-18

IEEE Transactions on Information Forensics and Security

Abstract:Cyberattacks have caused significant damage and losses in various domains. While existing attack investigations against cyberattacks focus on identifying compromised system entities and reconstructing attack stories, there is a lack of information that security analysts can use to locate software vulnerabilities and thus fix them. In this paper, we present AiVl, a novel software vulnerability location method to push the attack investigation further. AiVl relies on logs collected by the default built-in system auditing tool and program binaries within the system. Given a sequence of malicious log entries obtained through traditional attack investigations, AiVl can identify the functions responsible for generating these logs and trace the corresponding function call paths, namely the location of vulnerabilities in the source code. To achieve this, AiVl proposes an accurate, concise, and complete specific-domain program modeling that constructs all system call flows by static-dynamic techniques from the binary, and develops effective matching-based algorithms between the log sequences and program models. To evaluate the effectiveness of AiVl, we conduct experiments on 18 real-world attack scenarios and an APT, covering comprehensive categories of vulnerabilities and program execution classes. The results show that compared to actual vulnerability remediation reports, AiVl achieves a 100% precision and an average recall of 90%. Besides, the runtime overhead is reasonable, averaging at 7%.

computer science, theory & methods,engineering, electrical & electronic

Yingjiu Li,Sushil Jajodia,X. Sean Wang

2003-01-01

Abstract:This thesis reports a systematic study of data protection in three different, yet related, scenarios. The first scenario is to guard relational data against unauthorized redistribution or data piracy. In this scenario, the data is released to users who have full control over the use of data but are restricted from any redistribution. A novel technique is presented for embedding fingerprints in database relations so that the original recipient of the data can be identified. In our scheme, one secret key (with or without primary key attributes in database relations) is used to decide the way how a fingerprint is embedded. Rigorous analysis shows that, with high probability, a detected fingerprint is indeed the fingerprint originally embedded, and embedded fingerprints cannot be modified or erased by a variety of attacks, including bits flipping, tuple addition and deletion; secret key guessing, and collusion among multiple recipients of the same relation. In addition, as a special case of fingerprinting, a robust watermarking scheme is also presented for relational databases. The second scenario is to protect the privacy of individual data value against interval-based inference from aggregation queries. Different from the first scenario in which the data is released to users, this scenario is about data that are controlled by its owner. Users are allowed to access the data through aggregation queries. An individual data value is said to be compromised if an accurate enough interval, called inference interval, is obtained from aggregation results such that the actual data value must fall into the interval. Our study shows that it is intractable to audit interval-based inference for bounded integer values; while for bounded real values, the auditing problem has a polynomial time complexity involving mathematical programming with a large number of constraints and/or variables. The last scenario is to detect anomaly from usage log data. Different from the first scenario in which the data are released to users as well as the second scenario in which the data are allowed to be queried by users, this scenario is about using log data to build profiles for user normal behaviors and detect suspicious anomalies that deviate from the profiles. Experiments show that our proposed method is more flexible and precise than previous methods that do not use time information or simply use fixed partition of time intervals in profiling. (Abstract shortened by UMI.)

Chen Zhi,Jianwei Yin,Junxiao Han,Shuiguang Deng

DOI: https://doi.org/10.1109/apsec51365.2020.00058

2020-01-01

Abstract:Logging is a common practice to collect valuable runtime information about software systems. However, information written to log files can be sensitive and give valuable guidance to attackers. In fact, information exposure through logging is not uncommon. Even large-scale online services (e.g., Facebook and Twitter) have reported exposing sensitive information via log files, and hundreds of millions of users are affected. Despite the severity of such vulnerabilities, there is no existing work that studies such vulnerabilities in the real-world context, and we have little knowledge about them. To fill this gap, we conduct a preliminary study on 413 real-world vulnerabilities to investigate the exploitability and root causes of such vulnerabilities. By analyzing these vulnerabilities, we find that 1) about two-third (67.8%) vulnerabilities can be exploited via the network, and a significant amount (89.3%) of vulnerabilities can be exploited with low efforts; 2) malicious users and insiders can use about half of (46.9%) proof-of-concept exploits to launch attacks without any expertise; 3) the top three common root causes for the vulnerabilities are insecure whole-object logging (43.4%), incorrect permission assignment (17.5%), and improper implementation of sanitization (11.2%). Based on the findings, we also discuss the implications for researchers and practitioners. We believe our work can inspire further work on detecting and fixing the vulnerabilities.

Zhihong Tian,Bin Li,Hongli Zhang

DOI: https://doi.org/10.1109/ICCIAS.2006.294212

2006-01-01

Abstract:It is well-known that current Intrusion Detection Systems produce large numbers of false alerts. Those low quality alerts make it very hard for administrators to understand and take appropriate actions. To deal with false positive, in this paper, an attack-feedback-based approach is introduced to verify the success of attacks. This method processes each packet as soon as it is received. When a suspect packet is indicative of an attack on an existing network service, the effects of that packet on the host will be further tracked by following the causal dependencies. The experimental results have shown that the proposed technique is highly effective in reducing the alert volume and verifying the success of intrusion attempts.

Jie Lin,Chuanyi Liu,Binxing Fang

DOI: https://doi.org/10.1145/2660267.2662377

2014-01-01

Abstract:Building a trustworthy cloud is critical for its practical use. Most current researches usually take integrity measurements using trusted computing to address trust issue, such as integrity measurement architecture (IMA) implemented in Linux kernel. However, some runtime attacks intrude the system while not tampering with the programs, which cannot be detected by integrity mechanism. We call them non-tampering attacks. This paper presents TraceVirt, a framework for detecting these non-tampering attacks, which combines the strong isolation and event-driven capacity to log runtime information. The logging data is processed by remote intrusion analysis cluster to analyze potential attacks. The experimental results show that TraceVirt can detect the real world non-tampering attacks and the performance overhead is acceptable.

Sean Weerakkody,Yilin Mo,Bruno Sinopoli

DOI: https://doi.org/10.1109/cdc.2014.7039974

2014-01-01

Abstract:Ensuring the security of control systems against integrity attacks is a major challenge. Due to the events of Stuxnet, replay attacks in particular have been considered by the research community. Replaying previous measurements of a system in steady state allows an adversary to generate statistically correct virtual outputs which can bypass traditional detectors. The adversary can then inject destabilizing inputs to cause damage to the plant. The method of injecting secret noisy control inputs, or physical watermarking, has recently been proposed to detect replay attacks. However, the proposed watermarking design methods assume that the adversary does not use his potential access to real time communication channels to create stealthy virtual outputs to send to the defender. In this paper, we formulate an attack model for an adversary who uses knowledge of the system as well as access to a subset of real time control inputs and sensor outputs to construct stealthy virtual outputs. A robust physical watermark and detector to counter such an adversary is proposed.

Tao Qin,Yuli Gao,Lingyan Wei,Zhaoli Liu,Chenxu Wang

DOI: https://doi.org/10.1049/iet-net.2017.0188

2018-01-01

IET Networks

Abstract:Log analysis is an efficiency way to detect threats by scrutinizing the events recorded by the operating systems and devices. However, it is more and more difficult to discover threats accurately due to the massive amount of logs and their various formats. Focusing on this problem, the authors propose a method for potential threats mining based on the correlation analysis of multi-type logs. First...

George R. S. Weir,Andreas Aßmuth

2024-05-03

Abstract:Effective activity and event monitoring is an essential aspect of digital forensic readiness. Techniques for capturing log and other event data are familiar from conventional networked hosts and transfer directly to the Cloud context. In both contexts, a major concern is the risk that monitoring systems may be targeted and impaired by intruders seeking to conceal their illicit presence and activities. We outline an approach to intrusion monitoring that aims (i)~to ensure the credibility of log data and (ii)~provide a means of data sharing that supports log reconstruction in the event that one or more logging systems is maliciously impaired.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

William Pourmajidi,Andriy Miranskyy

DOI: https://doi.org/10.1109/CLOUD.2018.00150

2018-05-23

Abstract:During the normal operation of a Cloud solution, no one usually pays attention to the logs except technical department, which may periodically check them to ensure that the performance of the platform conforms to the Service Level Agreements. However, the moment the status of a component changes from acceptable to unacceptable, or a customer complains about accessibility or performance of a platform, the importance of logs increases significantly. Depending on the scope of the issue, all departments, including management, customer support, and even the actual customer, may turn to logs to find out what has happened, how it has happened, and who is responsible for the issue. The party at fault may be motivated to tamper the logs to hide their fault. Given the number of logs that are generated by the Cloud solutions, there are many tampering possibilities. While tamper detection solution can be used to detect any changes in the logs, we argue that critical nature of logs calls for immutability. In this work, we propose a blockchain-based log system, called Logchain, that collects the logs from different providers and avoids log tampering by sealing the logs cryptographically and adding them to a hierarchical ledger, hence, providing an immutable platform for log storage.

Cryptography and Security,Software Engineering

Qian Zhenjiang,Liu Wei,Huang Hao

IF: 1.019

2014-01-01

Chinese Journal of Electronics

Abstract:Microkernel integrity is an important aspect of security for the whole microkernel system. Many of the research works on microkernel integrity focus on analysis and safeguards against the existing kernel attacks, and security enhancements for the vulnerabilities of system design and implementation aspects. The formal methods for operating system design and verification ensure the system's high level of security. The existing formalization work and research for operating system mainly focus on the code-level verification of program correctness. In this paper, we propose a formal abstraction model of microkernel in order to accurately describe the semantics of every kernel behavior, and achieve the description of the whole kernel. Based on the model we illustrate the microkernel integrity criterions and elaborate on the integrity mechanism. Meanwhile, we formally verify the completeness and consistency between the mechanism and the definition of the microkernel integrity. We use the self-implemented operating system VTOS (Verified trusted operating system) as an example to illustrate the design method for the microkernel integrity.

Lein Harn,Hung-Yu Lin,Shoubao Yang

DOI: https://doi.org/10.1016/0167-4048(92)90130-J

1992-01-01

Abstract:This paper describes a software authentication technique based on the public key cryptography for information integrity. The software provider can use a secret key to sign any released program and the user can verify the integrity of programs obtained from vendors or a ''trusted information database''. The software provider needs to go through a registration process to become ''licensed'' and obtains certificates from multiple certificate centers before being able to sign any released program. Users need only one public key to verify the integrity of the programs.

Shubham S. Srivastava,Medha Atre,Shubham Sharma,Rahul Gupta,Sandeep K. Shukla

DOI: https://doi.org/10.48550/arXiv.1901.00228

2019-01-02

Abstract:Integrity and security of the data in database systems are typically maintained with access control policies and firewalls. However, insider attacks -- where someone with an intimate knowledge of the system and administrative privileges tampers with the data -- pose a unique challenge. Measures like append only logging prove to be insufficient because an attacker with administrative privileges can alter logs and login records to eliminate the trace of attack, thus making insider attacks hard to detect. In this paper, we propose Verity -- first of a kind system to the best of our knowledge. Verity serves as a dataless framework by which any blockchain network can be used to store fixed-length metadata about tuples from any SQL database, without complete migration of the database. Verity uses a formalism for parsing SQL queries and query results to check the respective tuples' integrity using blockchains to detect insider attacks. We have implemented our technique using Hyperledger Fabric, Composer REST API, and SQLite database. Using TPC-H data and SQL queries of varying complexity and types, our experiments demonstrate that any overhead of integrity checking remains constant per tuple in a query's results, and scales linearly.

Databases,Distributed, Parallel, and Cluster Computing