Towards trustworthy foundations for operating system Forensics
Paccagnella, Riccardo
Permalink
https://hdl.handle.net/2142/105946
Description
- Title
- Towards trustworthy foundations for operating system Forensics
- Author(s)
- Paccagnella, Riccardo
- Issue Date
- 2019-07-12
- Director of Research (if dissertation) or Advisor (if thesis)
- Bates, Adam M
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- operating systems
- forensics
- secure logging
- audit logs
- system auditing framework
- tamper-evident logging
- kernel race condition
- asynchronous logging
- forward integrity
- Abstract
- System logging is an essential component of building and maintaining secure systems. Unfortunately, attackers regularly engage in anti-forensic activities after a break-in, covering their tracks from system logs in order to frustrate the efforts of investigators. In response to this threat, a variety of secure logging solutions have appeared in the industry and the literature that attempt to provide tamper-resistance (e.g., Write-Once-Read-Many drives, remote storage servers) or tamper-evidence (e.g., cryptographic integrity proofs) for system logs. However, these approaches have not seen widespread adoption and moreover do not address the operational requirements of system-layer auditing frameworks. As such, the vast majority of system logs today remain vulnerable to adversarial tampering and removal. In this thesis, we revisit the goal of secure logging within the context of standard operating system abstractions. We introduce Custos, a comprehensive framework for the detection and prevention of tampering in system logs. Custos enables real-time detection of log integrity violations within an enterprise-class network while being minimally invasive to the underlying logging framework. Next, we present and validate an in-memory attack on the integrity of auditing frameworks. Our attack exploits the intrinsically asynchronous nature of I/O and IPC activity, demonstrating that an attacker can snatch the very evidence of their own intrusion out of message buffers before it is securely recorded. Finally, we present KennyLoggings, the first kernel-based tamper evident logging scheme that cryptographically secures event records at the moment of the event’s occurrence. We demonstrate that our systems are practical and impose modest (< 10%) costs to the operating system, while being able to detect violations even in the presence of powerful distributed adversaries. 
More generally, the systems presented in this thesis dramatically mitigate the threat of a covert anti-forensic attacker, enabling analysts to inspect a verifiable chain of custody for forensic data. Thus, this thesis demonstrates a viable path forward to achieving trustworthy foundations for operating system forensics.
- Graduation Semester
- 2019-08
- Type of Resource
- text
- Permalink
- http://hdl.handle.net/2142/105946
- Copyright and License Information
- Copyright 2019 Riccardo Paccagnella
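The abstract describes tamper-evident logging with forward integrity: each event record is cryptographically bound at the moment it occurs, so that an attacker who later compromises the host cannot silently edit or remove earlier records. The block below is an added example written for this page to illustrate that property; it is not the Custos or KennyLoggings implementation from the thesis. It uses the textbook forward-secure MAC construction (a per-record HMAC chained to the previous tag, with the key evolved through a one-way hash after every record and the old key erased). The sample audit records, the initial key, and all function and class names are constructed for the example.

```python
import hashlib
import hmac

TAG_LEN = 32
GENESIS = bytes(TAG_LEN)  # constant "previous tag" for the first record


def evolve_key(key: bytes) -> bytes:
    """One-way key evolution: K_{i+1} = SHA-256("evolve" || K_i).
    Once K_i is erased, a later compromise yields no key that can re-tag record i."""
    return hashlib.sha256(b"evolve" + key).digest()


def record_tag(key: bytes, index: int, prev_tag: bytes, record: bytes) -> bytes:
    """HMAC over (index, previous tag, record): chains each entry to its predecessor."""
    msg = index.to_bytes(8, "big") + prev_tag + record
    return hmac.new(key, msg, hashlib.sha256).digest()


class ForwardSecureLog:
    """Appender that tags every record with the current epoch key, then evolves the key."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._index = 0
        self._prev = GENESIS
        self.entries = []  # list of (index, record, tag) as they would be written to disk

    def append(self, record: bytes) -> bytes:
        t = record_tag(self._key, self._index, self._prev, record)
        self.entries.append((self._index, record, t))
        self._prev = t
        self._index += 1
        self._key = evolve_key(self._key)  # old key is now unrecoverable from this process
        return t


def verify(initial_key: bytes, entries, expected_count=None):
    """Re-derive every epoch key from the initial key (held only by the trusted verifier)
    and walk the chain. Returns (ok, position): position is the number of verified
    entries on success, or the position of the first bad entry on failure."""
    key, prev = initial_key, GENESIS
    for pos, (index, record, t) in enumerate(entries):
        if index != pos:  # gap or reorder: a deleted entry shows up here
            return False, pos
        if not hmac.compare_digest(t, record_tag(key, index, prev, record)):
            return False, pos
        prev, key = t, evolve_key(key)
    if expected_count is not None and len(entries) != expected_count:
        return False, len(entries)  # truncation: chain is valid but too short
    return True, len(entries)


# Constructed sample records in an auditd-like flavour (not real audit output).
SAMPLE_RECORDS = [
    b"type=SYSCALL syscall=execve exe=/usr/bin/ssh uid=1000",
    b"type=SYSCALL syscall=openat name=/etc/shadow uid=0",
    b"type=SYSCALL syscall=unlink name=/var/log/auth.log uid=0",
    b"type=SYSCALL syscall=execve exe=/usr/bin/bash uid=0",
]
INITIAL_KEY = hashlib.sha256(b"example initial key").digest()  # constructed, not a real secret


def build_sample_log() -> ForwardSecureLog:
    log = ForwardSecureLog(INITIAL_KEY)
    for r in SAMPLE_RECORDS:
        log.append(r)
    return log


def demo() -> dict:
    """Run the verifier against the intact log and three anti-forensic edits."""
    log = build_sample_log()
    n = len(SAMPLE_RECORDS)
    results = {"intact": verify(INITIAL_KEY, log.entries, n)}

    # 1. Attacker rewrites record 1 and re-tags it with the key captured at compromise
    #    time (the current key, K_4). The verifier derives K_1 instead and rejects it.
    edited = list(log.entries)
    idx, _, _ = edited[1]
    fake = b"type=SYSCALL syscall=openat name=/etc/motd uid=0"
    edited[1] = (idx, fake, record_tag(log._key, idx, edited[0][2], fake))
    results["edited"] = verify(INITIAL_KEY, edited, n)

    # 2. Attacker deletes the unlink record; index 3 now sits at position 2.
    deleted = [e for e in log.entries if e[0] != 2]
    results["deleted"] = verify(INITIAL_KEY, deleted, n)

    # 3. Attacker truncates the tail. The chain still verifies, so truncation is only
    #    caught when the verifier knows the expected length (e.g. a trusted counter).
    truncated = log.entries[:3]
    results["truncated_unknown_len"] = verify(INITIAL_KEY, truncated)
    results["truncated_known_len"] = verify(INITIAL_KEY, truncated, n)
    return results


if __name__ == "__main__":
    for name, (ok, pos) in demo().items():
        print(f"{name:22s} ok={ok} position={pos}")
```

The third case is the caveat a practitioner should note: key evolution and chaining detect in-place edits and deletions in the middle of the log, but a chain that is simply cut short still verifies. Real schemes close this gap with a trusted record counter, periodic commitments of the latest tag to a remote party, or an explicit "epoch closed" marker; the example passes the expected length to the verifier to stand in for that mechanism. The example also says nothing about the window between an event and its tagging, which is the asynchronous-buffer attack the abstract describes separately.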
Owning Collections
Dissertations and Theses - Computer Science
Dissertations and Theses from the Dept. of Computer Science
Graduate Dissertations and Theses at Illinois