Custos: Practical Tamper-Evident Auditing of …...Privilege Escalation 5. Log Tampering 10 If the...

Custos: Practical Tamper-Evident Auditing of Operating Systems

Using Trusted Execution

Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan,Adam Bates, Christopher W. Fletcher, Andrew Miller, Dave Tian

Logs Are Useful

2Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution – Riccardo Paccagnella

Logs Are Useful

• 75% of incident response specialists said logs are the most valuable artifact during an investigation.1

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution – Riccardo Paccagnella

1 Carbon Black Quarterly Incident Response Threat Report April 2019

Logs Are Useful

• 75% of incident response specialists said logs are the most valuable artifact during an investigation.1

1 Carbon Black Quarterly Incident Response Threat Report April 2019

Attack Model

Attack pattern:

1. Initial Access2. Establish Foothold3. Download Exploit4. Privilege Escalation5. Log Tampering

Attack ModelAttack pattern:

Logs about the compromise are crucial for forensics!

If the attacker does nottamper with them, we can detect the attack.

If the attacker tampers with them, we can’t detect the attack.

If the attacker does nottamper with them, we can detect the attack.

1. Initial Access2. Establish Foothold3. Download Exploit4. Privilege Escalation5. Log Tampering6. Lateral Movement

Central Server?

Integrity proofs

Design Overview

1) TAMPER-EVIDENT LOGGING

Design Overview

1) TAMPER-EVIDENT LOGGING

2) AUDITING

Logger

sk // secret key

Logger

ENCLAVE

sk // secret keyc // counterH // current hash

Logging:H.Update(mi)

𝝈 = 𝑺𝒊𝒈𝒔𝒌 (𝑯𝒂𝒔𝒉( 𝒎𝟏|| … || 𝒎𝒉||𝒄))

Logger

ENCLAVE

Logging:H.Update(m1)

Logger

ENCLAVE

Logging:H.Update(m2)

Logger

ENCLAVE

Logging:H.Update(mh)

Logger

ENCLAVE

Logger

ENCLAVE

Logger

…Auditor

ENCLAVE

Commitment:H.Update(c)𝜎 = Sigsk(H)H.Init()c++

Logger

…Auditor

ENCLAVE

Auditing

1) CENTRALIZED AUDITING

Auditing

1) CENTRALIZED AUDITING

2) DECENTRALIZED AUDITING

Logger+Auditor

Decentralized Auditing

Auditor z

Logger v ENCLAVE

pkv -> public key of v

Auditor z

Logger v ENCLAVE

audit challenge1

Auditor z

Logger v ENCLAVE

𝝈 = 𝑺𝒊𝒈𝒔𝒌𝒗 (𝑯𝒂𝒔𝒉( 𝒎𝟏|| … || 𝒎𝒉||𝒄))

audit challenge1

Auditor z

Logger v ENCLAVE

audit challenge

logs and 𝜎

Verification (𝜎, m1 , …, mh , c):H = Hash(m1 || … || mh || c)result = Verpk_v(𝜎, H)

Auditor z

Logger v ENCLAVE

audit challenge

logs and 𝜎

Security Analysis

Logging:H.Update(mi)

Logger v

ENCLAVE

Security Analysis

Logger v

ENCLAVE

Attack pattern:1. Initial Access2. Establish Foothold3. Download Exploit4. Privilege Escalation

Security Analysis

Logger v

ENCLAVE

Attack pattern:1. Initial Access2. Establish Foothold3. Download Exploit4. Privilege Escalation5. Log tampering

m’2m’1

m’k…

Security Analysis

Logger v

ENCLAVE

Auditor

ENCLAVE

m’2m’1

m’k…

Security Analysis

Logger v

ENCLAVE

Auditor

ENCLAVE

m’2m’1

m’k…

Security Analysis

Logger v

ENCLAVE

Verification (𝜎, m’1 , …, m’k , c):H = Hash(m’1 || … || m’k || c)result = Verpk_v(𝜎, H)

Auditor

ENCLAVE

m’2m’1

m’k…

Security Analysis

Logger v

ENCLAVE

Auditor

ENCLAVE

m’2m’1

m’k…

Security Analysis

Logger v

ENCLAVE

Auditor

ENCLAVE

m’2m’1

m’k…

Full security analysis on the paper!

Microbenchmarks

1 Karande et al. ”SGX-log: Securing System Logs With SGX." ASIACCS 2017.2 Hartung et al. “Practical and Robust Secure Logging from Fault-Tolerant Sequential Aggregate Signatures”, ProvSec 2017

0.001 0.01 0.1 1 10 100 1000 10000 100000

Custos

SGX-Log

Logging Latency (μs)

Application Benchmarks

00.10.20.30.40.50.60.70.80.9

11.11.2

nginx apache2 redis blast blast-multicore

Insecure Custos

Realistic Case Study

• Deploy Custos on 100 nodes.

• Replay attack from DARPA Transparent Computing engagement:– Professional red-team emulating a nation state attacker.

1. Failed Compromise Attempt (Exploit of

Firefox 54.0.1) 2. Initial Access(Exploit of Firefox 54.0.1)3. Unprivileged Shell

Complete the attack

1. Failed Compromise Attempt (Exploit of

Firefox 54.0.1) 2. Initial Access(Exploit of Firefox 54.0.1)3. Unprivileged Shell

Complete the attack

11:46:17

4. Download Drakon

5. Privilege Escalation (through Drakon binary)6. Log Tampering

11:46:44

11:46:47Custos’ auditingdiscovered log

tampering!

10:5211:42

Conclusion

Conclusion• Log integrity is important.

• Custos is a practical solutionfor log integrity.

Logging:H.Update(mi)m

Logger

ENCLAVE

• Custos can discover log tampering in near real-time.

Logger

ENCLAVE

• Custos can discover log tampering in near real-time.

• https://bitbucket.org/sts-lab/custos

Logger

ENCLAVE

Custos: Practical Tamper-Evident Auditing of …...Privilege Escalation 5. Log Tampering 10 If the...

Documents

Transcript of Custos: Practical Tamper-Evident Auditing of …...Privilege Escalation 5. Log Tampering 10 If the...

Efficient Data Structures for Tamper-Evident Logging...Tamper evident solutions • Current commercial solutions – ‘Write only’ hardware appliances – Security depends on correct

We can custom make your bags Tamper Evident Cash Solutions - … · Tamper Evident Cash Solutions from Versapak By Appointment to Her Majesty the Queen Supplier of Tamper Evident

Non-Printed Tamper-Evident TapeSecurity Tape Strips Seal your cartons for safety with Labelmaster’s Printed Tamper-Evident Tape Strips. These strips provide physical evidence of

tamper evident - Distinctive Medical...TAMPER EVIDENT Maintaining the integrity of items moving around hospitals has never been more important. Our range of tamper evident bags, seals,

U.S. Market for Tamper Evident Caps for IV And Oral Syringes 2013

We can custom make your bags Tamper Evident Cash Solutions · Tamper Evident Cash Solutions from Versapak By Appointment to Her Majesty the Queen Supplier of Tamper Evident Bags and

Purchase of Tamper Evident Envelopes for the University of ... · 2.2 During 2016-17, University of Delhi has procured tamper evident envelopes of about Rs. 4,00,000/- approx. However,

VoteBox: a tamper-evident, veriﬁable electronic voting system · USENIX Association 17th USENIX Security Symposium 349 VoteBox: a tamper-evident, veriﬁable electronic voting system

Holograms Inc. · 3D Hologram Sticker Label 3D Hologram Stickers O u r P r o d u c t s. TAMPER PROOF LABEL Tamper Proof Labels Tamper Proof Label Tamper Proof Label Tamper Evident

STEB's Security Tamper Evident Bags · 2020. 9. 1. · TAMPER EVIDENT BAG Internal transparent pocket to display receipt as proof of purchase at airport duty-free shop, or on board

ly single-use tamper evident sterile seal that provides ... single-use tamper evident sterile seal that provides and maintains a 100% sterile barrier! ly ... ST-ST1102 28 mm Blue 1000

CUSTOS: Practical Tamper-Evident Auditing of Operating ...€¦ · In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists

DOT SUPPLIES - AlcoPro€¦ · 342 Tamper Evident Tape $25.00 Tamper Evident Tape Use Tamper Evident to fasten test results to the Alcohol Test Form. Each box contains two rolls of

InnoSealer Tamper Evident Bag Closing System

Code of practice for tamper-evident packaging of …...Code of practice for tamper-evident packaging of therapeutic goods V2.0 May 2017 Page 9 of 17 • The seal must be intact, complete

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

More About InnoSeal Systems- Tamper Evident Bag Sealer

Tamper Evident Seals - Lasersec · 2017. 4. 11. · Tamper Evident Seal Tamper evident seal application is a fast and easy way to offer your customers a tamper evident container or

E˜ective Use of Tamper Evident Chemical Drum Labels to Combat Product Counterfeiting ... · 2019-04-01 · E˜ective Use of Tamper Evident Chemical Drum Labels to Combat Product

TAMPER-EVIDENT DUAL FREQUENCY RAINFC TRANSPONDER IC