UserLevelAudit - A User-level Framework for Auditing and...

A User-level Framework for Auditing and Monitoring

Wu Yongzheng, Roland H. C. Yap
School of Computing, National University of Singapore
{wuyongzh, ryap}@comp.nus.edu.sg

Abstract

Logging and auditing is an important system facility for monitoring correct system operation and for detecting potential security problems. We present an architecture for implementing user-level auditing monitors which: (i) does not require superuser privileges; (ii) makes it simple to create user defined monitors which are transparent; and (iii) provides security guarantees such as mandatory and reliable monitoring while maintaining confidentiality of setuid processes. We avoid problems of self-referential monitoring. Monitor use policies can be specified to increase flexibility. We show that our framework can be tailored so that it is very efficient with low overhead on macro and micro benchmarks. This demonstrates that it is feasible to make use of arbitrary and programmable user-level monitors for system security and auditing applications.

1. Introduction and Overview

Logging and auditing are important operating system facilities used to help monitor correct system operation and to detect potential security problems. In Unix systems, logging is traditionally application based. The application itself controls what is being logged through the system logging mechanism syslog, e.g. security audit log messages generated by login, su, etc. The drawback of application logging is that, since it is under the control of an application which may be compromised or malicious, no security guarantees are possible. More secure versions of Unix have finer grained auditing mechanisms to satisfy the Trusted Computer System Evaluation Criteria (TCSEC) or Common Criteria (CC) security requirements. The Solaris Basic Security Module [7] for example defines kernel auditing events which can serve to log certain system calls. Such auditing is typically system-wide on all processes and requires administrator privileges.

Traditional auditing mechanisms are designed mainly for system audit trail purposes. As such, they are not sufficient for the needs of more demanding security monitoring applications such as intrusion detection systems (IDS), determining correct application behavior, detecting improper system usage, etc. In this paper, we present an approach to auditing and monitoring which is sufficiently flexible for a variety of applications. We provide a kernel extension which enables easy programming of user level (as opposed to kernel level) monitors for observing the effects of system calls made by specified processes of interest. Our philosophy is to separate mechanism from policy. A kernel-level mechanism provides transparent, secure and efficient monitoring, while the core logic and functionality is encapsulated in a user-level monitor. Having a user-space monitor means that we do not have to worry about code safety issues unlike a kernel-level one. As ...
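To make the three guarantees concrete (no superuser needed, user-defined monitor logic, confidentiality of setuid processes) together with the refusal of self-referential monitoring, here is an added Python model of a monitor-use policy and a small user-level monitor. It is not the authors' kernel extension; the `Process`/`Monitor` records, the policy rules, the event names and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

ROOT_UID = 0  # assumed convention for the superuser

@dataclass(frozen=True)
class Process:
    """Constructed view of a process as a monitor-use policy would see it."""
    pid: int
    uid: int          # owner of the process
    setuid: bool      # running a setuid binary, e.g. su or passwd

@dataclass
class Monitor:
    """A user-level monitor: who runs it and which pids it may observe."""
    pid: int
    uid: int
    watched: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

def may_monitor(mon: Monitor, target: Process) -> Tuple[bool, str]:
    """Assumed monitor-use policy: a non-root user may watch only its own
    non-setuid processes, and a monitor never watches itself."""
    if target.pid == mon.pid:
        return False, "self-referential monitoring refused"
    if mon.uid == ROOT_UID:
        return True, "root may monitor any process"
    if target.uid != mon.uid:
        return False, "target not owned by the monitoring user"
    if target.setuid:
        return False, "setuid process is confidential to non-root monitors"
    return True, "ok"

def attach(mon: Monitor, target: Process) -> bool:
    """Put a process under observation only if the policy allows it."""
    allowed, _ = may_monitor(mon, target)
    if allowed:
        mon.watched.add(target.pid)
    return allowed

def on_syscall(mon: Monitor, pid: int, name: str, path: str,
               allowed_prefix: str = "/home/alice/") -> Optional[str]:
    """User-defined policy (constructed): flag destructive file operations by a
    watched process outside its expected directory. Events for pids not in
    scope are ignored, since only watched processes are delivered."""
    if pid not in mon.watched:
        return None
    if name in ("open_for_write", "unlink", "rename") and not path.startswith(allowed_prefix):
        mon.alerts.append((pid, name, path))
        return "alert"
    return "ok"
```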