Tamper-evident logging is paramount for forensic audits and accountability subsystems. It is based on a forward integrity model: upon intrusion, the attacker is not able to counterfeit the logging data generated before controlling the system. There are local and distributed solutions to this problem. Distributed solutions are suitable for common scenarios, albeit not appropriate for autonomous and loosely connected systems. Moreover, they can be complex and introduce new security issues. Traditional local tamper-evident logging systems use cryptographic ratchets. In previous works, we presented SealFS (from now on, SealFSv1), a system that follows a radically different approach for local tamper-evident logging based on keystream storage. In this paper, we present a new version, SealFSv2, which combines ratcheting and storage-based log anti-tamper protection. This new approach is flexible and enables the user to decide between complete theoretical security (like in SealFSv1) and partial linear degradation (like in a classical ratchet scheme), exchanging storage for computation with user-defined parameters to balance security and resource usage. We also describe an implementation of this scheme. This implementation, which showcases our approach, is an optimized evolution of the original Linux kernel module. It implements a stackable file system that enables transparent tamper-evident logging to all user space applications and provides instant deployability. Last, we present a complete performance evaluation of our current implementation and a fair performance comparison of the two opposite approaches for local tamper-evident logging (i.e., storage-based vs. ratcheting). This comparison suggests that, on current systems and general-purpose hardware, the storage-based approach and hybrid schemes perform better than the traditional ratchet approach.
Frida is a powerful dynamic analysis tool that uses different mechanisms to hijack the control flow of the analyzed process and is capable of communicating with external tools. The code of the process is manipulated to intercept the function calls and analyze them. Frida is * This work is partially funded under the Proyectos de Generación de Conocimiento 2021 call of Ministry of Science and Innovation of Spain co-funded by the European Union, project PID2021-126592OB-C22 CASCAR/DMARCE. commonly used to analyze suspicious programs and malware. Nevertheless, the function call interception mechanisms can be circumvented by malicious code. In this paper, we describe the different techniques to detect Frida and a novel technique to bypass those interception mechanisms. We also describe a generic mitigation method based on standard Linux capabilities, specifically the Page Table Entry (PTE) inspection mechanisms. This method is generic and does not depend on specialized hardware. Finally, we present an open source implementation, gopper, a lightweight stand-alone tool that watches a process to detect anomalous and suspicious behaviors without interference.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.