System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS. In this paper, we demonstrate how to adapt commodity audit frameworks to RTS. Using Linux Audit as a case study, we first demonstrate that the volume of audit events generated by commodity frameworks is unsustainable within the temporal and resource constraints of real-time (RT) applications. To address this, we present Ellipsis, a set of kernel-based reduction techniques that leverage the periodic, repetitive nature of RT applications to aggressively reduce the costs of system-level auditing. Ellipsis generates succinct descriptions of RT applications' expected activity while retaining a detailed record of unexpected activities, enabling analysis of suspicious activity while meeting temporal constraints. Our evaluation of Ellipsis using ArduPilot (an open-source autopilot application suite) demonstrates up to a 93% reduction in audit log generation.
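To make the reduction idea concrete, the following is an added user-space sketch (not Ellipsis's kernel implementation and not code from the paper): a periodic task's expected per-iteration system-call sequence is modelled as a template, runs of iterations that match it are collapsed into one summary record, and any event that deviates from the template is kept verbatim. The template, event fields and sample stream are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    ts: float      # timestamp in seconds (constructed sample data)
    pid: int
    syscall: str   # system call name as an audit record would carry it
    arg: str       # coarse argument descriptor, e.g. "fd=3"

# Hypothetical expected sequence of one loop iteration of a periodic
# sensor-to-actuator control task (assumed, not taken from ArduPilot).
TEMPLATE: List[Tuple[str, str]] = [
    ("clock_nanosleep", "-"),   # wait for the next period
    ("read", "fd=3"),           # read sensor data
    ("ioctl", "fd=4"),          # query device state
    ("write", "fd=5"),          # command the actuator
]

def reduce_log(events: List[Event], template: List[Tuple[str, str]]) -> List[str]:
    """Collapse consecutive template-matching iterations into one summary
    record each; every non-matching event is emitted in full."""
    out: List[str] = []
    n = len(template)
    run: Optional[Tuple[int, float, float, int]] = None  # pid, first, last, count
    i = 0

    def flush() -> None:
        nonlocal run
        if run is not None:
            pid, first, last, count = run
            out.append(f"EXPECTED pid={pid} iterations={count} "
                       f"from={first:.3f} to={last:.3f}")
            run = None

    while i < len(events):
        window = events[i:i + n]
        matches = (len(window) == n
                   and all((e.syscall, e.arg) == t for e, t in zip(window, template))
                   and len({e.pid for e in window}) == 1)
        if matches:
            pid = window[0].pid
            if run is not None and run[0] != pid:
                flush()                        # a different task starts its own run
            run = ((pid, window[0].ts, window[-1].ts, 1) if run is None
                   else (pid, run[1], window[-1].ts, run[3] + 1))
            i += n
        else:
            flush()                            # an anomaly ends the run; keep it verbatim
            e = events[i]
            out.append(f"UNEXPECTED ts={e.ts:.3f} pid={e.pid} "
                       f"syscall={e.syscall} arg={e.arg}")
            i += 1
    flush()
    return out

def sample_events() -> List[Event]:
    """Constructed stream: 3 clean iterations, one unexpected openat, 2 more."""
    evs, ts = [], 0.0
    for it in range(5):
        if it == 3:
            evs.append(Event(ts, 100, "openat", "path=/tmp/unexpected")); ts += 0.001
        for sc, arg in TEMPLATE:
            evs.append(Event(ts, 100, sc, arg)); ts += 0.001
    return evs
```

On the constructed stream, 21 raw events reduce to three records, with the unexpected `openat` preserved in full between two summaries.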