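@inproceedings{ahmad2022hardlog,
  author        = {Ahmad, Adil and Lee, Sangho and Peinado, Marcus},
  title         = {{HardLog}: Practical Tamper-Proof System Auditing Using a Novel Audit Device},
  booktitle     = {43rd {IEEE} Symposium on Security and Privacy ({Oakland} 2022)},
  year          = {2022},
  month         = may,
  abstract      = {Audit systems maintain detailed logs of security-related events on enterprise machines to forensically analyze potential incidents. In principle, these logs should be safely stored in a secure location (e.g., network storage) as soon as they are produced, but this incurs prohibitive slowdown to a monitored machine. Hence, existing audit systems protect batched logs asynchronously (e.g., after tens of seconds), but this allows attackers to tamper with unprotected logs. This paper presents HardLog, a practical and effective system that employs a novel audit device to provide fine-grained log protection with minimal performance slowdown. HardLog implements criticality-aware log protection: it ensures that logs are synchronously protected in the audit device before an infrequent security-critical event is allowed to execute, but logs are asynchronously protected on frequent non-critical events to minimize performance overhead. Importantly, even on non-critical events, HardLog ensures bounded-asynchronous protection: it sends log entries to the audit device within a tiny, bounded delay from their creation using well-known real-time techniques. To demonstrate HardLog's effectiveness, we prototyped an audit device using commodity components and implemented a reference audit system for Linux. Our prototype achieves a bounded protection delay of 15 milliseconds at non-critical events alongside undelayed protection at critical events. We also show that, for diverse real-world programs, HardLog incurs a geometric mean performance slowdown of only 6.3\% (the percent sign is escaped so it is not read as a LaTeX comment when the abstract is printed), hence it is suitable for many real-world deployment scenarios.},
  url           = {http://approjects.co.za/?big=en-us/research/publication/hardlog-practical-tamper-proof-system-auditing-using-a-novel-audit-device/},
  internal-note = {The url host does not match the venue publisher named in booktitle ({IEEE}); confirm the link against the publisher or author record before relying on it. month uses the predefined macro so styles can localise it; the product name and acronyms in title/booktitle are braced to survive style recasing.},
}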