Custos: Practical Tamper-Evident Auditing of Operating Systems
Using Trusted Execution
Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher W. Fletcher, Andrew Miller, Dave Tian
Logs Are Useful
Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution – Riccardo Paccagnella
• 75% of incident response specialists said logs are the most valuable artifact during an investigation.¹
¹ Carbon Black Quarterly Incident Response Threat Report, April 2019
Attack Model
Attack pattern:
1. Initial Access
2. Establish Foothold
3. Download Exploit
4. Privilege Escalation
5. Log Tampering
6. Lateral Movement
Logs about the compromise are crucial for forensics!
If the attacker does not tamper with them, we can detect the attack.
If the attacker tampers with them, we can't detect the attack.
Central Server?
(Figure labels: Logs, Integrity proofs)
Design Overview
1) TAMPER-EVIDENT LOGGING
2) AUDITING
Logger (ENCLAVE)
Enclave state:
sk // secret key
c // counter
H // current hash
Logging:
H.Update(m_i)
Commitment:
H.Update(c)
σ = Sig_sk(H)
H.Init()
c++
Since H has absorbed every message of the current batch followed by the counter, the commitment is σ = Sig_sk(Hash(m1 || … || mh || c)): one signature over the whole batch m1, m2, …, mh and the counter c, after which the hash is reset and the counter advanced.
(Figure labels: m1, m2, …, mh flowing into the Logger; Auditor)
Auditing
1) CENTRALIZED AUDITING
2) DECENTRALIZED AUDITING
Decentralized Auditing
(Figure: every node runs as Logger+Auditor.)
Auditor z holds pk_v -> public key of v.
Logger v (ENCLAVE) holds σ = Sig_sk_v(Hash(m1 || … || mh || c)).
1. Auditor z sends an audit challenge to Logger v.
2. Logger v returns the logs and σ.
Verification(σ, m1, …, mh, c):
H = Hash(m1 || … || mh || c)
result = Ver_pk_v(σ, H)
Security Analysis
Logger v (ENCLAVE) state: sk // secret key, c // counter, H // current hash
Logging: H.Update(m_i)
Commitment: H.Update(c); σ = Sig_sk(H); H.Init(); c++
Attack pattern:
1. Initial Access
2. Establish Foothold
3. Download Exploit
4. Privilege Escalation
5. Log tampering
The enclave's running hash H already covers the genuine records m1, m2, …, mh. Log tampering in step 5 rewrites only the untrusted stored log, which now reads m'1, m'2, …, m'k; the enclave's commitment still signs the hash of the genuine records.
Auditor (ENCLAVE) Verification(σ, m'1, …, m'k, c):
H = Hash(m'1 || … || m'k || c)
result = Ver_pk_v(σ, H)
Because σ was produced over Hash(m1 || … || mh || c), the hash recomputed from the tampered records does not match and the verification fails, which exposes the tampering.
Full security analysis in the paper!
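The enclave's Logging and Commitment steps and the auditor's Verification, run through the security-analysis scenario above, as an added example that is not the Custos code (the project's own implementation is at the Bitbucket URL in the conclusion). It assumes Ed25519 for Sig/Ver and SHA-256 for Hash, since the slides name neither, and length-prefixes each record, which the slides' formula does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
)

// LoggerEnclave models the enclave state on the slides: sk (signing key),
// c (commitment counter) and H (running hash). Everything outside this
// struct plays the untrusted OS, which the attacker controls after step 4.
type LoggerEnclave struct {
	sk ed25519.PrivateKey
	c  uint64
	h  hash.Hash
}

// NewLoggerEnclave generates sk inside the "enclave" and hands out pk_v,
// the public key the auditor holds ("pk_v -> public key of v").
func NewLoggerEnclave() (*LoggerEnclave, ed25519.PublicKey, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &LoggerEnclave{sk: sk, c: 0, h: sha256.New()}, pk, nil
}

// absorb feeds one record into a hash. The 8-byte length prefix is an
// addition to the slides' plain m1||...||mh: without it "ab","c" and
// "a","bc" would hash identically and a boundary shift would go unnoticed.
func absorb(h hash.Hash, m []byte) {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(m)))
	h.Write(n[:])
	h.Write(m)
}

// Log is "Logging: H.Update(m_i)". The record itself lands in the untrusted
// log file; only the running hash stays inside the enclave.
func (e *LoggerEnclave) Log(m []byte) { absorb(e.h, m) }

// Commit is "Commitment: H.Update(c); sigma = Sig_sk(H); H.Init(); c++".
// It returns sigma and the counter value the signature covers.
func (e *LoggerEnclave) Commit() (sigma []byte, c uint64) {
	var cb [8]byte
	binary.BigEndian.PutUint64(cb[:], e.c)
	e.h.Write(cb[:])
	sigma = ed25519.Sign(e.sk, e.h.Sum(nil))
	c = e.c
	e.h.Reset() // H.Init(): the next batch starts from a fresh hash
	e.c++
	return sigma, c
}

// Verify is the auditor's "Verification(sigma, m1, ..., mh, c)":
// recompute H = Hash(m1 || ... || mh || c) and check Ver_pk_v(sigma, H).
func Verify(pk ed25519.PublicKey, sigma []byte, msgs [][]byte, c uint64) bool {
	h := sha256.New()
	for _, m := range msgs {
		absorb(h, m)
	}
	var cb [8]byte
	binary.BigEndian.PutUint64(cb[:], c)
	h.Write(cb[:])
	return ed25519.Verify(pk, h.Sum(nil), sigma)
}

// Scenario replays the slides' security analysis: the enclave commits to the
// genuine records m1..mh, the attacker rewrites the untrusted log to m'1..m'k,
// and the auditor verifies sigma against both versions.
func Scenario() (bool, bool, error) {
	enclave, pk, err := NewLoggerEnclave()
	if err != nil {
		return false, false, err
	}
	// Constructed sample audit records; not taken from the paper's dataset.
	genuine := [][]byte{
		[]byte("execve /usr/bin/firefox uid=1000"),
		[]byte("open /tmp/drakon O_CREAT uid=1000"),
		[]byte("setuid 0 pid=4242"),
	}
	for _, m := range genuine {
		enclave.Log(m)
	}
	sigma, c := enclave.Commit()
	// Log tampering: the now-privileged attacker drops the setuid record.
	tampered := genuine[:2]
	return Verify(pk, sigma, genuine, c), Verify(pk, sigma, tampered, c), nil
}

func main() {
	genuineOK, tamperedOK, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine log verifies: %v, tampered log verifies: %v\n", genuineOK, tamperedOK)
}
```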
Microbenchmarks
(Figure: Logging Latency (μs) on a log-scale axis from 0.001 to 100000, comparing Custos, SGX-Log¹ and BGLS².)
¹ Karande et al. "SGX-Log: Securing System Logs With SGX." ASIACCS 2017.
² Hartung et al. "Practical and Robust Secure Logging from Fault-Tolerant Sequential Aggregate Signatures." ProvSec 2017.
Application Benchmarks
(Figure: Normalized Runtime, y-axis from 0 to 1.2, of Insecure vs. Custos for nginx, apache2, redis, blast and blast-multicore.)
Realistic Case Study
• Deploy Custos on 100 nodes.
• Replay attack from DARPA Transparent Computing engagement:
  – Professional red team emulating a nation-state attacker.
Timeline of the replayed attack:
10:52
1. Failed Compromise Attempt (Exploit of Firefox 54.0.1)
2. Initial Access (Exploit of Firefox 54.0.1)
3. Unprivileged Shell
11:42
Complete the attack
11:46
11:46:17
4. Download Drakon
5. Privilege Escalation (through Drakon binary)
6. Log Tampering
11:46:44
11:46:47 Custos' auditing discovered log tampering!
Conclusion
• Log integrity is important.
• Custos is a practical solution for log integrity.
• Custos can discover log tampering in near real-time.
• https://bitbucket.org/sts-lab/custos