RTS Auditing | Ayoosh Bansal

System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing the machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains, (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS.

This work demonstrates how commodity audit frameworks can be adapted to RTS, using Linux Audit as a case study. The volume of audit events generated by commodity frameworks is unsustainable within the temporal and resource constraints of real-time (RT) applications. Ellipsis, a set of kernel-based reduction techniques that leverage the periodic repetitive nature of RT applications, aggressively reduces the costs of system-level auditing. Ellipsis generates succinct descriptions of RT applications' expected activity while retaining a detailed record of unexpected activities, enabling analysis of suspicious activity while meeting temporal constraints. Our evaluation of Ellipsis, using ArduPilot (an open-source autopilot application suite) demonstrates up to 93% reduction in audit log generation.

References

2023

Journal
System Auditing for Real-Time Systems

Ayoosh Bansal, Anant Kandikuppa, Monowar Hasan, Chien-Ying Chen, Adam Bates, and Sibin Mohan

ACM Trans. Priv. Secur., Sep 2023

Abs Bib PDF Code

System auditing is an essential tool for detecting malicious events and conducting forensic analysis. Although used extensively on general-purpose systems, auditing frameworks have not been designed with consideration for the unique constraints and properties of Real-Time Systems (RTS). System auditing could provide tremendous benefits for security-critical RTS. However, a naı̈ve deployment of auditing on RTS could violate the temporal requirements of the system while also rendering auditing incomplete and ineffectual. To ensure effective auditing that meets the computational needs of recording complete audit information while adhering to the temporal requirements of the RTS, it is essential to carefully integrate auditing into the real-time (RT) schedule. This work adapts the Linux Audit framework for use in RT Linux by leveraging the common properties of such systems, such as special purpose and predictability. Ellipsis, an efficient system for auditing RTS is devised that learns the expected benign behaviors of the system and generates succinct descriptions of the expected activity. Evaluations using varied RT applications show that Ellipsis reduces the volume of audit records generated during benign activity by up to 97.55%, while recording detailed logs for suspicious activities. Empirical analyses establish that the auditing infrastructure adheres to the properties of predictability and isolation that are important to RTS. Furthermore, the schedulability of RT task sets under audit is comprehensively analyzed to enable the safe integration of auditing in RT task schedules.
@article{bansal2023system, address = {New York, NY, USA}, author = {Bansal, Ayoosh and Kandikuppa, Anant and Hasan, Monowar and Chen, Chien-Ying and Bates, Adam and Mohan, Sibin}, doi = {10.1145/3625229}, issn = {2471-2566}, journal = {ACM Trans. Priv. Secur.}, keywords = {security auditing, model-based reduction, cyber-physical systems}, month = sep, publisher = {Association for Computing Machinery}, title = {System Auditing for Real-Time Systems}, url = {https://doi.org/10.1145/3625229}, year = {2023} }

2022

Preprint

Ellipsis: Towards Efficient System Auditing for Real-Time Systems

Ayoosh Bansal, Anant Kandikuppa, Chien-Ying Chen, Monowar Hasan, Adam Bates, and Sibin Mohan

arXiv preprint arXiv:2208.02699, Sep 2022

arXiv Bib PDF

@article{bansal2022ellipsis,
  title = {Ellipsis: Towards Efficient System Auditing for Real-Time Systems},
  author = {Bansal, Ayoosh and Kandikuppa, Anant and Chen, Chien-Ying and Hasan, Monowar and Bates, Adam and Mohan, Sibin},
  journal = {arXiv preprint arXiv:2208.02699},
  year = {2022},
}

Conference

Towards Efficient Auditing for Real-Time Systems

Ayoosh Bansal, Anant Kandikuppa, Chien-Ying Chen, Monowar Hasan, Adam Bates, and Sibin Mohan

In European Symposium on Research in Computer Security, Sep 2022

Bib PDF Code Slides

@inproceedings{bansal2022towards,
  title = {Towards Efficient Auditing for Real-Time Systems},
  author = {Bansal, Ayoosh and Kandikuppa, Anant and Chen, Chien-Ying and Hasan, Monowar and Bates, Adam and Mohan, Sibin},
  booktitle = {European Symposium on Research in Computer Security},
  pages = {614--634},
  year = {2022},
  organization = {Springer Nature Switzerland Cham},
}