Better Logging through Formality
We rely on programs that consume audit logs to do so successfully (a robustness issue) and form the correct interpretations of the input (a semantic issue). The vendor’s documentation of the log format is an important part of the specification for any log consumer. As a specification, it is subject to improvement using formal specification techniques. This work presents a methodology for formalizing and refining the description of an audit log to improve robustness and semantic accuracy of programs that use the log. Ideally applied during design of a new format, the methodology is also profitably applied to existing log formats. Its application to Solaris BSM (an existing, commercial format) demonstrated utility by detecting ambiguities or errors of several types in the documentation or implementation of BSM logging, and identifying opportunities to improve the content of the logs. The products of this work are the methodology itself for use in refining other log formats and their consumers, and an annotated, machine-readable grammar for Solaris BSM that can be used by the community to quickly construct applications that consume BSM logs.
Keywordslog formal specification documentation reliability interoperability CIDF BSM grammar
Unable to display preview. Download preview PDF.
- Matt Bishop. A standard audit trail format. In Proceedings of the 1995 National Information Systems Security Conference, pages 136–145, Baltimore, Maryland, October 1995.Google Scholar
- Mark Crosbie, Bryn Dole, Todd Ellis, Ivan Krsul, and Eugene Spafford. IDIOT users guide. Technical Report TR-96-050, Purdue University, September 1996.Google Scholar
- J. Gosling, B. Joy, and G. Steele. The Java Language Specification. Addison-Wesley, 1996.Google Scholar
- John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 1979.Google Scholar
- Koral Ilgun. USTAT: A Real-Time Intrusion Detection System for UNIX. MS thesis, University of California, Santa Barbara, November 1992.Google Scholar
- SRI International. EMERALD website. http://www.sdl.sri.com/emerald/, April 2000.
- Ulf Lindqvist and Phillip A. Porras. Detecting computer and network misuse through the production-based expert system toolset (P-BEST). In Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, October 1999.Google Scholar
- Sun Microsystems. SunSHIELD Basic Security Module Guide. Sun Microsystems, 901 San Antonio Road, Palo Alto, California, Solaris 2.6 edition, 1997. Part Number 802-5757-10.Google Scholar
- P. Mockapetris. Domain names-concepts and facilities. STD 13, ISI, November 1987.Google Scholar
- Abdelaziz Mounji. Languages and Tools for Rule-Based Distributed Intrusion Detection. D.Sc. thesis, Universitaires Notre-Dame de la Paix Namur (Belgium), September 1997.Google Scholar
- Terence Parr. ANTLR website. http://www.antlr.org/, February 2000.
- Terence John Parr. Obtaining Practical Variants of LL(k) and LR(k) for k > 1 by Splitting the Atomic k-tuple. PhD thesis, Purdue University, August 1993.Google Scholar
- Manfred Ruschitzka. Two-level grammars for data conversions. Future Generation Computer Systems, pages 373–380, 1990.Google Scholar
- Brian Tung. Common intrusion detection framework. http://www.gidos.org/, November 1999.