
Towards Efficient Auditing for Real-Time Systems

  • Conference paper
  • Computer Security – ESORICS 2022 (ESORICS 2022)

Abstract

System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS.

In this paper, we demonstrate how to adapt commodity audit frameworks to RTS. Using Linux Audit as a case study, we first demonstrate that the volume of audit events generated by commodity frameworks is unsustainable within the temporal and resource constraints of real-time (RT) applications. To address this, we present Ellipsis, a set of kernel-based reduction techniques that leverage the periodic, repetitive nature of RT applications to aggressively reduce the costs of system-level auditing. Ellipsis generates succinct descriptions of RT applications’ expected activity while retaining a detailed record of unexpected activities, enabling analysis of suspicious activity while meeting temporal constraints. Our evaluation of Ellipsis using ArduPilot (an open-source autopilot application suite) demonstrates up to 93% reduction in audit log generation.
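The reduction idea the abstract describes, as an added illustration that is not the paper's kernel code: a periodic task's expected per-iteration syscall sequence serves as a template, each full match collapses to one summary record, and any deviation is kept verbatim. The template, the event format and the sample stream are constructed for this example; the matching logorithm is a simplified user-space sketch, not Ellipsis' own implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    seq: int       # record sequence number (constructed)
    syscall: str   # audited syscall name, e.g. "read"


# Constructed template: the syscall sequence one loop iteration of a periodic
# task is expected to produce (sensor read, actuator write, telemetry out/in).
TEMPLATE = ("read", "write", "sendto", "recvfrom")


def reduce_log(events, template):
    """Collapse each complete run of `template` into one summary tuple
    ("TEMPLATE_MATCH", first_seq, last_seq). Anything that deviates from the
    template is emitted verbatim so the unexpected activity stays auditable."""
    out, pending = [], []   # pending: events matched so far in this iteration
    for ev in events:
        if ev.syscall != template[len(pending)]:
            out.extend(pending)      # deviation: partial iteration kept in full
            pending = []
            if ev.syscall != template[0]:
                out.append(ev)       # unexpected syscall retained verbatim
                continue
        pending.append(ev)           # event fits the template so far
        if len(pending) == len(template):
            out.append(("TEMPLATE_MATCH", pending[0].seq, pending[-1].seq))
            pending = []
    out.extend(pending)              # trailing partial iteration kept verbatim
    return out


def make_events(iterations):
    """Build a constructed audit stream from per-iteration syscall lists."""
    flat = [sc for it in iterations for sc in it]
    return [AuditEvent(i, s) for i, s in enumerate(flat)]


# Constructed sample: three clean iterations, one iteration in which an
# unexpected execve appears mid-loop, then one more clean iteration.
SAMPLE = make_events([list(TEMPLATE)] * 3
                     + [["read", "write", "execve", "sendto", "recvfrom"]]
                     + [list(TEMPLATE)])


def reduction_ratio(events, reduced):
    """Fraction of records saved by the reduction."""
    return 1 - len(reduced) / len(events)


if __name__ == "__main__":
    reduced = reduce_log(SAMPLE, TEMPLATE)
    for record in reduced:
        print(record)
    print(f"{len(SAMPLE)} events -> {len(reduced)} records "
          f"({reduction_ratio(SAMPLE, reduced):.0%} reduction)")
```

The iteration containing the stray execve survives in full (including the two template-conforming calls that preceded it), while the four clean iterations shrink to one record each.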


Notes

  1. https://bitbucket.org/sts-lab/ellipsis.

  2. A technical report with supplementary material for this work is available [10].

  3. Specifically, our ruleset audits execve, read, readv, write, writev, sendto, recvfrom, sendmsg, recvmsg, mmap, mprotect, link, symlink, clone, fork, vfork, open, close, creat, openat, mknodat, mknod, dup, dup2, dup3, bind, accept, accept4, connect, rename, setuid, setreuid, setresuid, chmod, fchmod, pipe, pipe2, truncate, ftruncate, sendfile, unlink, unlinkat, socketpair, splice, init_module, and finit_module.

  4. Frequency values are chosen based on application support: https://ardupilot.org/copter/docs/parameters-Copter-stable-V4.1.0.html#sched-loop-rate-scheduling-main-loop-rate.

  5. A technical report with further evaluations, template examples, security demonstrations and an expanded RTS properties survey is available [10].

References

  1. System auditing (2018). https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

  2. Raspberry Pi Linux 4.19 Preempt RT (2019). https://github.com/raspberrypi/linux/tree/rpi-4.19.y-rt

  3. Embedded Linux (2020). https://elinux.org/Main_Page

  4. The instrumented microkernel (2020). http://www.qnx.com/developers/docs/6.4.1/neutrino/sys_arch/trace.html

  5. Tracealyzer for VxWorks (2020). http://percepio.com/docs/VxWorks/manual/

  6. Navio2 board (2021). https://navio2.emlid.com/

  7. Akesson, B., et al.: An empirical survey-based study into industry practice in real-time systems. In: IEEE Real-Time Systems Symposium. IEEE (2020)

  8. Anderson, M.: Securing embedded Linux (2020). https://elinux.org/images/5/54/Manderson4.pdf

  9. ArduPilot Development Team and Community: ArduPilot (2020). http://ardupilot.org/

  10. Bansal, A., et al.: Ellipsis: towards efficient system auditing for real-time systems (2022). https://doi.org/10.48550/ARXIV.2208.02699

  11. Bates, A., et al.: Take only what you need: leveraging mandatory access control policy to reduce provenance storage costs. In: 7th Workshop on the Theory and Practice of Provenance, TaPP 2015 (2015)

  12. Bates, A., et al.: Trustworthy whole-system provenance for the Linux kernel. In: Proceedings of the 24th USENIX Security Symposium (2015)

  13. Bates, A., et al.: Taming the costs of trustworthy provenance through policy reduction. ACM Trans. Internet Technol. 17(4), 34:1–34:21 (2017)

  14. Begg, R.: Step up cyber hygiene: secure access to medical devices (2020). http://www.machinedesign.com/medical-design/article/21128232/step-up-cyber-hygiene-secure-access-to-medical-devices

  15. Ben, Y., et al.: T-Tracker: compressing system audit log by taint tracking. In: 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), pp. 1–9 (2018)

  16. Böhm, K., et al.: New developments on EDR (event data recorder) for automated vehicles. Open Eng. 10(1), 140–146 (2020)

  17. Bose, U.: The black box solution to autonomous liability. Wash. U. L. Rev. (2014)

  18. Brandenburg, B., Anderson, J.: Feather-Trace: a lightweight event tracing toolkit. In: Proceedings of the Third International Workshop on Operating Systems Platforms for Embedded Real-Time Applications, pp. 19–28 (2007)

  19. Burguiere, C., Rochange, C.: History-based schemes and implicit path enumeration. In: 6th International Workshop on Worst-Case Execution Time Analysis (WCET 2006). Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2006)

  20. Carbon Black: Global incident response threat report (2018). http://www.carbonblack.com/global-incident-response-threat-report/november-2018/. Accessed 20 Apr 2019

  21. Casimiro, A., et al.: How to build a timely computing base using real-time Linux. In: 2000 IEEE International Workshop on Factory Communication Systems. Proceedings (Cat. No. 00TH8531), pp. 127–134. IEEE (2000)

  22. Chen, C., et al.: Distributed provenance compression. In: Proceedings of the 2017 ACM International Conference on Management of Data, pp. 203–218 (2017)

  23. Chen, C.Y., et al.: Schedule-based side-channel attack in fixed-priority real-time systems. Technical report (2015)

  24. Correia, M., Veríssimo, P., Neves, N.F.: The design of a COTS real-time distributed security kernel. In: Bondavalli, A., Thevenod-Fosse, P. (eds.) EDCC 2002. LNCS, vol. 2485, pp. 234–252. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36080-8_21

  25. Crane, C.: Automotive cyber security: a crash course on protecting cars against hackers (2020). https://www.thesslstore.com/blog/automotive-cyber-security-a-crash-course-on-protecting-cars-against-hackers/

  26. Day, R., Slonosky, M.: Securing connected embedded devices using built-in RTOS security (2020). http://mil-embedded.com/articles/securing-connected-embedded-devices-using-built-in-rtos-security/

  27. Department of Homeland Security: Cyber physical systems security (2020). www.dhs.gov/science-and-technology/cpssec

  28. Gehani, A., Tariq, D.: SPADE: support for provenance auditing in distributed environments. In: Proceedings of the 13th International Middleware Conference, Middleware 2012 (2012)

  29. Gurgen, L., et al.: Self-aware cyber-physical systems and applications in smart buildings and cities. In: 2013 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1149–1154. IEEE (2013)

  30. Gustafsson, J., Ermedahl, A.: Experiences from applying WCET analysis in industrial settings. In: 10th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing, pp. 382–392. IEEE (2007)

  31. Hahad, M.: IoT proliferation and widespread 5G: a perfect botnet storm (2020). http://www.scmagazine.com/home/opinion/executive-insight/iot-proliferation-and-widespread-5g-a-perfect-botnet-storm/

  32. Hassan, W.U., et al.: Towards scalable cluster auditing through grammatical inference over provenance graphs. In: Proceedings of the 25th ISOC Network and Distributed System Security Symposium, NDSS 2018, San Diego, CA, USA (2018)

  33. Hassan, W.U., et al.: NoDoze: combatting threat alert fatigue with automated provenance triage. In: 26th ISOC Network and Distributed System Security Symposium, NDSS 2019 (2019)

  34. Hassan, W.U., et al.: OmegaLog: high-fidelity attack investigation via transparent multi-layer log analysis. In: 27th ISOC Network and Distributed System Security Symposium, NDSS 2020 (2020)

  35. Hatton, L.: Safer language subsets: an overview and a case history, MISRA C. Inf. Softw. Technol. 46(7), 465–472 (2004)

  36. Hayes, J.: Hackers under the hood (2020). https://eandt.theiet.org/content/articles/2020/03/hackers-under-the-hood/

  37. Hossain, M.N., et al.: Dependence-preserving data compaction for scalable forensic analysis. In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC 2018, pp. 1723–1740. USENIX Association, Berkeley (2018)

  38. Kohei, K.: Recent security features and issues in embedded systems (2020). https://elinux.org/Images/e/e2/ELC2008_KaiGai.pdf

  39. Konrad, S., Cheng, B.H.: Real-time specification patterns. In: Proceedings of the 27th International Conference on Software Engineering, pp. 372–381 (2005)

  40. Kwon, Y., et al.: MCI: modeling-based causality inference in audit logging for attack investigation. In: Proceedings of the 25th Network and Distributed System Security Symposium (NDSS 2018) (2018)

  41. Lee, I., et al.: Challenges and research directions in medical cyber-physical systems. Proc. IEEE 100(1), 75–90 (2011)

  42. Lee, K.H., et al.: High accuracy attack provenance via binary-based execution partition. In: Proceedings of NDSS 2013 (2013)

  43. Lee, K.H., et al.: LogGC: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 1005–1016. ACM, New York (2013)

  44. Li, Y.T.S., Malik, S.: Performance analysis of embedded software using implicit path enumeration. In: Proceedings of the ACM SIGPLAN 1995 Workshop on Languages, Compilers, & Tools for Real-Time Systems, pp. 88–98 (1995)

  45. Liu, C.L., Layland, J.W.: Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973)

  46. Liu, Y., et al.: Towards a timely causality analysis for enterprise security. In: NDSS (2018)

  47. Ma, S., et al.: Accurate, low cost and instrumentation-free security audit logging for Windows. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pp. 401–410. ACM, New York (2015)

  48. Ma, S., et al.: ProTracer: towards practical provenance tracing by alternating between logging and tainting. In: NDSS (2016)

  49. Ma, S., et al.: ProTracer: towards practical provenance tracing by alternating between logging and tainting. In: Proceedings of NDSS 2016 (2016)

  50. Ma, S., et al.: MPI: multiple perspective attack investigation with semantic aware execution partitioning. In: 26th USENIX Security Symposium (2017)

  51. Ma, S., et al.: Kernel-supported cost-effective audit logging for causality tracking. In: 2018 USENIX Annual Technical Conference (USENIX ATC 2018), pp. 241–254. USENIX Association, Boston (2018)

  52. Milajerdi, S.M., et al.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos (2019)

  53. Monostori, L., et al.: Cyber-physical systems in manufacturing. CIRP Ann. 65(2), 621–641 (2016)

  54. Paccagnella, R., et al.: Custos: practical tamper-evident auditing of operating systems using trusted execution. In: 27th ISOC Network and Distributed System Security Symposium, NDSS 2020 (2020)

  55. Perlroth, N., Sanger, D.E.: Cyberattacks put Russian fingers on the switch at power plants, U.S. says (2018). https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html

  56. Pohly, D., et al.: Hi-Fi: collecting high-fidelity whole-system provenance. In: Proceedings of the 2012 Annual Computer Security Applications Conference, ACSAC 2012, Orlando, FL, USA (2012)

  57. Puschner, P., Burns, A.: Writing temporally predictable code. In: Proceedings of the Seventh IEEE International Workshop on Object-Oriented Real-Time Dependable Systems (WORDS 2002), pp. 85–91. IEEE (2002)

  58. Rajkumar, R., et al.: Cyber-physical systems: the next computing revolution. In: Design Automation Conference, pp. 731–736. IEEE (2010)

  59. Sandell, D., Ermedahl, A., Gustafsson, J., Lisper, B.: Static timing analysis of real-time operating system code. In: Margaria, T., Steffen, B. (eds.) ISoLA 2004. LNCS, vol. 4313, pp. 146–160. Springer, Heidelberg (2006). https://doi.org/10.1007/11925040_10

  60. Shepherd, D.: Industry 4.0: the development of unique cybersecurity (2020). https://manufacturingdigital.com/technology/industry-40-development-unique-cybersecurity

  61. Slabodkin, G.: Coronavirus chaos ripe for hackers to exploit medical device vulnerabilities (2020). https://www.medtechdive.com/news/coronavirus-chaos-ripe-for-hackers-to-exploit-medical-device-vulnerabilitie/575717/

  62. Song, J., Parmer, G.: C’mon: a predictable monitoring infrastructure for system-level latent fault detection and recovery. In: 21st IEEE Real-Time and Embedded Technology and Applications Symposium, pp. 247–258. IEEE (2015)

  63. Sundaram, V., et al.: Prius: generic hybrid trace compression for wireless sensor networks. In: Proceedings of the 10th ACM Conference on Embedded Network Sensor Systems, pp. 183–196 (2012)

  64. SUSE LINUX AG: Linux Audit-Subsystem Design Documentation for Linux Kernel 2.6, v0.1 (2004). http://uniforumchicago.org/slides/HardeningLinux/LAuS-Design.pdf

  65. Tang, Y., et al.: NodeMerge: template based efficient data reduction for big-data causality analysis. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 1324–1337. ACM, New York (2018)

  66. The Linux Foundation: Real-Time Linux (2018). https://wiki.linuxfoundation.org/realtime/start

  67. The MITRE Corporation: Medical device cybersecurity (2018). https://www.mitre.org/sites/default/files/2021-11/prs-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

  68. Tian, D.J., et al.: ProvUSB: block-level provenance-based data protection for USB storage devices. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York (2016)

  69. Veríssimo, P., Casimiro, A.: The timely computing base model and architecture. IEEE Trans. Comput. 51(8), 916–930 (2002)

  70. Veríssimo, P., et al.: The timely computing base: timely actions in the presence of uncertain timeliness. In: Proceedings of the International Conference on Dependable Systems and Networks, DSN 2000, pp. 533–542. IEEE (2000)

  71. Wang, L.: PID Control System Design and Automatic Tuning Using MATLAB/Simulink. John Wiley & Sons, Hoboken (2020)

  72. Wang, Q., et al.: Fear and logging in the internet of things. In: Proceedings of the 25th ISOC Network and Distributed System Security Symposium, NDSS 2018 (2017)

  73. Wu, Y., et al.: Zeno: diagnosing performance problems with temporal provenance. In: 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI 19), pp. 395–420. USENIX Association, Boston (2019)

  74. Xu, Z., et al.: High fidelity data reduction for big data security dependency analyses. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 504–516. ACM, New York (2016)

  75. Yagemann, C., et al.: Validating the integrity of audit logs against execution repartitioning attacks. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021 (2021)

  76. Yoon, M.K., et al.: Learning execution contexts from system call distribution for anomaly detection in smart embedded system. In: Proceedings of the Second International Conference on Internet-of-Things Design and Implementation (2017)


Acknowledgements

The material presented in this paper is based upon work supported by the Office of Naval Research (ONR) under grant number N00014-17-1-2889 and the National Science Foundation (NSF) under grant numbers CNS 1750024, CNS 1932529, CNS 1955228, CNS 2055127, CNS 2145787 and CNS 2152768. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the sponsors.

Author information

Corresponding author: Ayoosh Bansal.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Bansal, A., Kandikuppa, A., Chen, CY., Hasan, M., Bates, A., Mohan, S. (2022). Towards Efficient Auditing for Real-Time Systems. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_30

  • DOI: https://doi.org/10.1007/978-3-031-17143-7_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7

  • eBook Packages: Computer Science (R0)
