System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing the machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains, (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS.
This work demonstrates how commodity audit frameworks can be adapted to RTS, using Linux Audit as a case study. The volume of audit events generated by commodity frameworks is unsustainable within the temporal and resource constraints of real-time (RT) applications. Ellipsis, a set of kernel-based reduction techniques that leverage the periodic repetitive nature of RT applications, aggressively reduces the costs of system-level auditing. Ellipsis generates succinct descriptions of RT applications' expected activity while retaining a detailed record of unexpected activities, enabling analysis of suspicious activity while meeting temporal constraints. Our evaluation of Ellipsis, using ArduPilot (an open-source autopilot application suite) demonstrates up to 93% reduction in audit log generation.
- JournalSystem Auditing for Real-Time SystemsACM Trans. Priv. Secur., Sep 2023
- PreprintEllipsis: Towards Efficient System Auditing for Real-Time SystemsarXiv preprint arXiv:2208.02699, Sep 2022
- ConferenceTowards Efficient Auditing for Real-Time SystemsIn European Symposium on Research in Computer Security, Sep 2022