FOX: Hardware-Assisted File Auditing for Direct Access NVM-Hosted Filesystems
Mao Ye

TL;DR
FOX introduces a hardware-assisted scheme for precise, low-overhead auditing of file access events in NVM-hosted filesystems, addressing limitations of traditional software-based auditing methods.
Contribution
The paper presents FOX, a hardware-assisted auditing scheme that enables fine-grained, flexible, and efficient monitoring of file system operations on NVM, with minimal performance impact.
Findings
FOX achieves accurate file access auditing with low overhead.
Prototyping on Gem5 shows acceptable performance trade-offs.
Compared to software schemes, FOX offers enhanced security and efficiency.
Abstract
With emerging non-volatile memories entering the mainstream market, several operating systems have started to incorporate new changes and optimizations. One major form of OS support is direct access for files, which enables efficient access to files hosted in byte-addressable NVM systems. With DAX-enabled filesystems, files can be accessed directly, similar to memory, with typical load/store operations. Despite its efficiency, the frequently used direct-access system call is troublesome for system auditing. File system auditing is mandatory and widely used because audit logs can help detect anomalies and suspicious file accesses, or be used as evidence in digital forensics. However, the frequent and long-lived use of the direct-access call blinds the operating system or file system from tracking process operations on shared files after the initial page faults. This might result in imprecise…
Taxonomy
Topics: Security and Verification in Computing · Advanced Data Storage Technologies · Network Security and Intrusion Detection
