Ellipsis: Towards Efficient System Auditing for Real-Time Systems
Ayoosh Bansal, Anant Kandikuppa, Chien-Ying Chen, Monowar Hasan, Adam Bates, Sibin Mohan

TL;DR
Ellipsis is a kernel-based approach that reduces audit log volume in real-time systems by exploiting application periodicity, enabling effective security monitoring without violating temporal constraints.
Contribution
The paper introduces Ellipsis, a novel reduction technique for system auditing in real-time systems, adapting commodity frameworks to meet strict timing and resource requirements.
Findings
Achieves up to 93% reduction in audit log generation
Maintains detailed records of unexpected activities in RT systems
Demonstrates effectiveness on ArduPilot autopilot application
Abstract
System auditing is a powerful tool that provides insight into the nature of suspicious events in computing systems, allowing machine operators to detect and subsequently investigate security incidents. While auditing has proven invaluable to the security of traditional computers, existing audit frameworks are rarely designed with consideration for Real-Time Systems (RTS). The transparency provided by system auditing would be of tremendous benefit in a variety of security-critical RTS domains (e.g., autonomous vehicles); however, if audit mechanisms are not carefully integrated into RTS, auditing can be rendered ineffectual and violate the real-world temporal requirements of the RTS. In this paper, we demonstrate how to adapt commodity audit frameworks to RTS. Using Linux Audit as a case study, we first demonstrate that the volume of audit events generated by commodity frameworks is…
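The periodicity-based reduction that the TL;DR and abstract describe, as an added illustrative model rather than Ellipsis's own code: it assumes a profiling phase that learns one periodic task's per-period syscall sequence as a template, and a runtime phase that collapses each exact template match into a single reference record while logging any period that deviates in full. The task id, device paths and the use of `nanosleep` as the period boundary are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    pid: int
    syscall: str
    path: str = ""


def learn_template(profiling_events):
    """Profiling phase (assumed model): split the task's audit events into
    periods at each nanosleep (constructed period marker) and require every
    period to show the same syscall sequence; that sequence is the template."""
    periods, cur = [], []
    for e in profiling_events:
        cur.append((e.syscall, e.path))
        if e.syscall == "nanosleep":
            periods.append(tuple(cur))
            cur = []
    seq, n = Counter(periods).most_common(1)[0]
    if n != len(periods):
        raise ValueError("profiling periods disagree; template is not stable")
    return seq


def reduce_log(events, template):
    """Runtime phase: an exact template occurrence becomes one ("TEMPLATE", pid)
    record; every event that does not start a full match is kept verbatim, so a
    deviating period (e.g. an unexpected execve) is recorded in full detail."""
    out, i, n = [], 0, len(template)
    while i < len(events):
        window = tuple((e.syscall, e.path) for e in events[i:i + n])
        if window == template:
            out.append(("TEMPLATE", events[i].pid))
            i += n
        else:
            out.append(("RAW", events[i]))
            i += 1
    return out


def period(pid, extra=None):
    """One constructed control-loop period; `extra` injects an anomalous event."""
    ev = [AuditEvent(pid, "read", "/dev/gps"), AuditEvent(pid, "ioctl", "/dev/servo"),
          AuditEvent(pid, "write", "/dev/servo"), AuditEvent(pid, "nanosleep")]
    if extra:
        ev.insert(2, extra)
    return ev


PROFILE = period(100) * 3                      # three clean profiling periods
RUNTIME = (period(100) + period(100)
           + period(100, AuditEvent(100, "execve", "/bin/sh"))  # anomalous period
           + period(100))


def demo():
    """Returns (raw event count, reduced record count, reduced records)."""
    reduced = reduce_log(RUNTIME, learn_template(PROFILE))
    return len(RUNTIME), len(reduced), reduced
```

Here 17 raw events shrink to 8 records, and the execve period survives untouched while the three normal periods each collapse to one reference.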
Taxonomy
Topics: Software System Performance and Reliability · Advanced Malware Detection Techniques · Security and Verification in Computing
