Auditing Frameworks Need Resource Isolation: A Systematic Study on the Super Producer Threat to System Auditing and Its Mitigation
Peng Jiang, Ruizhe Huang, Ding Li, Yao Guo, Xiangqun Chen, Jianhai Luan, Yuxin Ren, Xinwei Hu

TL;DR
This paper systematically studies the super producer threat in system auditing frameworks, revealing the need for resource isolation, and proposes NODROP, a new architecture that enhances security with minimal performance overhead.
Contribution
The paper identifies the lack of data isolation as a key vulnerability and introduces NODROP, a threadlet-based architecture that isolates provenance data to mitigate the super producer threat.
Findings
NODROP maintains auditing integrity against super producer attacks.
NODROP incurs on average 6.58% higher application overhead than vanilla Linux and 6.30% lower overhead than Sysdig.
Effective data isolation improves auditing security without significant performance loss.
Abstract
System auditing is a crucial technique for detecting APT attacks. However, attackers may try to compromise the system auditing framework itself to conceal their malicious activities. In this paper, we present a comprehensive and systematic study of the super producer threat in auditing frameworks, which enables attackers to either corrupt the auditing framework or paralyze the entire system. Our analysis shows that the main cause of the super producer threat is the lack of data isolation in the centralized architecture of existing solutions. To address this threat, we propose a novel auditing framework, NODROP, which isolates the provenance data generated by different processes through a threadlet-based architecture design. Our evaluation demonstrates that NODROP can ensure the integrity of the auditing framework while incurring an average 6.58% higher application overhead compared to vanilla Linux and…
Taxonomy
Topics: Scientific Computing and Data Management · Software System Performance and Reliability · Digital and Cyber Forensics
