The HitchHiker's Guide to High-Assurance System Observability Protection with Efficient Permission Switches
Chuqi Zhang, Jun Zeng, Yiming Zhang, Adil Ahmad, Fengwei Zhang, Hai Jin, and Zhenkai Liang

TL;DR
HitchHiker offers a high-performance, low-delay, high-assurance log protection system using hardware permission switches, significantly outperforming existing methods in delay reduction and TCB minimization.
Contribution
It introduces a novel hardware-based permission switching approach for secure, real-time log protection with a minimal trusted computing base.
Findings
Reduces log protection delay by up to 99.3%.
Decreases TCB size by up to 26.9 times.
Imposes less than 6% overhead on real-world programs.
Abstract
Protecting system observability records (logs) from compromised OSs has gained significant traction in recent times, with several noteworthy approaches proposed. Unfortunately, none of the proposed approaches achieve high performance with tiny log protection delays. They also leverage risky environments for protection (e.g., many use general-purpose hypervisors or TrustZone, which have large TCB and attack surfaces). HitchHiker is an attempt to rectify this problem. The system is designed to ensure (a) in-memory protection of batched logs within a short and configurable real-time deadline by efficient hardware permission switching, and (b) an end-to-end high-assurance environment built upon hardware protection primitives with debloating strategies for secure log protection, persistence, and management. Security evaluations and validations show that HitchHiker reduces log protection delay…
