vCause: Efficient and Verifiable Causality Analysis for Cloud-based Endpoint Auditing

TL;DR

vCause is a system that ensures secure, efficient, and verifiable causality analysis in cloud endpoint auditing by using authenticated data structures to prevent tampering and verify results.

Contribution

It introduces vCause, combining graph accumulators and verifiable provenance graphs to enable secure, efficient causality analysis in untrusted cloud environments.

Findings

Achieves <1% overhead on endpoints

Achieves 3.36% overhead on the cloud

Provides formal security guarantees for causality verification

Abstract

In cloud-based endpoint auditing, security administrators often rely on the cloud to perform causality analysis over log-derived versioned provenance graphs to investigate suspicious attack behaviors. However, the cloud may be distrusted or compromised by attackers, potentially manipulating the final causality analysis results. Consequently, administrators may not accurately understand attack behaviors and fail to implement effective countermeasures. This risk underscores the need for a defense scheme to ensure the integrity of causality analysis. While existing tamper-evident logging schemes and trusted execution environments show promise for this task, they are not specifically designed to support causality analysis and thus face inherent security and efficiency limitations. This paper presents vCause, an efficient and verifiable causality analysis system for cloud-based endpoint auditing. vCause integrates two authenticated data structures: a graph accumulator and a verifiable provenance graph. The data structures enable validation of two critical steps in causality analysis: (i) querying a point-of-interest node on a versioned provenance graph, and (ii) identifying its causally related components. Formal security analysis and experimental evaluation show that vCause can achieve secure and verifiable causality analysis with only <1% computational overhead on endpoints and 3.36% on the cloud.