System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activities after a break-in, covering their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared throughout the industry and the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks.
In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists of a tamper-evident logging layer and a decentralized auditing protocol. The former enables the verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. CUSTOS is made practical by the observation that we can decouple the costs of cryptographic log commitments from the act of creating and storing log events, without trading off security, leveraging features of off-the-shelf trusted execution environments. Supporting over one million events per second, we show that CUSTOS’ tamper-evident logging protocol is three orders of magnitude (1000x) faster than prior secure logging solutions, while incurring only between 2% and 7% runtime overhead over insecure logging on intensive workloads. Further, we show that CUSTOS’ auditing protocol can detect violations in near real-time even in the presence of a powerful dis- tributed adversary and with minimal (2.7%) network overhead. CUSTOS thus demonstrates a realistic path forward to achieving practical tamper-evident auditing of operating systems.