A study of accountability in operating systems
Logging has become a fundamental feature of modern operating systems because it serves a wide variety of applications and purposes. The syslog daemon is the logging implementation on Unix/Linux platforms, while Windows Event Log is the logging implementation on Microsoft Windows platforms. These logging implementations provide APIs that simplify logging tasks, from data collection to data storage. First, we introduce accountable administration. Accountability implies that entities should be held responsible for their actions or behaviors, so that the entities become part of larger chains of accountability. Many security models and systems are built on the assumption that super users are trustworthy. However, it is challenging to hold super users accountable, since they can erase any trace of their activities. This chapter proposes an accountable administration model for operating systems in which all system administrators can be held accountable even if they are untrustworthy. The accountability policy and operating system primitives are designed and constructed so that the proposed model is provable.

Second, the flow-net model is introduced in order to achieve better accountability, which means that a logging system should be capable of capturing activities as well as the relationships among activities. Existing logging techniques record isolated events and rely on attributes and time stamps to establish their relationships, which can lead to the loss of event relationships in large and complex logs. In this chapter, we present the design of the flow-net methodology and its implementation in a current operating system such as Linux. We demonstrate that the flow-net logging technique is capable of preserving event relationships.

Finally, we evaluate the overhead introduced by the Linux Auditing Framework. Logging is a critical component of Linux auditing. The experiments indicate that the logging overhead can be significant.
The chapter aims to evaluate the performance overhead introduced by the Linux Audit Framework under various usage patterns. This study leads to an adaptive audit logging mechanism. Many security incidents and other important events are often accompanied by precursory events. We identify important precursory events, the vital signs of system activity, as the audit events that must always be recorded. We then design an adaptive auditing mechanism that increases or reduces the types and frequency of events collected, based on online analysis of the vital-sign events.
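As an added illustration of the adaptive auditing idea described above (this is example code written here, not the chapter's mechanism or any part of the Linux audit subsystem), the following Python replays constructed audit-style records: a small set of vital-sign event types is always kept, and a burst of failed logins inside a sliding window escalates to full logging until a cooldown period passes. The vital-sign set, thresholds and sample records are assumptions for the example only.

```python
import re
from collections import deque
# Constructed audit-style records (values made up, not from the chapter);
# the layout follows the Linux audit text format.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1700000000.100:1): pid=501 uid=0 auid=1000 res=success
type=SYSCALL msg=audit(1700000001.000:2): syscall=59 pid=510 uid=1000 exe="/bin/ls"
type=USER_AUTH msg=audit(1700000002.300:3): pid=502 uid=0 auid=1000 res=failed
type=USER_AUTH msg=audit(1700000003.100:4): pid=503 uid=0 auid=1000 res=failed
type=USER_AUTH msg=audit(1700000004.500:5): pid=504 uid=0 auid=1000 res=failed
type=SYSCALL msg=audit(1700000005.000:6): syscall=59 pid=511 uid=1000 exe="/usr/bin/sudo"
type=SYSCALL msg=audit(1700000006.000:7): syscall=257 pid=511 uid=0 name="/etc/shadow"
type=USER_AUTH msg=audit(1700000200.000:8): pid=505 uid=0 auid=1000 res=success
"""
REC = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):\d+\):\s*(.*)')
# Assumed vital-sign set: precursor events that are recorded at every level.
VITAL_TYPES = {"USER_AUTH", "USER_ROLE_CHANGE", "ANOM_ABEND"}

def parse(line):
    """Turn one audit text record into a dict of its fields (None if malformed)."""
    m = REC.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"type": m.group(1), "ts": float(m.group(2)), **fields}

class AdaptiveAuditor:
    """Minimal level keeps only vital signs; a burst of failed logins inside
    `window` seconds switches to full logging until `cooldown` quiet seconds pass."""
    def __init__(self, threshold=3, window=60.0, cooldown=120.0):
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.failures, self.level, self.last_hot = deque(), "minimal", None

    def observe(self, ev):
        """Update the level from this event; return True if the event is recorded."""
        if ev["type"] == "USER_AUTH" and ev.get("res") == "failed":
            self.failures.append(ev["ts"])
        while self.failures and ev["ts"] - self.failures[0] > self.window:
            self.failures.popleft()          # forget failures outside the window
        if len(self.failures) >= self.threshold:
            self.level, self.last_hot = "full", ev["ts"]
        elif self.level == "full" and ev["ts"] - self.last_hot > self.cooldown:
            self.level = "minimal"           # quiet long enough: scale back down
        return self.level == "full" or ev["type"] in VITAL_TYPES

def run(log_text):
    """Replay a log; return (timestamp, type, level) for each record that is kept."""
    aud, kept = AdaptiveAuditor(), []
    for ev in filter(None, map(parse, log_text.splitlines())):
        if aud.observe(ev):
            kept.append((ev["ts"], ev["type"], aud.level))
    return kept
```

On the sample above the first SYSCALL record is discarded at the minimal level, the third failed login switches the auditor to full logging so the following sudo and /etc/shadow records are kept, and the quiet period before the last login drops the level back to minimal.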