Shiqing Ma's guest appearances

Shiqing Ma

CERIAS Weekly Security Seminar - Purdue University

Ryan Henry

Cory Doctorow

Doug Smith

Larry Ponemon

George Heron

Laura Thomas

Eli Lilly

Stephen Elliott

Tony Sager

David Carroll

Jack Daniel

Joe Judge

Chris Reed

Richard III

John Richardson

OwlTail

The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It features a multi-layer caching scheme distributed in various kernel data structures, and uses the caches to detect and suppress redundant events. Our technique is designed to reduce the runtime overhead caused by transferring, processing, and writing logs, as well as the space overhead caused by storing them on disk. Compared to existing log reduction techniques that first generate the huge raw logs before reduction, our technique avoids generating redundant events at the first place. Our experimental results of the prototype KCAL (Kernel-supported Cost-effective Audit Logging) on one-month real-world workloads show that KCAL can reduce the runtime overhead from 40+% to 15-%, and reduce space consumption by 90% on average. KCAL achieves such a large reduction with 4% CPU consumption on average, whereas a state-of-the-art user space log-reduction technique has to occupy a processor with 95+% CPU consumption all the time. About the speaker: Shiqing Ma is a Ph.D. candidate from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. He received his B.E. from School of Software Engineering, Shanghai Jiao Tong University (SJTU) in 2013. His research focuses on system/software security, software engineering and machine learning. He is a recipient of the Bilsland Dissertation Fellowship and two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.

<p>The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It features a multi-layer caching scheme distributed in various kernel data structures, and uses the caches to detect and suppress redundant events. Our technique is designed to reduce the runtime overhead caused by transferring, processing, and writing logs, as well as the space overhead caused by storing them on disk. Compared to existing log reduction techniques that first generate the huge raw logs before reduction, our technique avoids generating redundant events at the first place. Our experimental results of the prototype KCAL (Kernel-supported Cost-effective Audit Logging) on one-month real-world workloads show that KCAL can reduce the runtime overhead from 40+% to 15-%, and reduce space consumption by 90% on average. KCAL achieves such a large reduction with 4% CPU consumption on average, whereas a state-of-the-art user space log-reduction technique has to occupy a processor with 95+% CPU consumption all the time. About the speaker: Shiqing Ma is a Ph.D. candidate from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. He received his B.E. from School of Software Engineering, Shanghai Jiao Tong University (SJTU) in 2013. His research focuses on system/software security, software engineering and machine learning. He is a recipient of the Bilsland Dissertation Fellowship and two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.</p>

Shiqing Ma, Kernel-Supported Cost-Effective Audit Logging for Causality Tracking

Operating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccrute causal graphs. This is because applications are not aware of the existence of the OS level audit systems, and can not provide its own context information. To solve this problem, we propose MPI (short for Multiple Perspective attack Investigation), a semantics aware program annotation and instrumentation technique to partition process executions based on the application specific high level task structures. It converts current applications to be provenance-aware, generates execution partitions with rich semantic information and provides multiple perspectives of an attack. We develop a prototype and integrate it with three different provenance systems: the Linux Audit system, ProTracer and the LPM-HiFi system. The evaluation results show that our technique generates simple and accurate attack graphs with rich high-level semantics and has much lower space and time overheads. About the speaker: Shiqing Ma is a Ph.D. student from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. His research focuses on system and software security especially data provenance problems. His past works include building low-overhead, cost-effective operating system level provenance systems, and automatically translating normal programs into provenance-aware programs to help assist accurate provenance analysis. He is a recipient of two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.

<p>Operating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccrute causal graphs. This is because applications are not aware of the existence of the OS level audit systems, and can not provide its own context information. To solve this problem, we propose MPI (short for Multiple Perspective attack Investigation), a semantics aware program annotation and instrumentation technique to partition process executions based on the application specific high level task structures. It converts current applications to be provenance-aware, generates execution partitions with rich semantic information and provides multiple perspectives of an attack. We develop a prototype and integrate it with three different provenance systems: the Linux Audit system, ProTracer and the LPM-HiFi system. The evaluation results show that our technique generates simple and accurate attack graphs with rich high-level semantics and has much lower space and time overheads. About the speaker: Shiqing Ma is a Ph.D. student from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. His research focuses on system and software security especially data provenance problems. His past works include building low-overhead, cost-effective operating system level provenance systems, and automatically translating normal programs into provenance-aware programs to help assist accurate provenance analysis. He is a recipient of two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.</p>

Shiqing Ma, MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning