Kernel Logging and Security: Evaluation of the Detail-Performance Relationship
Darcy Davis, Gregory Davis

What Should Be Logged?
- Logging system events aids evaluation of security threats and breaches (detection, reconstruction).
- Logging is not free: CPU time, memory, disk space.

What Should Be Logged?
- Goal: find the optimal balance between the benefit of the data and its cost in resources.
- The relationship is not a simple tradeoff.
- Most studies focus either on maximizing performance or on maximizing information gained.

Our Ideas
- Empirical methods for measuring cost and benefit.
  - Cost: measure the additional resource consumption of logging an event.
  - Benefit: investigate the resulting logs for known security breaches.

Our Ideas
- Consider the context of the system.
  - No single optimal policy.
  - Dependent on workload characteristics and the type of security vulnerability.

Our Ideas
- Domain-specific configuration.
  - Fine-grained control of what gets logged for whom.
  - Reduce data which is almost surely useless.

Our Implementation
Kernel module implementation of a logger to empirically measure the cost of logging individual system calls.
1. App calls patched syscall
2. Preliminary data logged
3. Original syscall executed
4. Return to patched routine
5. Finalize logging
6. Return result to app

Patched System Calls
sys_open, sys_close, sys_read, sys_write, sys_execve, sys_fork, sys_exit, sys_socketcall, sys_setuid, sys_setgid

Workloads Evaluated
- GetBuild: typical developer workload
- WebLoad: typical webserver workload
- Combined: combined conditions of GetBuild and WebLoad

CPU Overhead
Total cycles – normal syscall cycles = logging overhead
[Chart: CPU cycles per system call, unpatched vs. patched, for exec, fork, exit, read, write, open, close and socketcall; y-axis 0 to 3,500,000 cycles]
[Chart: the same unpatched vs. patched comparison on a 0 to 40,000 cycle axis, showing the lower-cost calls]
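The six-step patched-syscall flow and the "total minus baseline" overhead measurement above, modelled in user space as an added example (this is not the deck's kernel module; the log record layout, the field names and the choice of getpid as the wrapped call are assumptions made here so the program can run without a kernel build):

```c
/* Added example, not code from the slides: a user-space model of the
 * patched-syscall path (pre-log, run original, post-log) together with the
 * "total time minus baseline time = logging overhead" subtraction.
 * The record layout and field names below are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

enum { MAX_RECORDS = 4096 };

/* One log record; "finalize logging" fills in retval and t_exit. */
struct log_record {
    const char *syscall_name;
    pid_t pid;
    uid_t uid;
    long  arg0;        /* first argument (e.g. an fd); assumed layout */
    long  retval;      /* filled in after the original call returns */
    uint64_t t_enter;  /* ns, preliminary data logged before the call */
    uint64_t t_exit;   /* ns, written when logging is finalized */
};

static struct log_record records[MAX_RECORDS];
static size_t n_records;

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

size_t record_count(void) { return n_records; }
void   reset_log(void)    { n_records = 0; }
const struct log_record *record_at(size_t i) { return &records[i]; }

/* Steps 2-5 of the deck's flow around an arbitrary original routine.
 * Step 1 (the app calls the patched entry) is the caller; step 6 is the
 * return value handed back unchanged. */
static long logged_call(const char *name, long arg0, long (*original)(long)) {
    struct log_record *r = (n_records < MAX_RECORDS) ? &records[n_records++] : NULL;
    if (r) {                            /* step 2: preliminary data */
        r->syscall_name = name; r->pid = getpid(); r->uid = getuid();
        r->arg0 = arg0; r->t_enter = now_ns();
    }
    long ret = original(arg0);          /* step 3: original syscall */
    if (r) {                            /* steps 4-5: finalize logging */
        r->retval = ret; r->t_exit = now_ns();
    }
    return ret;                         /* step 6: result to the app */
}

/* "Original" routine: getpid, chosen because it needs no resources and
 * returns the same value on every call within one process. */
static long orig_getpid(long unused) { (void)unused; return (long)getpid(); }

long patched_getpid(void) { return logged_call("sys_getpid", 0, orig_getpid); }

struct overhead { uint64_t unpatched_ns, patched_ns; int64_t logging_ns; };

/* Time N patched calls and N unpatched calls; the difference is the cost
 * attributable to logging, the same subtraction the deck applies to cycles. */
struct overhead measure_overhead(int iterations) {
    struct overhead o;
    uint64_t t0 = now_ns();
    for (int i = 0; i < iterations; i++) orig_getpid(0);
    uint64_t t1 = now_ns();
    reset_log();
    for (int i = 0; i < iterations; i++) patched_getpid();
    uint64_t t2 = now_ns();
    o.unpatched_ns = t1 - t0;
    o.patched_ns   = t2 - t1;
    o.logging_ns   = (int64_t)o.patched_ns - (int64_t)o.unpatched_ns;
    return o;
}

int main(void) {
    struct overhead o = measure_overhead(1000);
    printf("unpatched %llu ns, patched %llu ns, logging overhead %lld ns (%zu records)\n",
           (unsigned long long)o.unpatched_ns, (unsigned long long)o.patched_ns,
           (long long)o.logging_ns, record_count());
    return 0;
}
```

Because the measurement subtracts two wall-clock totals, a single run on a busy machine can come out noisy or even negative; repeat with a larger iteration count and take the median, which is also why the deck reports aggregate cycle counts per call rather than single samples.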
Raw Disk Usage (bytes logged per workload)

Category          GetBuild   WebLoad   Combined
Open/Close           16868     34678     191950
  Open               12247     30070      93233
  Close               4621      4608      98717
Read/Write           12154      7723     179252
  Read                7362      4817     124884
  Write               4792      2906      54368
Exec/Fork/Exit       12875     10033     215146
Net                   2684      1195      13059
TOTAL                44581     53629     599407

[Chart: bytes logged per task (GetBuild, WebLoad), stacked by category Open/Close, Read/Write, Exec/Fork/Exit and Net; y-axis 0 to 60,000 bytes]

Strengths
- Independent overhead measures.
- A simple system demonstrates the central problem with disk consumption.
- Low CPU and memory overhead, even with VM testing.

Improvements
- Breadth of logging.
- Replace the ksyslog daemon with integrated logging functionality.
- Formalize the analysis of benefits.
- Consider the complexity of auditing.
- Implement fine-grained customization.

Questions?
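The deck's domain-specific configuration idea ("what gets logged for whom", dropping data that is almost surely useless) and its per-category disk accounting, combined in one added example. This is not the deck's code: the rule table, the fixed record sizes per category, the "Other" bucket for setuid/setgid, the uid values and the sample events are all assumptions constructed here.

```c
/* Added example, not code from the slides: a first-match (uid, syscall)
 * policy that decides whether an event is written, plus the per-category
 * byte accounting the Raw Disk Usage table reports. Record sizes, rules,
 * uids and sample events are constructed assumptions. */
#include <stdio.h>
#include <stddef.h>

/* The deck's patched system calls, as a bit-mask-friendly enum. */
enum sc { SC_OPEN, SC_CLOSE, SC_READ, SC_WRITE, SC_EXECVE, SC_FORK,
          SC_EXIT, SC_SOCKETCALL, SC_SETUID, SC_SETGID, SC_COUNT };
#define SC_BIT(s) (1u << (s))

/* The deck's four disk-usage categories plus an assumed "Other" bucket
 * for setuid/setgid, which the table does not place. */
enum category { CAT_OPEN_CLOSE, CAT_READ_WRITE, CAT_EXEC_FORK_EXIT,
                CAT_NET, CAT_OTHER, CAT_COUNT };
static const char *category_name[CAT_COUNT] = {
    "Open/Close", "Read/Write", "Exec/Fork/Exit", "Net", "Other" };

/* Assumed on-disk record size per category, in bytes. */
static const size_t record_bytes[CAT_COUNT] = { 64, 48, 96, 80, 40 };

enum category category_of(enum sc s) {
    switch (s) {
    case SC_OPEN:   case SC_CLOSE:               return CAT_OPEN_CLOSE;
    case SC_READ:   case SC_WRITE:               return CAT_READ_WRITE;
    case SC_EXECVE: case SC_FORK: case SC_EXIT:  return CAT_EXEC_FORK_EXIT;
    case SC_SOCKETCALL:                          return CAT_NET;
    default:                                     return CAT_OTHER;
    }
}

struct event { int uid; enum sc sc; };

/* uid -1 matches any user; sc_mask selects the calls the rule covers. */
struct rule { int uid; unsigned sc_mask; int log; };

/* First matching rule decides; with no match the event is logged, so a
 * gap in the table errs toward keeping evidence rather than losing it. */
static int policy_allows(const struct rule *rules, size_t n, const struct event *e) {
    for (size_t i = 0; i < n; i++)
        if ((rules[i].uid < 0 || rules[i].uid == e->uid) &&
            (rules[i].sc_mask & SC_BIT(e->sc)))
            return rules[i].log;
    return 1;
}

/* Applies the policy to a stream of events and returns the total bytes
 * that would reach disk, with the per-category breakdown in bytes_by_cat. */
size_t apply_policy(const struct event *ev, size_t n_ev,
                    const struct rule *rules, size_t n_rules,
                    size_t bytes_by_cat[CAT_COUNT]) {
    size_t total = 0;
    for (int c = 0; c < CAT_COUNT; c++) bytes_by_cat[c] = 0;
    for (size_t i = 0; i < n_ev; i++) {
        if (!policy_allows(rules, n_rules, &ev[i])) continue;
        enum category c = category_of(ev[i].sc);
        bytes_by_cat[c] += record_bytes[c];
        total += record_bytes[c];
    }
    return total;
}

/* Constructed sample: uid 33 stands in for a web server, uid 1000 for a
 * developer, uid 0 for root. */
const struct event sample_events[] = {
    {33, SC_OPEN}, {33, SC_READ}, {33, SC_WRITE}, {33, SC_CLOSE},
    {33, SC_SOCKETCALL}, {1000, SC_READ}, {1000, SC_EXECVE},
    {0, SC_SETUID}, {1000, SC_FORK} };
const size_t n_sample_events = sizeof sample_events / sizeof sample_events[0];

/* Constructed policy: always keep process and privilege changes; drop the
 * web server's read/write traffic, which the deck's WebLoad numbers suggest
 * is bulk data of little forensic value. */
const struct rule sample_rules[] = {
    { -1, SC_BIT(SC_EXECVE) | SC_BIT(SC_FORK) | SC_BIT(SC_EXIT) |
          SC_BIT(SC_SETUID) | SC_BIT(SC_SETGID), 1 },
    { 33, SC_BIT(SC_READ) | SC_BIT(SC_WRITE), 0 } };
const size_t n_sample_rules = sizeof sample_rules / sizeof sample_rules[0];

int main(void) {
    size_t by_cat[CAT_COUNT];
    size_t all = apply_policy(sample_events, n_sample_events, sample_rules, 0, by_cat);
    size_t kept = apply_policy(sample_events, n_sample_events, sample_rules, n_sample_rules, by_cat);
    printf("unfiltered %zu bytes, with policy %zu bytes\n", all, kept);
    for (int c = 0; c < CAT_COUNT; c++)
        printf("  %-15s %zu bytes\n", category_name[c], by_cat[c]);
    return 0;
}
```

Running the policy with zero rules reproduces the unfiltered cost, so the same function yields both sides of the comparison; the difference between the two totals is the disk saving a given rule set buys on a given workload, which is the quantity the deck argues must be measured per workload rather than assumed.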