Yongzheng Wu
National University of Singapore
Singapore
Roland Yap
National University of Singapore
Singapore
Logging and auditing is an important system facility for
monitoring correct system operation and for detecting
potential security problems. We present an architecture
for implementing user-level monitors for such auditing purposes.
It also doesn't require superuser privileges. It is simple
to create user defined monitors which are transparent and
provide security guarantees such as mandatory and reliable
monitoring with maintaining confidentiality of setuid
processes. We avoid problems of self-referential monitoring
and also increase flexibility with enforcing monitor use
policies. We show that our framework can be tailored
so that it is very efficient with only 2% overhead on
a heavy web server benchmark. Other macro and
micro-benchmarks also have low overheads. This demonstrates
that it is feasible to make use of arbitrary and programmable
user-level monitors for system security and auditing
applications and have only small system impact.
Keywords: auditing, logging, security monitor, IDS