Abstract
Retrospective security has become increasingly important to the theory and practice of cyber security, with auditing a crucial component of it. However, in systems where auditing is used, programs are typically instrumented to generate audit logs using manual, ad-hoc strategies. This is a potential source of error even if log analysis techniques are formal, since the relation of the log itself to program execution is unclear. This paper focuses on provably correct program rewriting algorithms for instrumenting formal logging specifications. Correctness guarantees that the execution of an instrumented program produces sound and complete audit logs, properties defined by an information containment relation between logs and the program’s logging semantics. We also propose a program rewriting approach to instrumentation for audit log generation, in a manner that guarantees correct log generation even for untrusted programs. As a case study, we develop such a tool for OpenMRS, a popular medical records management system, and consider instrumentation of break the glass policies.
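An added, illustrative model of the soundness and completeness criterion the abstract describes, written for this page (it is not the paper's calculus, its theorems, or the OpenMRS module; the API names, the break-the-glass policy and the workload are constructed). It contrasts an ad-hoc, hand-placed log call with a rewriting pass that wraps every triggered call site, and checks both logs against the logging semantics by set containment.

```python
from typing import Callable

Fact = tuple  # a log entry; constructed shape: ("btg", user, patient, reason)

def logging_semantics(trace: list[tuple]) -> set[Fact]:
    """Logging specification (constructed policy): every break-the-glass call must yield a fact."""
    return {("btg",) + args for fn, args in trace if fn == "break_the_glass"}

def base_program(trace: list[tuple], log: set[Fact], ad_hoc: bool) -> dict[str, Callable]:
    """Tiny OpenMRS-like API (constructed). With ad_hoc=True it carries a hand-written log call
    that covers only one path, the kind of manual instrumentation the abstract warns about."""
    def view_record(user, patient):
        trace.append(("view_record", (user, patient)))
        return f"record:{patient}"
    def break_the_glass(user, patient, reason):
        trace.append(("break_the_glass", (user, patient, reason)))
        if ad_hoc and reason:          # ad-hoc logging forgets the empty-reason path
            log.add(("btg", user, patient, reason))
        return view_record(user, patient)
    return {"view_record": view_record, "break_the_glass": break_the_glass}

def rewrite(program: dict[str, Callable], log: set[Fact], triggers: set[str]) -> dict[str, Callable]:
    """Program rewriting: each triggered call site is wrapped so a fact is emitted on every call."""
    def wrap(fn):
        def instrumented(*args):
            log.add(("btg",) + args)
            return fn(*args)
        return instrumented
    return {n: wrap(f) if n in triggers else f for n, f in program.items()}

def sound(log: set[Fact], trace: list[tuple]) -> bool:
    return log <= logging_semantics(trace)      # nothing spurious in the log

def complete(log: set[Fact], trace: list[tuple]) -> bool:
    return logging_semantics(trace) <= log      # nothing required is missing

def scenario(use_rewriting: bool) -> tuple[bool, bool]:
    """Run one workload against ad-hoc vs. rewritten instrumentation; return (sound, complete)."""
    trace, log = [], set()
    prog = base_program(trace, log, ad_hoc=not use_rewriting)
    if use_rewriting:
        prog = rewrite(prog, log, {"break_the_glass"})
    prog["view_record"]("dr_a", "p1")
    prog["break_the_glass"]("dr_a", "p2", "emergency")
    prog["break_the_glass"]("dr_b", "p3", "")   # empty reason: missed by the ad-hoc log call
    return sound(log, trace), complete(log, trace)
```

The ad-hoc variant yields a sound but incomplete log, the rewritten variant a log that is both sound and complete for the same workload.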
Notes
1. The proofs of Theorems 1–5 in this text are omitted for brevity, but are available in a related Technical Report [3].
2. We use metavariable \(\mathbf {\mathfrak {p}}\) to range over programs in either the source or target language; it will be clear from context which language is used.
3. While \(\varLambda _{\mathrm {call}}\) expressions and evaluation contexts appear as predicate arguments, their syntax can be written as string literals to conform to typical Datalog or Prolog syntax.
References
Allan, C., Avgustinov, P., Christensen, A.S., Hendren, L.J., Kuzins, S., Lhoták, O., de Moor, O., Sereni, D., Sittampalam, G., Tibble, J.: Adding trace matching with free variables to AspectJ. OOPSLA 2005, 345–364 (2005)
Amir-Mohammadian, S., Chong, S., Skalka, C.: Retrospective Security Module for OpenMRS (2015). https://github.com/sepehram/retro-security-openmrs
Amir-Mohammadian, S., Chong, S., Skalka, C.: The theory and practice of correct audit logging. Technical report, University of Vermont, October 2015. https://www.uvm.edu/~samirmoh/TR/TR_Audit.pdf
Bauer, L., Ligatti, J., Walker, D.: More enforceable security policies. Technical report TR-649-02, Princeton University, June 2002
Belhajjame, K., B’Far, R., Cheney, J., Coppens, S., Cresswell, S., Gil, Y., Groth, P., Klyne, G., Lebo, T., McCusker, J., Miles, S., Myers, J., Sahoo, S., Tilmes, C.: PROV-DM: the PROV data model. (2013). http://www.w3.org/TR/2013/REC-prov-dm-20130430. Accessed 07 February 2015
Biswas, D., Niemi, V.: Transforming privacy policies to auditing specifications. HASE 2011, 368–375 (2011)
Böck, B., Huemer, D., Tjoa, A.M.: Towards more trustable log files for digital forensics by means of trusted computing. In: AINA 2010, pp. 1020–1027. IEEE Computer Society (2010)
Buneman, P., Chapman, A., Cheney, J.: Provenance management in curated databases. SIGMOD 2006, 539–550 (2006)
Buneman, P., Khanna, S., Tan, W.-C.: Why and where: a characterization of data provenance. In: Bussche, J., Vianu, V. (eds.) ICDT 2001. LNCS, vol. 1973, pp. 316–330. Springer, Heidelberg (2000)
Cederquist, J.G., Corin, R., Dekker, M.A.C., Etalle, S., den Hartog, J.I., Lenzini, G.: Audit-based compliance control. Int. J. Inf. Secur. 6(2–3), 133–151 (2007)
Ceri, S., Gottlob, G., Tanca, L.: What you always wanted to know about Datalog (and never dared to ask). IEEE Trans. Knowl. Data Eng. 1(1), 146–166 (1989)
Cheney, J.: A formal framework for provenance security. CSF 2011, 281–293 (2011)
Cheney, J.: Semantics of the PROV data model (2013). http://www.w3.org/TR/2013/NOTE-prov-sem-20130430. Accessed 07 February 2015
Chuvakin, A.: Beautiful log handling. In: Oram, A., Viega, J. (eds.) Beautiful security: leading security experts explain how they think. O’Reilly Media Inc. (2009)
Cook, D., Hartnett, J., Manderson, K., Scanlan, J.: Catching spam before it arrives: domain specific dynamic blacklists. In: AusGrid 2006, pp. 193–202. Australian Computer Society, Inc. (2006)
Corin, R., Etalle, S., den Hartog, J.I., Lenzini, G., Staicu, I.: A logic for auditing accountability in decentralized systems. FAST 2004, 187–201 (2004)
CPMC Press Release: Audit finds employee access to patient files without apparent business or treatment purpose (2015). http://www.cpmc.org/about/press/News2015/phi.html. 30 January 2015
Datta, A., Blocki, J., Christin, N., DeYoung, H., Garg, D., Jia, L., Kaynar, D., Sinha, A.: Understanding and protecting privacy: formal semantics and principled audit mechanisms. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2011. LNCS, vol. 7093, pp. 1–27. Springer, Heidelberg (2011)
DeYoung, H., Garg, D., Jia, L., Kaynar, D., Datta, A.: Privacy policy specification and audit in a fixed-point logic: How to enforce HIPAA, GLBA, and all that. Technical report CMU-CyLab-10-008, Carnegie Mellon University, April 2010
DeYoung, H., Garg, D., Jia, L., Kaynar, D.K., Datta, A.: Experiences in the logical specification of the HIPAA and GLBA privacy laws. WPES 2010, 73–82 (2010)
Erlingsson, Ú.: The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University (2003)
Etalle, S., Winsborough, W.H.: A posteriori compliance control. SACMAT 2007, 11–20 (2007)
Fu, Q., Zhu, J., Hu, W., Lou, J., Ding, R., Lin, Q., Zhang, D., Xie, T.: Where do developers log? an empirical study on logging practices in industry. ICSE 2014, 24–33 (2014)
Garg, D., Jia, L., Datta, A.: Policy auditing over incomplete logs: theory, implementation and applications. CCS 2011, 151–162 (2011)
Guts, N., Fournet, C., Zappa Nardelli, F.: Reliable evidence: auditability by typing. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 168–183. Springer, Heidelberg (2009)
Hasan, R., Sion, R., Winslett, M.: The case of the fake Picasso: preventing history forgery with secure provenance. FAST 2009, 1–14 (2009)
InterProlog Consulting: Logic for your app (2014). http://interprolog.com/. Accessed 27 September 2015
Jagadeesan, R., Jeffrey, A., Pitcher, C., Riely, J.: Towards a theory of accountability and audit. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 152–167. Springer, Heidelberg (2009)
Kemmerer, R.A., Vigna, G.: Intrusion detection: a brief history and overview. Computer 35(4), 27–30 (2002)
King, J.T., Smith, B., Williams, L.: Modifying without a trace: General audit guidelines are inadequate for open-source electronic health record audit mechanisms. In: IHI 2012, pp. 305–314. ACM (2012)
Kohlas, J.: Information Algebras: Generic Structures For Inference. Discrete mathematics and theoretical computer science. Springer, London (2003)
Kohlas, J., Schmid, J.: An algebraic theory of information: an introduction and survey. Information 5(2), 219–254 (2014)
Lampson, B.W.: Computer security in the real world. IEEE Computer 37(6), 37–46 (2004)
Martin, M., Livshits, B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: OOPSLA 2005, pp. 365–383. ACM (2005)
Matthews, P., Gaebel, H.: Break the glass. In: HIE Topic Series. Healthcare Information and Management Systems Society (2009). http://www.himss.org/files/himssorg/content/files/090909breaktheglass.pdf
Povey, D.: Optimistic security: a new access control paradigm. NSPW 1999, 40–45 (1999)
Rizvi, S.Z., Fong, P.W.L., Crampton, J., Sellwood, J.: Relationship-based access control for an open-source medical records system. SACMAT 2015, 113–124 (2015)
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Vaughan, J.A., Jia, L., Mazurak, K., Zdancewic, S.: Evidence-based audit. CSF 2008, 177–191 (2008)
Weitzner, D.J.: Beyond secrecy: new privacy protection strategies for open information spaces. IEEE Internet Comput. 11(5), 94–96 (2007)
Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J.A., Sussman, G.J.: Information accountability. Commun. ACM 51(6), 82–87 (2008)
Zhang, W., Chen, Y., Cybulski, T., Fabbri, D., Gunter, C.A., Lawlor, P., Liebovitz, D.M., Malin, B.: Decide now or decide later? Quantifying the tradeoff between prospective and retrospective access decisions. CCS 2014, 1182–1192 (2014)
Zheng, A.X., Jordan, M.I., Liblit, B., Naik, M., Aiken, A.: Statistical debugging: simultaneous identification of multiple bugs. In: ICML 2006, pp. 1105–1112. ACM (2006)
Acknowledgement
This work is supported in part by the National Science Foundation under Grant No. 1408801 and Grant No. 1054172, and by the Air Force Office of Scientific Research.
© 2016 Springer-Verlag Berlin Heidelberg
Cite this paper
Amir-Mohammadian, S., Chong, S., Skalka, C. (2016). Correct Audit Logging: Theory and Practice. In: Piessens, F., Viganò, L. (eds) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science, vol 9635. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49635-0_8
DOI: https://doi.org/10.1007/978-3-662-49635-0_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49634-3
Online ISBN: 978-3-662-49635-0