System auditing is a crucial technique for detecting APT attacks. However, attackers may try to compromise the system auditing framework itself to conceal their malicious activities. In this paper, we present a comprehensive and systematic study of the super producer threat in auditing frameworks, which enables attackers to either corrupt the auditing framework or paralyze the entire system. Our analysis shows that the main cause of the super producer threat is the lack of data isolation in the centralized architecture of existing solutions. To address this threat, we propose a novel auditing framework, NODROP, which isolates provenance data generated by different processes with a threadlet-based architecture design. Our evaluation demonstrates that NODROP can ensure the integrity of the auditing framework while incurring an average 6.58% higher application overhead compared to vanilla Linux and 6.30% lower application overhead compared to a state-of-the-art commercial auditing framework, Sysdig, across eight different hardware configurations.
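The abstract attributes the super producer threat to a centralized, unisolated event buffer: one process that emits audit events faster than the collector can drain them crowds every other process's events out of the shared buffer, so the records an analyst would need are exactly the ones that get dropped. The simulation below is an added illustration, not code from the NODROP paper or any real auditing framework; the two PIDs, the per-tick rates, the buffer sizes and the consumer budget are all constructed values. It contrasts a single shared ring buffer with per-producer buffers of the same size and shows that, under isolation, a flooding process can only exhaust its own quota while a low-rate process keeps full delivery.

```python
"""Toy model of the super producer effect on a centralized vs. an isolated
audit-event buffer. All PIDs, rates and capacities are constructed; the
per-producer buffering here is a simplification of the isolation idea,
not the paper's threadlet design."""
from collections import deque

FLOODER, BENIGN = 1001, 1002        # constructed PIDs of a noisy and a quiet process
RATES = {FLOODER: 1000, BENIGN: 1}   # audit events each process emits per tick


class SharedBuffer:
    """One fixed-size ring buffer shared by every producer: when it is full,
    whichever process arrives next has its event dropped, regardless of who
    filled it."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()

    def push(self, pid):
        if len(self.queue) >= self.capacity:
            return False                 # dropped
        self.queue.append(pid)
        return True

    def drain(self, budget):
        taken = []
        while budget and self.queue:
            taken.append(self.queue.popleft())
            budget -= 1
        return taken


class IsolatedBuffers:
    """A separate fixed-size buffer per producer; the consumer splits its
    budget evenly across producers, so a flooder only overflows itself."""

    def __init__(self, capacity_per_producer):
        self.capacity = capacity_per_producer
        self.queues = {}

    def push(self, pid):
        q = self.queues.setdefault(pid, deque())
        if len(q) >= self.capacity:
            return False                 # dropped, but only this producer's event
        q.append(pid)
        return True

    def drain(self, budget):
        taken = []
        queues = list(self.queues.values())
        if not queues:
            return taken
        share = max(1, budget // len(queues))
        for q in queues:
            for _ in range(share):
                if not q:
                    break
                taken.append(q.popleft())
        return taken


def simulate(buffer, ticks=10, consumer_budget=50):
    """Run producers then the consumer for each tick; return
    (delivered, dropped) event counts per PID. The flooder is deliberately
    first in RATES so it reaches the buffer before the benign process."""
    delivered = {pid: 0 for pid in RATES}
    dropped = {pid: 0 for pid in RATES}
    for _ in range(ticks):
        for pid, rate in RATES.items():
            for _ in range(rate):
                if not buffer.push(pid):
                    dropped[pid] += 1
        for pid in buffer.drain(consumer_budget):
            delivered[pid] += 1
    return delivered, dropped


if __name__ == "__main__":
    for name, buf in (("shared", SharedBuffer(100)),
                      ("isolated", IsolatedBuffers(100))):
        d, x = simulate(buf)
        print(f"{name:9s} benign delivered={d[BENIGN]} dropped={x[BENIGN]} | "
              f"flooder delivered={d[FLOODER]} dropped={x[FLOODER]}")
```

With the shared buffer the benign process loses every one of its events even though it emits only one per tick, because the flooder has already filled the buffer before the benign event arrives; with isolated buffers the benign process's ten events are all delivered and the drops are confined to the flooder's own queue, which is the property an auditing framework needs if loss of one process's records is to stay visible as loss of that process's records rather than as silent gaps elsewhere.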