Protecting system observability records (logs) from a compromised OS has gained significant traction recently, with several noteworthy approaches proposed. Unfortunately, none of them achieves high performance together with a short log protection delay (the window between a record being written and its becoming tamper-proof). They also rely on risky environments for protection (e.g., many use general-purpose hypervisors or TrustZone, which have large TCBs and attack surfaces). HitchHiker is an attempt to rectify this problem. The system is designed to provide (a) in-memory protection of batched logs within a short, configurable real-time deadline via efficient hardware permission switching, and (b) an end-to-end high-assurance environment built on hardware protection primitives and debloated for secure log protection, persistence, and management. Security evaluations and validations show that HitchHiker reduces log protection delay by 93.3--99.3% compared to the state of the art, while reducing the TCB by 9.4--26.9X. Performance evaluations show HitchHiker incurs a geometric mean overhead of less than 6% on diverse real-world programs, improving on the state-of-the-art approach by 61.9--77.5%.
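To make the batching-plus-deadline mechanism in (a) concrete, the following is an added illustrative model and not HitchHiker's code: records are appended to page-sized batches, and a batch is flipped read-only either when it fills or when a configurable deadline elapses, so no record stays writable for longer than the deadline. mprotect(2) stands in for the hardware permission switch, and the record layout, batch count, clock injection, and function names are assumptions made for the example. The caveat matters: user-space mprotect offers no protection against a compromised kernel, which is precisely why the paper relies on hardware protection primitives with a small TCB; this model demonstrates the protection-delay bound, not the threat model.

```c
/* Model of deadline-bounded, batched log sealing (illustration, not HitchHiker's
 * code). mprotect(2) plays the role of the hardware permission switch; a
 * compromised kernel can undo it, so only the batching logic is modelled. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define HH_BATCHES 8   /* pages reserved for the demo (assumption) */
#define HH_REC_LEN 64  /* fixed-size record slot (assumption) */

struct hh_batch { char *page; size_t used; int sealed; uint64_t opened_ns; };

struct hh_log {
    struct hh_batch b[HH_BATCHES];
    size_t page_sz, slots;   /* slots = records per page */
    int cur;                 /* batch currently accepting writes */
    uint64_t deadline_ns;    /* configurable real-time protection deadline */
};

/* Map HH_BATCHES writable pages; the caller chooses the deadline in ns. */
int hh_init(struct hh_log *l, uint64_t deadline_ns) {
    memset(l, 0, sizeof *l);
    l->page_sz = (size_t)sysconf(_SC_PAGESIZE);
    l->slots = l->page_sz / HH_REC_LEN;
    l->deadline_ns = deadline_ns;
    char *base = mmap(NULL, l->page_sz * HH_BATCHES, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    for (int i = 0; i < HH_BATCHES; i++) l->b[i].page = base + i * l->page_sz;
    return 0;
}

/* The "permission switch": drop write access to a whole batch in one call. */
static int hh_seal(struct hh_log *l, int i) {
    if (l->b[i].sealed) return 0;
    if (mprotect(l->b[i].page, l->page_sz, PROT_READ) != 0) return -1;
    l->b[i].sealed = 1;
    return 0;
}

/* Deadline check, meant to run from a timer: seal the open batch once its
 * oldest unprotected record is as old as the deadline. Returns 1 if sealed. */
int hh_poll(struct hh_log *l, uint64_t now_ns) {
    struct hh_batch *cur = &l->b[l->cur];
    if (cur->sealed || cur->used == 0) return 0;
    if (now_ns - cur->opened_ns < l->deadline_ns) return 0;
    return hh_seal(l, l->cur) == 0 ? 1 : -1;
}

/* Append one record at time now_ns. Returns the batch index it landed in, or
 * -1 when all pages are used (a real system would recycle persisted batches). */
int hh_append(struct hh_log *l, const char *rec, uint64_t now_ns) {
    hh_poll(l, now_ns);                              /* enforce the deadline lazily too */
    struct hh_batch *cur = &l->b[l->cur];
    if (cur->sealed || cur->used == l->slots) {      /* open a fresh batch */
        if (cur->used > 0 && hh_seal(l, l->cur) != 0) return -1;
        if (++l->cur >= HH_BATCHES) return -1;
        cur = &l->b[l->cur];
    }
    if (cur->used == 0) cur->opened_ns = now_ns;     /* deadline clock starts here */
    char *slot = cur->page + cur->used * HH_REC_LEN;
    strncpy(slot, rec, HH_REC_LEN - 1);
    slot[HH_REC_LEN - 1] = '\0';
    cur->used++;
    if (cur->used == l->slots) hh_seal(l, l->cur);   /* full batch: protect at once */
    return l->cur;
}

const char *hh_record(const struct hh_log *l, int batch, size_t idx) {
    return l->b[batch].page + idx * HH_REC_LEN;
}
int hh_sealed(const struct hh_log *l, int batch) { return l->b[batch].sealed; }
size_t hh_slots(const struct hh_log *l) { return l->slots; }

/* Verify the protection instead of trusting the flag: attempt a write and
 * catch the fault (SIGSEGV on Linux, SIGBUS on macOS). */
static sigjmp_buf hh_probe_env;
static void hh_probe_fault(int sig) { (void)sig; siglongjmp(hh_probe_env, 1); }
int hh_probe_writable(const struct hh_log *l, int batch) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = hh_probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int writable = 0;
    if (sigsetjmp(hh_probe_env, 1) == 0) {
        volatile char *p = (volatile char *)l->b[batch].page + l->page_sz - 1;
        *p = *p;                                     /* faults on a sealed page */
        writable = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return writable;
}

int main(void) {
    struct hh_log l;
    if (hh_init(&l, 1000000) != 0) return 1;          /* 1 ms deadline */
    hh_append(&l, "audit: uid=0 exec /bin/sh", 0);    /* constructed record */
    printf("open batch writable: %d\n", hh_probe_writable(&l, 0));
    hh_poll(&l, 2000000);                              /* timer fires 2 ms later */
    printf("sealed batch writable: %d\n", hh_probe_writable(&l, 0));
    return 0;
}
```

The clock is passed in rather than read from the system so the deadline behaviour can be reproduced exactly; in a deployment the hh_poll call would come from a timer armed at the configured deadline. The probe is the check worth keeping: a "sealed" flag says nothing about what the MMU enforces, and a write attempt that does not fault means the permission switch did not happen.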