Standardised Syslog Processing ... - kau.diva-portal.orgkau.diva-portal.org/smash/get/diva2:954004/FULLTEXT02.pdf · [20]F.Miao,Y.Ma,andJ.Salowey.Transportlayer...

Rasmus Dahlberg a

nd Tobias Pulls |

Standardised Syslog Processi

ng

Standardised Syslog Processing

Today’s computer logs are like smoking guns and treasure maps in case of suspicious

system activities: they document intrusions, and log crucial information such as

failed system updates and crashed services. An adversary thus has a clear motive

to observe, alter, and delete log entries, considering that she could (i) start by using

the log’s content to identify new security vulnerabilities, and (ii) exploit them

without ever being detected. With this in mind we consider syslog standards and

open source projects that safeguard events during the storage and transit phases,

and examine how data compression effects security. We conclude that there are

syslog standards in place that satisfy security on a hop-by-hop basis, that there

are no such standards for secure storage, and that message compression is not

recommended during transit.

WORKING PAPER | September 2016

Faculty of Health, Science and Technology

Department of Mathematics and Computer Science

Faculty of Health, Science and Technology

Rasmus Dahlberg and Tobias Pulls

Standardised Syslog ProcessingRevisiting Secure Reliable Data Transfer and

Message Compression

StandardisedSyslogProcessing

RevisitingSecureReliableDataTransferandMessageCompression

RasmusDahlbergKarlstadUniversity,Dept.ofMathematicsand

ComputerScience,Sweden

TobiasPullsKarlstadUniversity,Dept.ofMathematicsand

ComputerScience,Sweden

ABSTRACTToday’scomputerlogsarelikesmokinggunsandtreasuremapsincaseofsuspicioussystemactivities:theydocumentintrusions,andlogcrucialinformationsuchasfailedsystemupdatesandcrashedservices.Anadversarythushasaclearmotivetoobserve,alter,anddeletelogentries,consideringthatshecould(i)startbyusingthelog’scontenttoidentifynewsecurityvulnerabilities,and(ii)exploitthemwithouteverbeingdetected. Withthisinmindweconsidersyslogstandardsandopensourceprojectsthatsafeguardeventsduringthestorageandtransitphases,andexaminehowdatacompressioneffectssecurity. Weconcludethattherearesyslogstandardsinplacethatsatisfysecurityonahop-by-hopbasis,thattherearenosuchstandardsforsecurestorage,andthatmessagecompressionisnotrecommendedduringtransit.

KeywordsSyslog,standardisedlogging,securedatacompression

1. INTRODUCTIONAcomputerlogwithdescriptionsofpastactivitysuchas

fileaccess,authorisationdecisions,andsystemdiagnosticsis,andhavelongbeen,aninvaluableresourceforsystemadministratorsduringtroubleshooting.Forexample,legacysyslog[18]datesbackasfarasthe1980s,andtobeginwiththeoriginaldesignhadlittleinterestinsecurity[13]. Thiscontradictsthecurrentneeds,consideringthattoday’slogscontainsensitivedatathatmustnotbeobserved,dropped,oraltered:securitynotifications,users’systemtraces,andsoforth.Inotherwords,itisessentialtoensuresecurelogmanagementonaprotocolandinfrastructurallevel,asisidentifiedinthesyslogrelatedrequestforcomments(RFCs)andinacomprehensivesurveypublishedbytheNationalInstituteofStandardsandTechnology(NIST)[14].Theconsequencesofunsecurelogmanagementisevidently

devastating.Considerwhatwouldhappeniflogentriesweretamperedwith,deleted,ormaliciouslyinsertedintothelogbyanadversary.Thetracesofanentireattackcouldeasilybehidden,andfalseevidenceproducedforevilpurposes.Evenmoreseverely,disclosureoftheusers’sensitivedatahaspreviouslydrivenpeopletosuicide[2]. Thus,asecurelogginginfrastructurecannotrunasifitmerelycontainsde-bugginginformation. Theimpactof,e.g.,denialofserviceattacks,confidentialitybreaches,andintegritycompromisesmustbecarefullyconsideredandaccountedforaccordingly,preferablydependingonwell-definedpolicies.

Currentlytherearemanysyslogrelatedstandards,someofwhichareoldorobsolete[23,30,31]andothersthatarequiterecent[9,10,13,20,24]. Apartfromthestandards,multipleopensourceprojectsexistthatprovidesecurelogmanagementsolutions[32,35].Intheresearchcommunitytherehasalsobeenseveralprevalentadvancements, mostnotablyincludingforward-secureconstructions[4,19].Ifthisisapplicable,however,isdependentonthesetting.Forinstance,aforwardsecureschemeservesnopurposewhenasystem’sdeviceshavetobetrustedatalltimes.

1.1 TerminologyandSettingWeconsiderthreetypesoftrusteddevices,namely origi-nators,relays,andcollectors.Anoriginatorgenerateseventsthataresentacrossanunreliableandunsecurenetwork.Theeventsareformattedassyslogmessages,andmaybesenttomultiplerelaysandcollectors.Uponreceiptofanevent,arelayispreconfiguredtoserveaforwardingfunction.Thecollectors,ontheotherhand,archiveeventsandperformloganalysis.Adevicecanbeanycombinationoforiginator,relayandcollector.Figure1depictsoursetting. Anactiveadversarythatiscomputationallyboundedintercepts,examines,modifies,delays,andreplayseventsintransit.Shemayalsoattempttocauseavailabilityissuesbyinjectingmaliciouseventstoexhaustbothrelaysandcollectors. Further,thirdpartiesthatareabletoauthenticatethemselvesquerythecollectorsforevents,demandingverifiableresponseswithregardtotheoriginatorthatgeneratedwhicheventatroughlywhattime.

CollectorRelay

Originator

Client

query

answerm2

m1 m1

m2

Figure1:Asketchofoursetting.

Fororiginatorsandrelays,spaceisalimitedresourceintheorderofafewgigabytes. Thecollectorsareassumedtobemorepowerful,anditisdesirabletosavebandwidthwithoutcompromisinganysecurity. Wedonotconsiderreplicationatthecollectors,butthisisinherentlysupportedbythemodelsinceacollectorcanalsobearelay.

1

1.2 GoalandScopeWewishtoexaminesyslogstandardsandrelatedconcepts

thatareapplicabletoUnix-likeenvironments. Theaimistoprovideguidelinesbasedonoursettingwherealldeviceshavetobetrusted,andwehopetofindsolutionsthatoffer:

–Reliabletransportbetweenthedifferentdevices;

–Confidentiality,integrity,andavailability;

–Originauthenticationonaper-messagebasis,i.e.,whichoriginatorgeneratedwhatmessage.

Itisalsodesiredthatweconsidersecuredatacompressionduringtransitandlong-termstorage. Ourscopeislimitedtostandardisedandwellestablishedopensourceprojects.

1.3 RoadmapTheremainderofthereportisstructuredasfollows.Sec-

tion2providesanoverviewofexistingsyslogstandardsandthesecuritypropertiestheyenforce. Section3highlightspopularopensourceprojectsrelatedtoscalableandsecurelogginginfrastructures.Section4introducestechniquesfordatacompressionandhowtheyeffectsecurity. Section5setsourdiscussionintocontext,providingguidelinesbasedonbestpractices.Finally,Section6concludesthereport.

2. SYSLOGSTANDARDSFirstweintroducepastdevelopmentandimportantnotes

regardingthesyslogprotocol,thenthelateststandardsforreliabledatatransferandsecurityareexamined.

2.1 TheSyslogProtocolAfterawideuseacrossnetworksformanyyears,observed

behaviourofBSDsyslogwasdocumentedinRFC3164[18].Theintentwastoprovideasimpleprotocoltransportingeventsfromsourcestosinks,resultingintheuseofUDPwithoutacknowledgementsandsecurityconsiderations.RFC3164waslaterondeclaredobsoleteandprecededby

astandardinRFC5424[9].Alayeredarchitectureintermsofanapplicationandtransportlayerwasintroduced,andanewstructureforthemessageformatdefined. Whilenoneofthetraditionalsecuritypropertieswereaddressed,severalencodingissueswereresolvedandacommongroundtobuilduponprovided.Inotherwords,toattainpropertiessuchasguaranteeddelivery,confidentiality,andintegrity,otherstandardsorvendorspecificsolutionsmustbeconsidered.

2.2 UDPandTCPTransportMappingsDespitethegeneralinteresttosecuresyslog,exceptions

existwhereinatraditionaltransportlayersuffices.ForsuchpurposestherearebothUserDatagramProtocol(UDP)andTransmissionControlProtocol(TCP)mappingsdefinedforsyslog[10,24]. Noneoftheseoptionsareentirelyreliable,however,becausesyslogissimplexwithoutanyapplicationlevelacknowledgements. Forinstance,itcanbenontrivialtodeterminewhichmessageshavebeencorrectlyreceivedintheeventofaprematurelyclosedTCP-connection. Aseparaterecoverymechanismmaythereforebenecessary.TheTCPtransportmappingisnotwithoutdrawbacks.

Thereislittlecontrolregardingwhenapacketissent,andbydesignthethroughputislessthanthatofUDP.TheTCPpushflagmighthelptoensurethatimportanteventscannotresideinsidebuffersforlongperiodsoftime,but

extralatencyisinevitabledueto,e.g.,theinitialhandshakeandcongestionmechanism.Furthermore,ifTCPisfeasible,itislikelythattheTransportLayerSecurity(TLS)mappingisapplicable(seeSection2.3). TheDatagramTransportLayerSecurity(DTLS) mappingforsyslogcouldalsobeofinterestincircumstanceswherereliabledatatransferisirrelevantortoocostlyintermsofoverhead[34].

2.3 TLSTransportMappingTheuseofTLSisrecommendedtoprotectsyslogevents

onahop-by-hopbasis,i.e.,intransitfromoriginatorsandrelaystootherrelaysandcollectors[9,24].Forthispurpose,thereisaTLStransport mappingdefinedforsyslog[20].Mutualauthenticationispreferablycertificate-based,andconfidentialityandintegrityispreservedbyencapsulatingallsyslogmessagesasTLSapplicationdata.Notethatreliabledatatransferisnotnecessarilyprovided(seeSection2.2),anddenialofserviceisonlypartiallyguardedagainstduetotheprovidedauthenticationcapabilities. WewilldiscussselectionofTLSciphersuiteslateroninSection5.2.

2.4 IPsecforSyslogInternetProtocolSecurity(IPsec)isasecurityprotocolthatoperatesonthenetworklayer[15].AlltransportlayerservicesthatrunontopofIPsecwillthusreaptheharvestfromtheprovidedsecurityproperties,followingfromtwoassociatedIPsecprotocols. First,anauthenticatedheaderoffersintegrity,originauthentication,andoptionalreplayresistance.Second,anencapsulatedsecuritypayloadoffersthesamesetofservicesaswellasconfidentiality. Bothofthetwoprotocolssupportaccesscontrol,andrunineithertransportortunnel mode. Thedifferent modesdeterminedetailsregarding,e.g.,howadatagramshouldbeprocessed.WhatisnotapparentfromthisbriefintroductionisthatIPsecisacomplexprotocolwithmanyquirks[26].Itspanshundredsofpages,andevenseveralRFCs.However,whilecomplexityisoftenconsideredasecurityconcern[8],IPsecdoesaddressmanysecurityissuesifimplementedcorrectly.

2.5 SignedSyslogMessagesSyslog-sign[13]usesthestructureddataelementsdefined

inRFC5424[9]toauthenticateastreamofsyslogmessages,introducingsignatureandcertificateblocks. AsdepictedinFigure2,asignatureblockcontainshashesofpreviouslysentmessagesandisdigitallysigned. Theassociatedkey ma-terialisdistributedperiodicallythroughcertificateblocks,andmustbeprotectedexternally,e.g.,viaTLS,topreventman-in-the-middleattacks.Itshouldbenotedthatneithersignaturenorcertificateblocksareincludedinthestreamofsignedmessages. Theyare,however,encodedusingthesyslogmessageformat.

... s e H(ms) ... H(me) σ

p;σ← Sig(sk,p)

Figure2: Therationalebehindsignatureblocks;sanderefertothefirstandlastmessageindices,respectively.

Theresultingsyslog-signprotocolprovidesintegritycheck-ing,sequencingofevents,andoriginauthentication.Thus,replayattacksandmissingeventscanbeaccountedfor.Inaddition,twoproceduresforonlineandofflineverification

2

aredefined,andvendorspecificverificationissupported.Finally,duetosignaturegroups,eventscanbegroupedandsignedseparatelybytheoriginator. Thisisanimportantfeaturewhendifferenteventsshouldbeforwardedtovari-oussetsofcollectors,e.g.,dependingonapplication,priority,andreplicationpolicy.

3. OPENSOURCEPROJECTSSeveralopensourceprojectsexistthatareaimedtowards

securelogmanagement. Webrieflydescribetwoofthemostestablishedones,namelysyslognewgeneration(syslog-ng)andtherocket-fastsystemforlogprocessing(rsyslog).Thenaloggingutilitythatresideswithinsystemdishighlighted.

3.1 Syslog-ngSyslog-ng[35]isacentralisedlogginginfrastructurethatisavailableonmanyhardwarearchitecturesandoperatingsystems,includingx86andUnix-likeenvironments.Amongotherfeatures,suchasdatabasemanagementandfiltering,thereissupportforreliabledatatransfer,messagesecrecyandintegrity,andmutualauthentication.Syslog-ngisalsocompatiblewithIPv4/IPv6networks,andtheclient,relay,andservermodesareparticularlyconvenientforoursetting.Notethatsyslog-ngisnotintendedforloganalysis:itcan

performrule-basedfilteringandtransform messagesfromoneformattoanother,butnotinterprettheir meaning.Moreover,thereiscurrentlynomechanismdefinedthatcangenerateproofswithregardtotimeandorigin.

3.2 RsyslogRsyslog[32]isacentralisedlogginginfrastructurethat

isavailableonseveralLinuxdistribution,includingUbuntuandCentOS.Thereissupportforfeaturessuchasdatabases,filtering,andsecurityadd-ons,whereinreliableandsecuretransitisenforcedusingTCP/TLS,andakeylesssigna-tureinfrastructureguardsagainstunauthorisedlog modi-fications. Likesyslog-ng,rsyslogdoesnotincorporatethesyslog-signprotocol. Therefore,neithermessageoriginnorthetimeofeventgenerationcanbeproventoathirdparty.Interestingly,rsyslogsupportsdatacompressionduring

transitforstreamsandindividualmessages. AsdescribedfurtherinSections4–5,thiscouldbeasecurityissue.

3.3 JournaldandSystemdThejournaldisaloggingutilitythatispartofthesystemd

daemon.Itisrelatedtosyslog,supportingstructuredbinaryencodings[37]andforwardsecuresealing[27]. Theformerincreasesstorageandautomatedsearchefficiency,whilethelatterwilllikelydetectanadversarythattamperswithpastlogentries.Itshouldbenotedthattheeffectivenessofsuchintegrityprotectionreliesonacheckpointfrequency,i.e.,howoftenkeymaterialissecurelyincremented,anditas-sumesthatdeletionoftheentirelogcanbedetectedbyothermeans.Asacaveat,thecheckpointfrequencymightnotbesufficientlylargebydefault.Thus,ensurethatisconfiguredproperlyforthesysteminquestion.

4. DATACOMPRESSIONForthewell-beingoftheentireInternet,itisofgeneral

interesttoreducebandwidthrequirements.Likewise,thereare manygainsinreducingstoragerequirements.Inthissectionweaimtohighlightpotentialsecurityissueswith

themostcommoncompressiontechniques,whichwillbeourbasiswhendiscussingthesubjectspecificallyforoursetting.

4.1 HuffmanCodingAtraditionalcharacterencodingrepresentseachsymbolwithequally manybits. Huffmancodingaimstoreducethenumberofbitsforthemostfrequentsymbols,therebyyieldingasuccinctrepresentationoftheoriginalstring[12].Forexample,withUTF-8,thestring“Mississippi”requires88← 11·8bits.AsshowninFigure3,thiscanbereducedto21bitsusingHuffmancodingasfollows.First,countthefrequencyofeachletterandordertheminincreasingorder.Second,repeatedlybuildabinarytree,bottom-up,wherethetwonodeswhosecombinedsymbolfrequenciesarethesmallest.Eachleftandrighttraversalisinterpretedaszeroandone,respectively.Finally,theresultingpathsdowntotheleavesdefineanoptimisedcharacterencoding.

(a)

fi 4s 4p 2M 1

(b)

ispM11

spM7

pM3

M1p2

s4

i4

(c)

ei 0s 10p 110M 111

Figure3:AHuffmanencodingfor“Mississippi”,resultinginthebinarystring111010100101001101100.

4.2 TheLempel-ZivFamilyTheseminalpaperbyZivandLempel[38]introduceda

compressionmechanism(now)namedLZ771.AsopposedtoHuffmancodingthattargetsindividualsymbols,repeatedsequencesarereplacedwithbackwardreferencestoreduceredundancy. Thebasicprincipleisasfollows. Acharacterstreamisprocessed,andaslidingwindowisadvancedsuchthatthereisasearchbuffertotheleftandalook-aheadbuffertotheright. Foreachwindowposition,thelongestprefixmatchisfirstdeterminedinthesearchbuffer. Next,itisreplacedwithareferenceontheform<d,l,c>,wheredisadistancetothepreviousoccurrence,litslength,andcthenextcharacterinthelook-aheadbuffer. Finally,thewindowisforwardedbyd+1steps.Anexamplebasedonthestring“Mississippi”isshown

inTable1. Thelongestprefixmatchinthesearchbufferishighlightedbyagraybackground,thenextcharacterinthelook-aheadbufferisbold,andtheresultingstringis<0,0,m><0,0,i><0,0,s><1,1,i><3,3,p><1,1,i>.Inpractise,thesizeofthesearchandlook-aheadbuffersarefixedinadvance,andnodelimitingcharactersareused.ThereisanentirefamilyofcompressionalgorithmsthatarerelatedtotheworkofZivandLempel. Thedifferentvariationsoffertrade-offswithregardtocompressiontimeandratio,andcanbecombinedwithotherapproaches.OnesuchcombinationisDEFLATE[5]:applyLZ77,followedbyHuffmancoding.Forfurtherdetails,pleaserefertothecomprehensivebookondatacompressionbySalomon[33].

1LZisanacronymfortheauthors,LempelandZiv,and(19)77referstotheyearofpublication.

3

Table1:DerivinganLZ77encodingfor“Mississippi”

i Search Look-ahead Output1 Mississippi <0,0,M>2 M ississippi <0,0,i>3 Mi ssissippi <0,0,s>3 Mis sissppi <1,1,i>

4 Missi ssippi <3,3,p>5 Mississip pi <1,1,i>

6 Mississippi

4.3 AttackingCompressionMechanismsWithoutdoubt,thepastdecadesshowhownontrivialthe

designandimplementationofsecurecomputersystemare.Yettodate,newvulnerabilitiesarefoundinSSL/TLS[25],certificateauthoritiesarecompromised[16,29],andnationalstateagenciesbreaksupposedlysecuredevices[21]. Whileisolatedcryptographicprimitivesmightbesecureontheirown,securitydoesnotcompose.Infact,proceduresthatwereneverintendedforsecuritycancausetrouble.OnesuchexampleisdatacompressionwhenappliedtoTLS[11].CompressionRatioInfo-LeakMadeEasy(CRIME)isan

exploitdevelopedbyRizzoandDoung[7].Anadversaryisabletohijacktheusers’privateTLSsessionsbyguessingtheauthenticationcookiesifthefollowingconditionsaremet:

–Theadversarycanobservethenetworktraffic,e.g.,viaawirelessmedium.

–Theadversarycaninjectcodeintothevictim’sbrowser,e.g.,byprovidingamaliciouslinkthatisclicked.

–ThevictimauthenticatesoveranHTTPSconnectionthatusesanLZ-likecompressionmechanism.

Theattackproceedsasfollows.First,theadversaryinjectscodeintothevictim’sbrowser. Thisallowsforachosenplaintextattack. Next,specialHTTPrequestsarecraftedsuchthatthesecretcookiecanbebrute-forcedonesymbolatatime. Finally,aguessisconsideredcorrectwhentheobservedciphertextisreducedduetoincreasedredundancy.Inotherwords,thetrickisthatarbitrarilychosenstringsarecompressedtogetherwiththesecretinformation,andLZ77causescorrectguessestoproducesmallerciphertexts.SomeoftheproposedcountermeasuresagainstCRIME

includenevercompressingsecretsandadversarycontrolleddata. Thesafestoption,however,appearstobedisablingcompressionalltogether2.Forinstance,inthefootstepsofCRIMEfollowBREACH[28]andTIME[3]. TheytargetthecompressionofHTTPresponses,andTIMErelaxestheprerequisitestolaunchasuccessfulattackbyeliminatingtheneedtoeavesdrop.Thus,weconcludethatdatacompressionisasensitivetopicthatmustbecarefullyconsidered.

5. RECOMMENDATIONSFirstweprovideanoverviewofwhattheexistingsyslog

standardscanandcannotaccomplishinoursetting,thenadditionaldetailsregardingcryptographicprimitives,securedatacompression,andverifiablequeriesarediscussed.

2ThecurrentdraftforTLS1.3removesdatacompression.

5.1 OverviewInasettingwherealldeviceshavetobetrusted,theex-

istingsyslogstandardscansupportthefollowingproperties:

–Confidentialityandintegrityduringtransit.UseTCP,anapplicationlevelrecoverymechanismforfullreliability,andeitherIPsecorTLS.

–Serverand mutualauthentication.UseastrongauthenticationmechanismbasedonTLSorIPsec.

–Originauthenticationandreplaydetection. Usesyslog-sign.Thiswillalsodetectmissingeventsduetoasequencingscheme,andthesignatureblockswillbetheproofsofcorrectnessforthequeryingclients.

Despitecombiningvarioussyslogstandards,thefollowingpropertiescannotbeprovided:

–Securestorage. Neitherconfidentiality,integrity,noravailabilityisensuredduringstorage.

–Secure DataCompression.Nosuchstandardsaredefinedforsyslog.

–Availability. Whilemutualauthenticationhelpstopreventdenialofservice,filteringandlogrotationisnecessarytoassurethatanadversarycannotexhaustthenetworkanditsdevices.ForlogrotationthereisaLinuxservicethatmightbeuseful[36].

Finally,itshouldbenotedthatasignificantamountofoverheadwillbeintroducedwhenoneswitchesfromlegacysyslogtoasecurelogginginfrastructure. Theopensourceprojectsmightbeapplicableforsomevendors,anditislikelythatthejournaldloggingutilityisworthconsidering.

5.2 SelectingCryptographicPrimitivesItappearsthattherearenocurrentrecommendationswhenselectingcryptographicprimitivesforsecurelogging:thepresentedopensourceprojectsprovidenohelpinthisregard,andthesyslogstandardsareold. Therefore,wesuggestthattheguidelinesprovidedbyGoogle’ssecurityresearchersbefollowed,andpossiblythattheciphersuitessupportedbyChromeandFirefoxcouldbeconsidered3.Langley[17]discussedselectionofTLSciphersuitesatthe

Googlesecurityblog.HeconcludedthatTLS1.0shouldbeavoidedduetoseveralknownflaws,includingthosefoundinthestreamcipherRC4,andthatTLS1.1shouldbeavoidedtoo,ifpossible. Forinstance,theCBCblockciphermodeisvulnerabletotwoattacks: BEAST[6]andLucky13[1].Theformertargetsthegenerationofinitialisationvectorsandhasbeenpatched,whereasthelatterisatimingat-tackthatcouldbepreventedbyproperconfigurationoftheTLSserver.However,itisimpossiblefortheTLSclientstoknownifthatisthecaseinadvance.Thus,likeLangley,wedonotrecommendsuitesbasedonRC4orCBCmode.Instead,thebetteroptionistoselectsuitesofferedbyTLS1.2,inparticularthosebasedontheGCMblockciphermodeortheChaCha20-Poly1305cipher.Forexample,onaWindowsmachinethatrunsChromeversion51.0.2704.103,128-bitsecuritywithAESinGCMmodeisthefirstchoice,

3Todeterminetheciphersuitessupportedbyaparticulararchitecture,operatingsystem,andbrowser,visithttps://cc.dcsec.uni-hannover.dewiththeset-upinquestion.

4

thenChaCha20-Poly1305.EllipticcurvesarealsofavouredoverRSAforkeyagreementandauthentication,andSHA-256asthemessageauthenticationprimitive.Inotherwords,thefollowingciphersuiteswith128-bitkeysarerecommended:

–ECDHE-ECDSA-AES128-GCM-SHA256;

–ECDHE-RSA-AES128-GCM-SHA256;

–ECDHE-ECDSA-CHACHA20-POLY1305-SHA256;

–ECDHE-RSA-CHACHA20-POLY1305-SHA256.

Furthermore,avoidoldsuitesthatoriginatefromTLS1.0,andpaycloseattentiontothereleaseofTLS1.3.Sincetheciphersuitesalreadyselectahashfunctionand

adigitalsignaturescheme,wesuggestthatthoseprimitivesareusedifsyslog-signisinplace. ForcompatibilitywithRFC5848[13],newversionnumbersmustbedefined.

5.3 SecureDataCompressionThemorestructurethereisinthedatabeingcompressed,

theeasieritistoseparatesecretsfromadversarycontrolleddata.Forsyslog,especially,suchseparationcouldbefeasibleifthestandardisedmessageformatisused.First,somefieldsmightnotbeconsideredconfidential,inwhichcasetheycanbecompressedwithoutlosinganysecurity. Second,ifanadversaryisunabletogenerateplaintextforcompression,allotherfieldscouldbecompressedsecurely. Whilethefirstapproachisstraightforwardandeasilymappedfromasecuritypolicy,thelatterisnontrivialbecauseanadversarycanlikelyinfluencethegeneratedevents.Consideringtheinvolvedcomplexitywhenattemptingto

compressdataduringtransit,wedonotrecommendit.Inaddition,evenifonemanagestoseparatesecretsandusercontrolleddata,itisquestionablewhethertheresultingband-widthgainsaresignificantenough.Duringstorage,however,datacompressionentailsnoknownissues. Werecommenditbecauseitfavoursavailability.

5.4 VerifiableQueriesClientsthatquerycollectorsforeventsdemandproofsof

correctness.Forthispurpose,wesuggestaccompanyingtheretrievedeventswiththecorrespondingsignatureblocks.Aclientacceptssuchproofsiftheretrievedeventsarehashedcorrectlyandifthesignaturesareauthentic. Thissufficesbecauseeverythingistrusted,asbothtimeofgenerationandorigincanbevouchedforbytheoriginator’ssignature.Itisquestionablewhethersyslog-signisworthwhilewhen

alldevicesaretrustedandTCP/TLSisinplace. Clearly,eachmessagewillarriveintacttothecollectors,andsincealldevicesaretrustedtheyshouldnotaltertheoriginators’identifiersandtimestamps. Thereforesequencingschemesandsignaturesservelittletonopurpose,whichmightbethereasonwhynoneofthepopularopensourceprojectssupportit.Nevertheless,NetBSDprovidesanoldimplementationofsyslog-signthatcouldbeinterestingtoexamine[22].

6. CONCLUDINGREMARKSOurgoalwastoexamineexistingstandardsthatsecure

syslog,bothduringthestorageandtransitphases. Wefoundthatthereexistnosuchstandardsforstorage,butavail-ability,integrity,andconfidentialitycanbeguardedagainstduringtransit. Astandardisedprotocolforsigningsyslog

messageswasalsodiscovered,andcanbeusedtoprovethedevicesthatgeneratedwhicheventsatroughlywhattimes.Italsodetectsmissingevents,anddefinesacountermeasureagainstreplayattacks.Thesyslogrelatedstandardsfailtoprovideguidelineson

howtoselectcryptographicprimitives,andtheyarenotasusefulunlessalldevicesaretrusted.Likewise,theopensourceprojectsfailinthisregardtoo,buttheyareapplicableforoursettingifsyslog-signisimplemented.Inaddition,weexaminedhowmessagecompressioneffectssecurity,andconcludedthatitmightbedangerousbecauseitintroducescomplexitywithpresumablysmallgains.Finally, weencouragethereadertoconsiderasetting

wherethedevicescanbecompromisedatsomepointintime.Thenjournaldisaprevalentfirststeptoprotectthelog’sintegrity,andsimilarapproachescanbeusedtoensureconfidentiality.

7. ACKNOWLEDGEMENTWewouldliketothankStefanLindskogforhisvaluablefeedback.RasmusDahlbergandTobiasPullshavereceivedfundingfromtheHITSresearchprofilefundedbytheSwedishKnowledgeFoundation.

8. REFERENCES[1]N.J.AlFardanandK.G.Paterson.Luckythirteen:BreakingtheTLSandDTLSrecordprotocols.InIEEESymposiumonSecurityandPrivacy,pages526–540,May2013.

[2]C.Baraniuk.Ashleymadison:’suicides’overwebsitehack.BBCNews,August2015.http://www.bbc.com/news/technology-34044506.

[3]T.Be’eryandA.Shulman.AperfectCRIME?OnlyTIMEwilltell.BlackHatEurope,March2013.

[4]K.D.Bowers,C.Hart,A.Juels,andN.Triandopoulos.PillarBox:Combatingnext-generationmalwarewithfastforward-securelogging.InResearchinAttacks,IntrusionsandDefenses—17thInternationalSymposium,pages46–67,September2014.

[5]P.Deutsch.DEFLATEcompresseddataformatspecificationversion1.3.RFC1951,May1996.InternetRequestsforComments.

[6]T.DuongandJ.Rizzo.BEAST:SurprisingcryptoattackagainstHTTPS.ekopartySecurityConference,September2011.

[7]T.DuongandJ.Rizzo.TheCRIMEattack.ekopartySecurityConference,September2012.

[8]N.FergusonandB.Schneier.AcryptographicevaluationofIPsec,December2003.https://www.schneier.com/academic/paperfiles/paper-ipsec.pdf.

[9]R.Gerhards.Thesyslogprotocol.RFC5424,March2009.InternetRequestsforComments.

[10]R.GerhardsandC.Lonvick.TransmissionofsyslogmessagesoverTCP.RFC6587,April2012.InternetRequestsforComments.

[11]R.Holz,Y.Sheffer,andP.Saint-Andre.Summarizingknownattacksontransportlayersecurity(TLS)anddatagramTLS(DTLS).RFC7457,February2015.InternetRequestsforComments.

[12]D.A.Huffman.Amethodfortheconstructionof

5

minimum-redundancycodes.ProceedingsoftheIRE,40(9):1098–1101,September1952.

[13]J.Kelsey,J.Callas,andA.Clemm.Signedsyslogmessages.RFC5848,May2010.InternetRequestsforComments.

[14]K.Kent.Guidetocomputersecuritylogmanagement.TechnicalReportSP800-92,September2006.NationalInstituteofStandardsandTechnology.

[15]S.KentandK.Seo.SecurityarchitecturefortheInternetprotocol.RFC4301,December2005.InternetRequestsforComments.

[16]A.Langely.Enhancingdigitalcertificatesecurity.GoogleResearch,January2013.https://security.googleblog.com/2013/01/enhancing-digital-certificate-security.html.

[17]A.Langely.Arosteroftlsciphersuitesweaknesses.GoogleResearch,November2013.https://security.googleblog.com/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html.

[18]C.Lonvick.TheBSDsyslogprotocol.RFC3164,August2001.InternetRequestsforComments.

[19] G.A.MarsonandB.Poettering.Practicalsecurelogging:Seekablesequentialkeygenerators.InESORICS,pages111–128,September2013.

[20]F.Miao,Y.Ma,andJ.Salowey.Transportlayersecurity(TLS)transportmappingforsyslog.RFC5425,March2009.InternetRequestsforComments.

[21]E.Nakashima.FBIpaidprofessionalhackersone-timefeetocracksanbernardinoiPhone,April2016.https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5story.html.

[22]NetBSD.syslogdconfigurationfile—syslog.conf(5).manpages.

[23]D.NewandM.T.Rose.Reliabledeliveryforsyslog.RFC3195,November2001.InternetRequestsforComments.

[24]A.Okmianski.TransmissionofsyslogmessagesoverUDP.RFC5426,March2009.InternetRequestsforComments.

[25]OpenSSL.Vulnerabilities.https://www.openssl.org/news/vulnerabilities.html,RetrievedJuly2016.

[26]K.G.Paterson.AcryptographictouroftheIPsecstandards.InformationSecurityTechnicalReport,11(2):72–81,2006.

[27]L.Poettering.Forwardsecuresealingisfinallycompoingtosystemd’sjournal.Google+Blog,August2012.https://plus.google.com/+LennartPoetteringTheOneAndOnly/posts/g1E6AxVKtyc.

[28]A.Prado,N.Harris,andY.Gluck.SSL,gonein30seconds.BlackHatUSA,July2012.

[29]R.Prins.Diginotarcertificateauthoritybreach—“operationblacktulip”.Fox-IT,September2011.

[30] M.Rose.Theblocksextensibleexchangeprotocolcore.RFC3080,March2001.InternetRequestsforComments.

[31] M.Rose.MappingtheBEEPcoreontoTCP.RFC

3081,March2001.InternetRequestsforComments.

[32]Rsyslog.Therocket-fastsystemforlogprocessing.http://www.rsyslog.com/,RetrievedJuly2016.

[33]D.Salomon.DataCompression:TheCompleteReference.Springer-VerlagLondon,4edition,2007.

[34]J.Salowey,T.Petch,R.Gerhards,andF.H.Datagramtransportlayersecurity(DTLS)transportmappingforsyslog.RFC6012,October2010.InternetRequestsforComments.

[35]Syslog-ng.Opensourcelogmanagementsolutionwithoveramillionusersworldwide.https://syslog-ng.org/,RetrievedJuly2016.

[36]E.TroanandP.Brown.logrotate—rotates,compresses,andmailssystemlogs,November2002.

[37]Ubuntu-16.04.Specialjournalfields—systemd.journal-fields(7).manpages.

[38]J.ZivandA.Lempel.Auniversalalgorithmforsequentialdatacompression.IEEETransactionsonInformationTheory,23(3):337–343,1977.

6

Rasmus Dahlberg a

nd Tobias Pulls |

Standardised Syslog Processi

ng

Standardised Syslog Processing

Today’s computer logs are like smoking guns and treasure maps in case of suspicious

system activities: they document intrusions, and log crucial information such as

failed system updates and crashed services. An adversary thus has a clear motive

to observe, alter, and delete log entries, considering that she could (i) start by using

the log’s content to identify new security vulnerabilities, and (ii) exploit them

without ever being detected. With this in mind we consider syslog standards and

open source projects that safeguard events during the storage and transit phases,

and examine how data compression effects security. We conclude that there are

syslog standards in place that satisfy security on a hop-by-hop basis, that there

are no such standards for secure storage, and that message compression is not

recommended during transit.

WORKING PAPER | September 2016

Faculty of Health, Science and Technology

Department of Mathematics and Computer Science

Faculty of Health, Science and Technology

Rasmus Dahlberg and Tobias Pulls

Standardised Syslog ProcessingRevisiting Secure Reliable Data Transfer and

Message Compression