DOCSLIB.ORG

Residue-Free Computing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Proceedings on Privacy Enhancing Technologies ; 2021 (4):389–405 Logan Arkema* and Micah Sherr Residue-Free Computing Abstract: Computer applications often leave traces or rather to provide additional features and functionali- residues that enable forensic examiners to gain a de- ties. For example, modern operating systems maintain tailed understanding of the actions a user performed access times to quickly locate the most recently modi- on a computer. Such digital breadcrumbs are left by fied files; these access times help an examiner determine a large variety of applications, potentially (and indeed how the computer was used. Log-based filesystems are likely) unbeknownst to their users. This paper presents designed to facilitate fast data recovery, but also leave the concept of residue-free computing in which a user remnants of erased files and more generally allow exam- can operate any existing application installed on their iners to reconstruct the filesystem at various points in computer in a mode that prevents trace data from be- time. ing recorded to disk, thus frustrating the forensic pro- More generally, the traces left by operating systems cess and enabling more privacy-preserving computing. and applications leads to a status quo in which it is In essence, residue-free computing provides an “incog- exceedingly difficult to use a computer without leav- nito mode” for any application. We introduce our im- ing a readily available record of one’s actions. Coun- plementation of residue-free computing, ResidueFree, termeasures that enable greater privacy protections are and motivate ResidueFree by inventorying the poten- piecemeal, and are usually constrained to a particular tially sensitive and privacy-invasive residue left by popu- application—a notable example is the “incognito” or lar applications. We demonstrate that ResidueFree al- “privacy” mode of modern web browsers that are de- lows users to operate these applications without leaving signed to remove local traces of web activity left by the trace data, while incurring modest performance over- browser. More general solutions do exist [10, 12], but heads. they require modifications to the Linux kernel and fail to capture some types of application residue. (We ex- Keywords: privacy; forensics; anti-forensics plore the related literature in more detail in the next DOI 10.2478/popets-2021-0076 section.) Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16. This paper introduces residue-free computing, a privacy-preserving (or anti-forensics) mode of operation for modern operating systems without requiring kernel 1 Introduction modifications. In residue-free computing, the user uses their normal operating system and has access to their Many of the actions that users perform on their com- existing files. The user may optionally choose to start puters leave digital traces. In a computer forensics in- any installed program in residue-free mode, which en- vestigation, these traces form digital breadcrumbs that ables the program to run on top of a union filesystem. allow a forensic examiner to gain a fairly detailed un- The application has read access to all existing data on derstanding of what the user did with their computer— any installed filesystem, but file modifications (includ- which applications and files were accessed, the times ing deletions) are made to a volatile filesystem stored in and potentially the duration of their accesses, and more memory (i.e., RAM). Upon exiting the application, the generally, the actions performed by the user. filesystem modifications are permanently erased. Con- Computer forensics is aided by modern operating ceptually, residue-free computing provides an incognito systems that tend to leave an enormous volume of these mode for any installed application. breadcrumbs. Operating systems leave traces not nec- Residue-free computing assumes an atypical threat essarily to ease the job of a forensic examiner, but model. It assumes a cooperative user who wants to pre- serve their privacy, and an application and operating system that do not actively attempt to prevent the ap- plication from executing in residue-free mode. That is, *Corresponding Author: Logan Arkema: Georgetown residue-free computing is designed to work on appli- University, Email: [email protected] Micah Sherr: Georgetown University, Email: cations and operating systems as they currently exist. [email protected] We assume as our adversary a forensic examiner who is Residue-Free Computing 390 able to take filesystem snapshots of the filesystem before Motivating examples. To motivate the use of and after the execution of an application in residue-free residue-free computing, we consider two example sce- mode. We describe our adversary in more detail below, narios. but in brief, we do not protect against a network ad- Privacy from invasive cohabitants: A computer user versary who learns which applications are being used shares a residence with an individual (for example, an by examining network traces, nor do we protect against abusive partner) who attempts to monitor the user’s malware running on the user’s device that attempts to computer usage. This adversary may be technically so- record actions. Our goal is to prevent our snapshot ad- phisticated, but is not necessarily a trained forensic ex- versary from learning which applications were used and aminer. The user is also not especially technically so- which files were accessed. phisticated, but is aware that ResidueFree is installed To be most useful, residue-free computing should on their computer. not require any program modifications and should be The user uses Skype. Although the user may not compatible with all software already installed on the be aware that Skype stores comprehensive log files that computer, including its operating system. Increased contain chat transcript and Skype call metadata (in- privacy should not come at a significant performance cluding participants and call durations), the user for- penalty; running an application in residue-free mode tunately opted to use ResidueFree to operate Skype. should incur limited overheads. Finally, residue-free Since Skype was used in residue-free mode, the cohab- computing should be user-friendly, allowing a user to itating adversary can neither identify that Skype was easily opt to use residue-free computing mode (or not) used nor learn with whom the user communicated. for any application. Privacy from a knowledgeable forensic investigator: There already exist techniques that achieve some of An investigative journalist enters a border crossing the goals of residue-free computing. For example, the when their computer is seized and imaged. The bor- user can simply run an application in a virtual ma- der crossing agent examines the journalist’s computer chine and use checkpointing to roll back filesystem and to learn what they are investigating. Fortunately, the memory changes after the application exits. Or, the user journalist used ResidueFree to run the VLC media could use a live CD operating system such as The Am- player, so the log of the videos that they viewed (in- nesic Incognito Live System (Tails) [2] that is tailored cluding some interviews streamed from the web) are not to frustrate forensic investigations by preventing traces available to the agent, as they otherwise would have had from being recorded to non-volatile storage. However, ResidueFree not been activated. these solutions incur high usability costs as they require Contributions. In summary, this paper makes the the user to significantly modify their behavior (to the following contributions: point of using an entirely different operating system) in – The design of residue-free computing: a mode of op- order to gain some privacy protections. eration that provides an “incognito mode” for any We present the design and implementation of application; ResidueFree, an instantiation of residue-free comput- – ResidueFree, an open-source implementation of ing that allows users to operate their existing applica- residue-free computing. ResidueFree is available tions (on their existing operating systems) in residue- as free open-source software and is available at free mode. We perform an in-depth forensic investi- https://larkema.github.io/residuefree/; gation in which we examine every persistent file cre- – A study of the residue (i.e., forensic traces) left ated or modified during a run in residue-free mode, by popular applications, and an examination of and find that ResidueFree leaks only minimal infor- how ResidueFree prevents the collection of these mation: namely, that ResidueFree was used. The ap- traces. plication being used and the affected files (both read and modified) are invisible to the forensic examiner. We show through extensive benchmark-based evalu- ation that ResidueFree incurs moderate-to-limited 2 Related Work overhead. Finally, we provide a simple and intuitive in- terface for ResidueFree for the Gnome desktop: users The literature on privacy-enhancing methods of com- run an application in residue-free mode by right-clicking puting is rich and diverse. In this section, we describe the application icon and selecting “Run in Residue- how residue-free computing fits in the context of this Free.” existing literature. Residue-Free Computing 391 Most related to residue-free computing are from traditional files stored on the main filesystem to PrivExec [22] and TpriVexeC [10] which have the containerized filesystems, which themselves are stored shared goal of providing an incognito-like privacy
Recommended publications
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre­ and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook­ evercookies and respawning and the discovery of a new ev­ ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track­ The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing.
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • Rootless Containers with Podman and Fuse-Overlayfs

    Rootless Containers with Podman and Fuse-Overlayfs

    CernVM Workshop 2019 (4th June 2019) Rootless containers with Podman and fuse-overlayfs Giuseppe Scrivano @gscrivano Introduction 2 Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running the container payload as an unprivileged user • Container runtime runs also as an unprivileged user 3 Don’t confuse with... • sudo podman run --user foo – Executes the process in the container as non-root – Podman and the OCI runtime still running as root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 4 Don’t confuse with... • podman run --uidmap – Execute containers as a non-root user, using user namespaces – Most similar to rootless containers, but still requires podman and runc to run as root 5 Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers 6 Caveat: Not a panacea • Although rootless containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 7 Podman 8 Rootless Podman Podman is a daemon-less alternative to Docker • $ alias
  • CERIAS Tech Report 2017-5 Deceptive Memory Systems by Christopher N

    CERIAS Tech Report 2017-5 Deceptive Memory Systems by Christopher N

    CERIAS Tech Report 2017-5 Deceptive Memory Systems by Christopher N. Gutierrez Center for Education and Research Information Assurance and Security Purdue University, West Lafayette, IN 47907-2086 DECEPTIVE MEMORY SYSTEMS ADissertation Submitted to the Faculty of Purdue University by Christopher N. Gutierrez In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy December 2017 Purdue University West Lafayette, Indiana ii THE PURDUE UNIVERSITY GRADUATE SCHOOL STATEMENT OF DISSERTATION APPROVAL Dr. Eugene H. Spa↵ord, Co-Chair Department of Computer Science Dr. Saurabh Bagchi, Co-Chair Department of Computer Science Dr. Dongyan Xu Department of Computer Science Dr. Mathias Payer Department of Computer Science Approved by: Dr. Voicu Popescu by Dr. William J. Gorman Head of the Graduate Program iii This work is dedicated to my wife, Gina. Thank you for all of your love and support. The moon awaits us. iv ACKNOWLEDGMENTS Iwould liketothank ProfessorsEugeneSpa↵ord and SaurabhBagchi for their guidance, support, and advice throughout my time at Purdue. Both have been instru­ mental in my development as a computer scientist, and I am forever grateful. I would also like to thank the Center for Education and Research in Information Assurance and Security (CERIAS) for fostering a multidisciplinary security culture in which I had the privilege to be part of. Special thanks to Adam Hammer and Ronald Cas­ tongia for their technical support and Thomas Yurek for his programming assistance for the experimental evaluation. I am grateful for the valuable feedback provided by the members of my thesis committee, Professor Dongyen Xu, and Professor Math­ ias Payer.
  • PV204: Disk Encryption Lab

    PV204: Disk Encryption Lab

    PV204: Disk encryption lab May 12, 2016, Milan Broz <[email protected]> Introduction Encryption can provide confidentiality and authenticity of user data. It can be implemented on several different layes, including application, file system or storage device. Application encryption examples are PGP or ZIP compression with password. Encryption of files (inside filesystem or through independent layer like Linux eCryptfs) provides more generic solution. Yet some parts (like filesystem metadata) are still unencrypted. However this solution provides encrypted data with private key per user. (Every user can have own directory encrypted by own key.) Encryption of the low-level storage (disk) is called Full Disk Encryption (FDE). It is completely transparent to the user (no need to choose what to encrypt – the whole disk is encrypted). The encrypted disk behaves as the same as a disk without encryption. The major disadvantage is that everyone who knows the password can read the whole disk. Often we combine FDE with another encryption layer. The primary use of FDE is to provide data confidentiality in power-down mode (stolen laptop does not leak user data). Once the disk is unlocked, the main encryption key remains in system, usually directly in system RAM. Exercise II will show how easy is to get this key from memory image of system. Another disadvantage of FDE is that it usually cannot guarantee integrity of data. Encryption is fully transparent and length-preserving, the ciphertext and plaintext device are of the same size. There is no space to store any integrity information. This allows attacks by direct modification of ciphertext.
  • 2016 8Th International Conference on Cyber Conflict: Cyber Power

    2016 8Th International Conference on Cyber Conflict: Cyber Power

    2016 8th International Conference on Cyber Conflict: Cyber Power N.Pissanidis, H.Rõigas, M.Veenendaal (Eds.) 31 MAY - 03 JUNE 2016, TALLINN, ESTONIA 2016 8TH International ConFerence on CYBER ConFlict: CYBER POWER Copyright © 2016 by NATO CCD COE Publications. All rights reserved. IEEE Catalog Number: CFP1626N-PRT ISBN (print): 978-9949-9544-8-3 ISBN (pdf): 978-9949-9544-9-0 CopyriGHT AND Reprint Permissions No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, and for personal or educational use when for non-profit or non-commercial purposes, providing that copies bear this notice and a full citation on the first page as follows: [Article author(s)], [full article title] 2016 8th International Conference on Cyber Conflict: Cyber Power N.Pissanidis, H.Rõigas, M.Veenendaal (Eds.) 2016 © NATO CCD COE Publications PrinteD copies OF THIS PUBlication are availaBLE From: NATO CCD COE Publications Filtri tee 12, 10132 Tallinn, Estonia Phone: +372 717 6800 Fax: +372 717 6308 E-mail: [email protected] Web: www.ccdcoe.org Head of publishing: Jaanika Rannu Layout: Jaakko Matsalu LEGAL NOTICE: This publication contains opinions of the respective authors only. They do not necessarily reflect the policy or the opinion of NATO CCD COE, NATO, or any agency or any government.
  • HTTP-FUSE Xenoppix

    HTTP-FUSE Xenoppix

    HTTP-FUSE Xenoppix Kuniyasu Suzaki† Toshiki Yagi† Kengo Iijima† Kenji Kitagawa†† Shuichi Tashiro††† National Institute of Advanced Industrial Science and Technology† Alpha Systems Inc.†† Information-Technology Promotion Agency, Japan††† {k.suzaki,yagi-toshiki,k-iijima}@aist.go.jp [email protected], [email protected] Abstract a CD-ROM. Furthermore it requires remaking the entire CD-ROM when a bit of data is up- dated. The other solution is a Virtual Machine We developed “HTTP-FUSE Xenoppix” which which enables us to install many OSes and ap- boots Linux, Plan9, and NetBSD on Virtual plications easily. However, that requires in- Machine Monitor “Xen” with a small bootable stalling virtual machine software. (6.5MB) CD-ROM. The bootable CD-ROM in- cludes boot loader, kernel, and miniroot only We have developed “Xenoppix” [1], which and most part of files are obtained via Internet is a combination of CD/DVD bootable Linux with network loopback device HTTP-FUSE “KNOPPIX” [2] and Virtual Machine Monitor CLOOP. It is made from cloop (Compressed “Xen” [3, 4]. Xenoppix boots Linux (KNOP- Loopback block device) and FUSE (Filesys- PIX) as Host OS and NetBSD or Plan9 as Guest tem USErspace). HTTP-FUSE CLOOP can re- OS with a bootable DVD only. KNOPPIX construct a block device from many small block is advanced in automatic device detection and files of HTTP servers. In this paper we describe driver integration. It prepares the Xen environ- the detail of the implementation and its perfor- ment and Guest OSes don’t need to worry about mance. lack of device drivers.
  • Online Layered File System (OLFS): a Layered and Versioned Filesystem and Performance Analysis

    Online Layered File System (OLFS): a Layered and Versioned Filesystem and Performance Analysis

    Loyola University Chicago Loyola eCommons Computer Science: Faculty Publications and Other Works Faculty Publications 5-2010 Online Layered File System (OLFS): A Layered and Versioned Filesystem and Performance Analysis Joseph P. Kaylor Konstantin Läufer Loyola University Chicago, [email protected] George K. Thiruvathukal Loyola University Chicago, [email protected] Follow this and additional works at: https://ecommons.luc.edu/cs_facpubs Part of the Computer Sciences Commons Recommended Citation Joe Kaylor, Konstantin Läufer, and George K. Thiruvathukal, Online Layered File System (OLFS): A layered and versioned filesystem and performance analysi, In Proceedings of Electro/Information Technology 2010 (EIT 2010). This Conference Proceeding is brought to you for free and open access by the Faculty Publications at Loyola eCommons. It has been accepted for inclusion in Computer Science: Faculty Publications and Other Works by an authorized administrator of Loyola eCommons. For more information, please contact [email protected]. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Copyright © 2010 Joseph P. Kaylor, Konstantin Läufer, and George K. Thiruvathukal 1 Online Layered File System (OLFS): A Layered and Versioned Filesystem and Performance Analysis Joe Kaylor, Konstantin Läufer, and George K. Thiruvathukal Loyola University Chicago Department of Computer Science Chicago, IL 60640 USA Abstract—We present a novel form of intra-volume directory implement user mode file system frameworks such as FUSE layering with hierarchical, inheritance-like namespace unifica- [16]. tion. While each layer of an OLFS volume constitutes a subvol- Namespace Unification: Unix supports the ability to ume that can be mounted separately in a fan-in configuration, the entire hierarchy is always accessible (online) and fully navigable mount external file systems from external resources or local through any mounted layer.
  • How to Create a Custom Live CD for Secure Remote Incident Handling in the Enterprise

    How to Create a Custom Live CD for Secure Remote Incident Handling in the Enterprise

    How to Create a Custom Live CD for Secure Remote Incident Handling in the Enterprise Abstract This paper will document a process to create a custom Live CD for secure remote incident handling on Windows and Linux systems. The process will include how to configure SSH for remote access to the Live CD even when running behind a NAT device. The combination of customization and secure remote access will make this process valuable to incident handlers working in enterprise environments with limited remote IT support. Bert Hayes, [email protected] How to Create a Custom Live CD for Remote Incident Handling 2 Table of Contents Abstract ...........................................................................................................................................1 1. Introduction ............................................................................................................................5 2. Making Your Own Customized Debian GNU/Linux Based System........................................7 2.1. The Development Environment ......................................................................................7 2.2. Making Your Dream Incident Handling System...............................................................9 2.3. Hardening the Base Install.............................................................................................11 2.3.1. Managing Root Access with Sudo..........................................................................11 2.4. Randomizing the Handler Password at Boot Time ........................................................12
  • In Search of the Ideal Storage Configuration for Docker Containers

    In Search of the Ideal Storage Configuration for Docker Containers

    In Search of the Ideal Storage Configuration for Docker Containers Vasily Tarasov1, Lukas Rupprecht1, Dimitris Skourtis1, Amit Warke1, Dean Hildebrand1 Mohamed Mohamed1, Nagapramod Mandagere1, Wenji Li2, Raju Rangaswami3, Ming Zhao2 1IBM Research—Almaden 2Arizona State University 3Florida International University Abstract—Containers are a widely successful technology today every running container. This would cause a great burden on popularized by Docker. Containers improve system utilization by the I/O subsystem and make container start time unacceptably increasing workload density. Docker containers enable seamless high for many workloads. As a result, copy-on-write (CoW) deployment of workloads across development, test, and produc- tion environments. Docker’s unique approach to data manage- storage and storage snapshots are popularly used and images ment, which involves frequent snapshot creation and removal, are structured in layers. A layer consists of a set of files and presents a new set of exciting challenges for storage systems. At layers with the same content can be shared across images, the same time, storage management for Docker containers has reducing the amount of storage required to run containers. remained largely unexplored with a dizzying array of solution With Docker, one can choose Aufs [6], Overlay2 [7], choices and configuration options. In this paper we unravel the multi-faceted nature of Docker storage and demonstrate its Btrfs [8], or device-mapper (dm) [9] as storage drivers which impact on system and workload performance. As we uncover provide the required snapshotting and CoW capabilities for new properties of the popular Docker storage drivers, this is a images. None of these solutions, however, were designed with sobering reminder that widespread use of new technologies can Docker in mind and their effectiveness for Docker has not been often precede their careful evaluation.
  • Auditing Overhead, Auditing Adaptation, and Benchmark Evaluation in Linux Lei Zeng1, Yang Xiao1* and Hui Chen2

    Auditing Overhead, Auditing Adaptation, and Benchmark Evaluation in Linux Lei Zeng1, Yang Xiao1* and Hui Chen2

    SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2015; 8:3523–3534 Published online 4 June 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1277 RESEARCH ARTICLE Auditing overhead, auditing adaptation, and benchmark evaluation in Linux Lei Zeng1, Yang Xiao1* and Hui Chen2 1 Department of Computer Science, The University of Alabama, Tuscaloosa 35487-0290, AL, U.S.A. 2 Department of Mathematics and Computer Science, Virginia State University, Petersburg 23806, VA, U.S.A. ABSTRACT Logging is a critical component of Linux auditing. However, our experiments indicate that the logging overhead can be significant. The paper aims to leverage the performance overhead introduced by Linux audit framework under various us- age patterns. The study on the problem leads to an adaptive audit-logging mechanism. Many security incidents or other im- portant events are often accompanied with precursory events. We identify important precursory events – the vital signs of system activity and the audit events that must be recorded. We then design an adaptive auditing mechanism that increases or reduces the type of events collected and the frequency of events collected based upon the online analysis of the vital-sign events. The adaptive auditing mechanism reduces the overall system overhead and achieves a similar level of protection on the system and network security. We further adopt LMbench to evaluate the performance of key operations in Linux with compliance to four security standards. Copyright © 2015 John Wiley & Sons, Ltd. KEYWORDS logging; overhead; Linux; auditing *Correspondence Yang Xiao, Department of Computer Science, The University of Alabama, 101 Houser Hall, PO Box 870290, Tuscaloosa 35487-0290, AL, U.S.A.
  • Mcafee Foundstone Fsl Update

    Mcafee Foundstone Fsl Update

    2016-AUG-18 FSL version 7.5.841 MCAFEE FOUNDSTONE FSL UPDATE To better protect your environment McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary of the new and updated checks included with this release. NEW CHECKS 20369 - Splunk Enterprise Multiple Vulnerabilities (SP-CAAAPQM) Category: General Vulnerability Assessment -> NonIntrusive -> Web Server Risk Level: High CVE: CVE-2013-0211, CVE-2015-2304, CVE-2016-1541, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE- 2016-2109, CVE-2016-2176 Description Multiple vulnerabilities are present in some versions of Splunk Enterprise. Observation Splunk Enterprise is an operational intelligence solution Multiple vulnerabilities are present in some versions of Splunk Enterprise. The flaws lie in multiple components. Successful exploitation by a remote attacker could lead to the information disclosure of sensitive information, cause denial of service or execute arbitrary code. 20428 - (HT206899) Apple iCloud Multiple Vulnerabilities Prior To 5.2.1 Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS) Risk Level: High CVE: CVE-2016-1684, CVE-2016-1836, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483, CVE-2016-4607, CVE- 2016-4608, CVE-2016-4609, CVE-2016-4610, CVE-2016-4612, CVE-2016-4614, CVE-2016-4615, CVE-2016-4616, CVE-2016-4619 Description Multiple vulnerabilities are present in some versions of Apple iCloud. Observation Apple iCloud is a manager for the Apple's could based storage service. Multiple vulnerabilities are present in some versions of Apple iCloud. The flaws lie in several components. Successful exploitation could allow an attacker to retrieve sensitive data, cause a denial of service condition or have other unspecified impact on the target system.