Please read through this entire document before installing, so you know what is coming. Section I summarizes the Information Accountability Infrastructure and its (many) components. Section II goes through the steps to install each of these components. Section III gives a sequence of steps for a demonstration of an intruder tampering with an application database and the subsequent detection and forensic analysis of that tampering.

I. Information Accountability Infrastructure
=========================================

The infrastructure consists of multiple components:

(i)    The tauBerkeleyDB (tBDB) DBMS (the version with audit capabilities), with the following modules:
         -- STAMP            }
         -- TEMPORAL SUPPORT } (provide transaction-time support)
         -- CLOCK            }
         -- AUDIT (mediates the interaction between the DBMS and Beecrypt)
       This is the DBMS of the monitored database.

(ii)   The Beecrypt cryptography library, which hashes the transactions with a cryptographic hash function (SHA-1). Note: SHA-1 has since been shown to be vulnerable to practical collision attacks, so a deployment built today should not rely on it for the hash chain.

(iii)  The MySQL DBMS, the DBMS of the Secure Master Database. The ODBC driver for MySQL must also be installed; the driver file is called libmyodbc.so.

(iv)   The ODBC standard software API (unixODBC), used in conjunction with the MySQL DBMS.

(v)    The External Digital Notarization Service (EDNS), which digitally signs documents. As discussed in the demonstration, we provide a rudimentary EDNS; alternatively the proprietary Surety EDNS may be used.

(vi)   gnuplot, which visualizes the database corruption information. The "gnuplot" command must be located at /usr/local/bin/gnuplot.

(vii)  The Java 1.6 JDK, which is required by the GUIs.

(viii) The end-user application, which modifies the monitored database.

(ix)   The Utilities, which include
         -- the two daemons (validator and notarizer), and
         -- the three GUIs (CSO, CSI, DBA).

(x)    System initialization: the server database and the ODBC data source.
Each of these components must be downloaded, compiled, and installed in the order given above. Components (i), (iii), (iv), (vi), and (vii) and their interaction are shown at a high level in the diagram in the file audit_system_components.pdf. The components within the dotted rectangle belong to the Trusted Computing Base (TCB) and are assumed to be secure.

The Monitored Database, through the transaction-time and audit support provided by the tBDB modules, hashes and links all transactions using a cryptographically strong hash function. The Notarizer periodically sends the current hash value, as a digital document, to the External Digital Notarization Service and obtains a Notary ID in return. The Notary ID and the hash value computed at notarization time are stored in a separate, smaller database, assumed to reside at a different physical location from the database under audit. It is termed the Secure Master Database and is implemented using MySQL.

When the validity of the Monitored Database must later be checked, the Validator rescans the Monitored Database, rehashes the scanned data, and sends the new hash value together with the previously obtained Notary ID to the EDNS. The EDNS uses the Notary ID to retrieve the hash value it stored during notarization and checks whether the old and new hash values agree. If they do not, the Monitored Database has been compromised. Note that this guarantee rests on the EDNS and the Secure Master Database being outside the intruder's reach: an intruder who can rewrite the notarized hashes as well as the monitored database defeats the check, which is why both are part of the TCB.

Finally, the Chief Security Officer (CSO), the Database Administrator (DBA), and the Crime Scene Investigator (CSI) interact with the Secure Master Database through a set of GUIs. The GUIs let these three individuals shape the security policy, check the validity of the database under audit, and perform forensic analysis when database corruption is detected.

II. Information Accountability Infrastructure Installation Guide
================================================================

Requirements: a Linux OS (preferably with the bash shell) is required. We use Ubuntu 9.04. Make sure that all components are compiled and installed consistently on machines of the same architecture (all 64-bit or all 32-bit). The following directions assume that the installation directories of tBDB, Beecrypt, and ODBC are /home/johndoe/tbdb, /home/johndoe/beecrypt, and /home/johndoe/odbc, respectively, and that the source code directory of the Audit project is /home/johndoe/auditsource (create it if it does not already exist).

(i)    To install the tBDB project and the Beecrypt library, please visit
       http://www.cs.arizona.edu/projects/tau/tbdb/INSTALL

(ii)   The Beecrypt library was installed in the previous step.

(iii)  To install the MySQL DBMS, please visit http://www.mysql.com/downloads/mysql/

(iv)   To install the ODBC driver manager, please visit http://www.unixodbc.org

(v)    External Digital Notarization Service: the rudimentary EDNS (notServ, under $SOURCE_DIR/audit/daemons) is part of the Utilities installed in step (ix).

(vi)   To install gnuplot, please visit http://www.gnuplot.info/
       After installation, make sure that /usr/local/bin/gnuplot exists.

(vii)  To install the Java 1.6 JDK, please visit http://java.sun.com/javase/downloads/widget/jdk6.jsp

(viii) An end-user demo application is included with the Utilities, installed in the next step.

(ix)   The Audit system release includes the Utilities, i.e., the daemons and the GUIs. The source code is provided as a gzipped tar file, which can be downloaded from
       http://www.cs.arizona.edu/projects/tau/tbdb/audit_system.tar.gz
       (The commands below refer to the archive as audit_release.tar.gz; use whichever name the downloaded file actually has.) Please modify the commands below as needed.

  0. Prepare the environment variables

     [~]$ export TBDB_DIR=/home/johndoe/tbdb
     [~]$ export BEECRYPT_DIR=/home/johndoe/beecrypt
     [~]$ export ODBC_DIR=/home/johndoe/odbc
     [~]$ export SOURCE_DIR=/home/johndoe/auditsource
     [~]$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$BEECRYPT_DIR/lib:$TBDB_DIR/lib:$ODBC_DIR/lib

     It is highly recommended that the above commands be added to the .bashrc file of the installing user, e.g., /home/johndoe/.bashrc.

  1. Untar the Audit source code package (assume the package is located in $SOURCE_DIR):

     [~]$ tar -C $SOURCE_DIR -xzf $SOURCE_DIR/audit_release.tar.gz

     This creates the directory $SOURCE_DIR/audit

  2. Build the daemons

     [~]$ cd $SOURCE_DIR/audit/daemons
     [~]$ make clean
     [~]$ make

     This step creates five executables: validator, notarizer, application, db_create_time, and intruder.

  3. Build the GUIs

     [~]$ cd $SOURCE_DIR/audit/GUIs/src/gui
     [~]$ make clean
     [~]$ make

     This step creates three Java executables (.jar files): CSO.jar, DBA.jar, and CSI.jar

(x)    Initialize the system.

  1. MySQL initialization

     For the Secure Master Database, named tau, a set of tables recording the auditing information must be created in MySQL. To initialize the Secure Master Database, follow these steps.

     [~]$ mysql -h mysql -u root -p

     Note: "-h mysql" gives the host name of the MySQL database server, which must be the same as the "SERVER" value in the .odbc.ini file (see step 2 below).

     Once logged in, create a database named "tau":

     mysql> CREATE DATABASE IF NOT EXISTS tau;

     A dedicated user, also named "tau", is required. Create the user and grant it privileges on the tau database only:

     mysql> CREATE USER 'tau'@'%' IDENTIFIED BY 'Ros4Prez';
     mysql> GRANT ALL PRIVILEGES ON tau.* TO 'tau'@'%';
     mysql> FLUSH PRIVILEGES;
     mysql> EXIT;

     Note: 'Ros4Prez' is the demonstration password used throughout this document; choose your own for a real deployment. The host part '%' lets the tau user connect from any host. Since the Secure Master Database is part of the TCB, a real deployment should restrict it to the host names of the machines that run the notarizer, the validator, and the GUIs.

     In the audit_release.tar.gz file we provide a tau_db.sql file, produced by the mysqldump utility.
     This file contains the table creation script and some necessary initial records. To create the schema and initialize the tables in the tau database, execute the following command from the shell, in the directory containing tau_db.sql (it prompts for the tau user's password):

     [~]$ mysql -h mysql -u tau -p tau < tau_db.sql

     To verify the result, log in to MySQL as the tau user:

     [~]$ mysql -h mysql -u tau -p
     Enter password: Ros4Prez
     mysql> USE tau;

     To list all the tables in tau:

     mysql> SHOW TABLES;

     If the following list appears, the Secure Master Database is properly created and initialized.

     +----------------------+
     | Tables_in_tau        |
     +----------------------+
     | Chain                |
     | Configuration        |
     | Employee             |
     | Event                |
     | IsMaintainedBy       |
     | NotarizationCheck    |
     | SynchronizedRegion   |
     | UnsynchronizedRegion |
     | cost                 |
     | state_lookup         |
     +----------------------+
     10 rows in set (0.00 sec)

  2. Configure the ODBC data source

     On the machine on which the notarizer runs, the data source is specified in the .odbc.ini file in the home directory of the user running the daemons:

     [~]$ vi ~/.odbc.ini

     The following is an example of what to put in .odbc.ini:

     [mysql]
     Description = MySQL test database
     Driver      = mysql
     SERVER      = mysql
     USER        = tau
     PASSWORD    = Ros4Prez
     DATABASE    = tau
     PORT        = 3306

     Note: For the internal demo, USER, PASSWORD, and DATABASE must be tau, Ros4Prez, and tau, respectively. These values can otherwise be set according to the actual running environment. 3306 is the default port used by MySQL. Because the file holds the database password in cleartext, restrict it to its owner:

     [~]$ chmod 600 ~/.odbc.ini

     On the machine where ODBC is installed (e.g., under $ODBC_DIR), the driver itself is specified in odbcinst.ini:

     [~]$ vi $ODBC_DIR/etc/odbcinst.ini

     An example:

     [mysql]
     Description = MySQL ODBC driver
     Driver      = /usr/lib/libmyodbc.so

     The "Driver" field names the MySQL ODBC driver, which comes with the installation of the MySQL database. Make sure that the libmyodbc.so driver exists; it is critical to this system. The section name ([mysql]) must match the "Driver" value in .odbc.ini.

     Note: The contents of the .odbc.ini and odbcinst.ini files are case sensitive.

At this point, all of the components of the Information Accountability Infrastructure have been installed.
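The following preflight check is an added example written for this guide; it is not part of the audit release. It parses the two ini files described above (keeping key case, since the files are case sensitive), verifies that the DSN's Driver name resolves through odbcinst.ini to an existing driver library, and flags a .odbc.ini that is readable by anyone but its owner, because the file contains PASSWORD in cleartext. The file contents it writes are constructed to match the examples above, and the driver path is a temporary stand-in for /usr/lib/libmyodbc.so.

```python
"""Preflight check for the ODBC configuration: parse .odbc.ini / odbcinst.ini, resolve the
driver, and insist that the DSN file (cleartext PASSWORD) is owner-readable only.
Added example, not part of the audit release; the file contents below are constructed."""
import configparser
import os
import stat
import tempfile

# Constructed to match the example .odbc.ini in the text above.
CONSTRUCTED_ODBC_INI = """[mysql]
Description = MySQL test database
Driver      = mysql
SERVER      = mysql
USER        = tau
PASSWORD    = Ros4Prez
DATABASE    = tau
PORT        = 3306
"""
REQUIRED_DSN_KEYS = ("Driver", "SERVER", "USER", "PASSWORD", "DATABASE")


def read_ini(path):
    """Parse an ini file keeping key case (the text warns these files are case sensitive)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read(path)
    return cp


def load_dsn(odbc_ini_path, dsn="mysql"):
    """Return the [dsn] section of .odbc.ini as a plain dict."""
    cp = read_ini(odbc_ini_path)
    if not cp.has_section(dsn):
        raise KeyError(f"no [{dsn}] section in {odbc_ini_path}")
    return dict(cp[dsn])


def check_odbc(odbc_ini_path, odbcinst_ini_path, dsn="mysql"):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    ds = load_dsn(odbc_ini_path, dsn)
    for key in REQUIRED_DSN_KEYS:
        if key not in ds:
            problems.append(f"[{dsn}] in .odbc.ini is missing {key}")
    driver = ds.get("Driver")
    inst = read_ini(odbcinst_ini_path)
    if driver and not inst.has_section(driver):
        problems.append(f"odbcinst.ini has no [{driver}] section matching Driver = {driver}")
    elif driver:
        so = inst[driver].get("Driver", "")
        if not os.path.isfile(so):
            problems.append(f"driver library not found: {so!r} (libmyodbc.so is required)")
    # The DSN file carries PASSWORD in cleartext: group/other must have no access bits.
    mode = stat.S_IMODE(os.stat(odbc_ini_path).st_mode)
    if mode & 0o077:
        problems.append(f"{odbc_ini_path} is mode {mode:04o} but holds PASSWORD; chmod 600 it")
    return problems


def demo():
    """Write the constructed files into a temporary directory and run the check with the
    DSN file world-readable (0644) and again after chmod 600. Returns (dsn, before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        so = os.path.join(tmp, "libmyodbc.so")  # stand-in for /usr/lib/libmyodbc.so
        open(so, "wb").close()
        inst = os.path.join(tmp, "odbcinst.ini")
        with open(inst, "w") as f:
            f.write(f"[mysql]\nDescription = MySQL ODBC driver\nDriver = {so}\n")
        ini = os.path.join(tmp, ".odbc.ini")
        with open(ini, "w") as f:
            f.write(CONSTRUCTED_ODBC_INI)
        os.chmod(ini, 0o644)
        before = check_odbc(ini, inst)
        os.chmod(ini, 0o600)
        after = check_odbc(ini, inst)
        return load_dsn(ini), before, after


if __name__ == "__main__":
    dsn, before, after = demo()
    print(dsn["SERVER"], before, after)
```

To check a real installation, call check_odbc(os.path.expanduser("~/.odbc.ini"), os.path.join(os.environ["ODBC_DIR"], "etc/odbcinst.ini")) and fix every problem it lists before scheduling the daemons.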
We now turn to a demonstration of this Infrastructure that exercises all of these components.

III. Run the Demonstration
***********************************

This demonstration shows how all the components work together to detect and analyze a database corruption. The demonstration may use up to five distinct computers. It is also possible to run the demo on one machine; in that case, the tasks carried out on different machines are simulated by different terminal windows (sessions).

In the five-machine case, assume the machines are named
  A.acme.com
  B.acme.com
  C.acme.com
  D.acme.com
  E.acme.com
These are the machines' network names, i.e., it is possible to do
  [~]$ ssh A.acme.com

Assume A.acme.com is a machine in the Trusted Computing Base (TCB). MySQL must be installed on A.acme.com, which hosts the Secure Master Database.
Assume B.acme.com is the machine on which the monitored database is created and transactions run. The intruder program is also run on B.acme.com.
Assume C.acme.com is the machine where the CSO configures the security settings and where the CSI investigates the database corruption. C.acme.com requires gnuplot.
Assume D.acme.com is where the digital notarization service runs.
Assume E.acme.com is the machine used by the DBA.

In summary: the Java 1.6 JDK is required on C and E, gnuplot on C, and MySQL on A.

If the demo is run on one machine, then A = B = C = D = E.

We assume that all machines have access to the $SOURCE_DIR directory via NFS. If that is not the case, the required program(s) must be installed individually on the appropriate machine(s).

Assume the DBA's email is johndoe@acme.com, the CSO's email is jimbob@acme.com, and the CSI's email is horatio@acme.com.

1) Optionally start the external digital notarization service (EDNS).

   The system uses an EDNS. Surety.com provides such a service, and the system can be configured to use it.
   To do so, Surety must first provide an account (say, Saccount) and a password (say, Spassword) for use by the notarizer and validator (they are passed to the DBA GUI with -A and -P in step 4). Alternatively, use the local EDNS we provide, which runs on machine D.acme.com. To start the local EDNS on that machine:

   [~]$ cd $SOURCE_DIR/audit/daemons
   [~]$ ./notServ 1 &

   To emphasize: use either Surety.com or notServ, not both.

2) On machine B.acme.com, run the end-user application that modifies the monitored database.

   [~]$ cd /home/johndoe
   [~]$ $SOURCE_DIR/audit/daemons/application auditdb acmedb

   This creates a tBDB database named "acmedb" located under /home/johndoe/auditdb. Transactions are then applied continuously to the created database.

3) On machine E.acme.com, run CSO.jar to add the newly created database and assign a DBA and a CSI.

   [~]$ java -jar $SOURCE_DIR/audit/GUIs/src/gui/CSO.jar B.acme.com $SOURCE_DIR/audit/daemons/dbcreate_time_getter

   (The first argument, B.acme.com, is the machine on which the database to be monitored exists. The second argument is a program that retrieves the creation-date information of the "acmedb" database.)

   The CSO GUI prompts you to log in. To log in as CSO, use:
     username: jimbob@acme.com
     password: tbdb

   Add more employees by clicking "add employee" on the menu bar. The DBA and the CSI are added as the following two entries:
     email: johndoe@acme.com   password: tbdbDBA
     email: horatio@acme.com   password: tbdbCSI

   Add the newly created database to the list of monitored databases by clicking "add database". For example:
     dbname:   acmedb
     dbsource: /home/johndoe/auditdb

   Note: "dbsource" must be the absolute path of the directory under which the database (acmedb) is located.

   On the "Databases" tab, click the newly added database and assign the CSI (horatio@acme.com) and the DBA (johndoe@acme.com) for that database. Close the window by clicking the X button in the top-right corner of the window.
4) On machine E.acme.com, run the DBA GUI to assign the forensic analysis algorithm and the time intervals for notarization and validation.

   [~]$ java -jar $SOURCE_DIR/audit/GUIs/src/gui/DBA.jar -NS A.acme.com -DIR $SOURCE_DIR/audit/daemons -DNS D.acme.com

   The options of the DBA GUI are:
     -NS:  the name of the machine where the Secure Master Database is installed
     -DIR: the absolute path of the directory containing both the validator and the notarizer
   These two options are always required. Depending on whether Surety or the local EDNS is used, provide either
     -A:   the account name for accessing the Surety service
     -P:   the password used along with -A for accessing the Surety service
   or
     -DNS: the name of the machine where the local EDNS runs

   Note: a password given with -P is part of the command line and is visible to other users of the machine (e.g., via ps); on a shared machine, prefer the local EDNS for the demo.

   The DBA GUI prompts you to log in. To log in as DBA, use:
     username: johndoe@acme.com
     password: tbdbDBA

   Click the "All databases" drop-down box and choose the newly created database. Set the "Detection Resolution Unit" to 1 min. Set the scheduled running time for the notarizer to the current time at the bottom. Click "Save These Settings" and close the window (by clicking the X button in the top-right corner).

5) On machine B.acme.com, wait five to ten minutes (so that the notarizer scheduled in step 4 has run) and then stop the database by pressing the "Enter" key in the application's terminal.

6) On machine B.acme.com, run the intruder program to change one byte of the database.

   [~]$ cd /home/johndoe
   [~]$ sync
   [~]$ ls -l auditdb/acmedb
   [~]$ od -c auditdb/acmedb
   [~]$ $SOURCE_DIR/audit/daemons/intruder auditdb/acmedb 77050
   [~]$ sync

   Note: 77050 is an arbitrary byte offset into the file auditdb/acmedb, so it must be smaller than the size of the file. ls -l shows the size directly (od -c dumps the whole file, and the address on its last line is the size in octal); choose the offset accordingly. To see the change made by the intruder, run od -c again and compare with the earlier dump:

   [~]$ od -c auditdb/acmedb

   Note: If you change a byte in the free space of a page, this is not actually a database corruption, and it will not be reported as one later.
7) Wait for the warning message to be sent to the DBA's email (johndoe@acme.com). The subject of the email containing the corruption information is "Warning!"

8) On machine C.acme.com, run the CSI GUI to examine the corruption.

   [~]$ java -jar $SOURCE_DIR/audit/GUIs/src/gui/CSI.jar

   The CSI GUI prompts you to log in. To log in as CSI, use the credentials entered by the CSO in step 3:
     username: horatio@acme.com
     password: tbdbCSI

   Choose the database you created and click "View Database Corruption Graphically". The X and Y axes are labeled with transaction time and clock (real) time, respectively. The red rectangle gives bounds on the "where" and "when" of the corruption event: on the X axis, "where" (in transaction time) the corrupted data was written, and on the Y axis, "when" (in real time) the corruption happened.

9) On machine B.acme.com, run "atq" to find the job IDs of the scheduled notarizer and validator tasks, and "atrm" to remove them. For example:

   [~]$ atq
   1234	Tue Feb 23 22:06:00 2010 a johndoe
   1235	Tue Feb 23 22:07:00 2010 a johndoe

   The output shows two scheduled jobs with IDs 1234 and 1235. To remove them, execute:

   [~]$ atrm 1234
   [~]$ atrm 1235

10) On machine A.acme.com, delete the records for the demo database from the Secure Master Database. Log in to MySQL:

   [~]$ mysql -h mysql -u tau -p
   (the password is Ros4Prez)

   Inside the MySQL client, select the control database and remove the acmedb entries:

   mysql> USE tau;
   mysql> SHOW TABLES;
   mysql> SELECT * FROM Event WHERE name = 'acmedb';
   mysql> DELETE FROM Configuration WHERE name = 'acmedb';
   mysql> DELETE FROM Event WHERE name = 'acmedb';
   mysql> DELETE FROM IsMaintainedBy WHERE name = 'acmedb';

11) On machine B.acme.com, delete the auditdb/acmedb files.

   [~]$ cd /home/johndoe
   [~]$ rm -rf auditdb

You're done!
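The following stand-alone model is an added example, not code from the audit release. It walks through the mechanism described in Section I as it is exercised by steps 2, 4, 6, 7 and 8 above: transactions are hash-linked, the notarizer obtains a Notary ID for each interval's chain head from a stand-in EDNS and records it in a stand-in Secure Master Database, an intruder flips one bit in one transaction, and the validator rescans, rehashes and reports the "where" (transaction-time) and "when" (clock-time) bounds that the CSI's red rectangle shows. The transaction log, clock times, interval size, and the EDNS and master-database classes are all constructed; SHA-256 is used in place of the release's SHA-1.

```python
"""Model of the audit pipeline: hash-link, notarize, tamper, validate, bound the corruption.
Added example (not the project's code); every input below is constructed."""
import hashlib
from dataclasses import dataclass

HASH = "sha256"  # tBDB/Beecrypt link with SHA-1; SHA-256 is the conservative choice today


@dataclass(frozen=True)
class Transaction:
    tx_time: int    # transaction time (commit order): the X axis of the CSI graph
    payload: bytes  # what the transaction wrote into the monitored database


def link_hash(prev, tx):
    """Link one transaction onto the chain: H(prev || tx_time || payload)."""
    h = hashlib.new(HASH)
    h.update(prev)
    h.update(tx.tx_time.to_bytes(8, "big"))
    h.update(tx.payload)
    return h.digest()


def chain_intervals(log, interval):
    """Yield (first_tx_time, last_tx_time, chain_head) for each notarization interval.
    The chain is continuous: an interval starts from the previous interval's head."""
    head = bytes(hashlib.new(HASH).digest_size)  # all-zero genesis head (constructed)
    for start in range(0, len(log), interval):
        chunk = log[start:start + interval]
        for tx in chunk:
            head = link_hash(head, tx)
        yield chunk[0].tx_time, chunk[-1].tx_time, head


class EDNS:
    """Stand-in for the external digital notarization service (notServ or Surety)."""
    def __init__(self):
        self._store = {}  # notary_id -> digest received at notarization time

    def notarize(self, digest):
        notary_id = len(self._store) + 1
        self._store[notary_id] = digest
        return notary_id

    def validate(self, notary_id, digest):
        return self._store.get(notary_id) == digest


class SecureMasterDB:
    """Stand-in for the MySQL 'tau' database: one row per notarization."""
    def __init__(self):
        self.rows = []  # (first_tx_time, last_tx_time, notary_id, digest)


def notarize(log, interval, edns, master):
    """Notarizer: chain each interval, notarize its head, record the Notary ID."""
    for first, last, head in chain_intervals(log, interval):
        master.rows.append((first, last, edns.notarize(head), head))


def validate(log, interval, edns, master):
    """Validator: rescan and rehash, then let the EDNS compare each head with the one it
    stored under that Notary ID. Returns the tx_time range of the first failing interval
    (the 'where' bound), or None if the monitored database is intact."""
    recomputed = list(chain_intervals(log, interval))
    for (first, last, notary_id, _), (_, _, head) in zip(master.rows, recomputed):
        if not edns.validate(notary_id, head):
            return (first, last)
    if len(recomputed) < len(master.rows):  # whole notarized intervals are missing
        return (master.rows[len(recomputed)][0], master.rows[-1][1])
    return None


def corruption_bounds(history):
    """The CSI's red rectangle from a list of (clock_time, validate() result) runs:
    'where' is the range from the first failing run, 'when' is (clock time of the last
    passing run, clock time of the first failing run). None while every run has passed."""
    last_ok = None
    for clock_time, where in history:
        if where is None:
            last_ok = clock_time
        else:
            return where, (last_ok, clock_time)
    return None


def tamper(log, index, mask=0x01):
    """Intruder: flip one bit in the last payload byte of log[index] (cf. 'intruder ... 77050')."""
    buf = bytearray(log[index].payload)
    buf[-1] ^= mask
    tampered = list(log)
    tampered[index] = Transaction(log[index].tx_time, bytes(buf))
    return tampered


def demo():
    """Constructed run: 12 transactions notarized in intervals of 4 (tx 1-4, 5-8, 9-12),
    a clean validation at clock 10, one bit flipped in tx 7, a validation at clock 20."""
    log = [Transaction(t, f"tx{t}:balance={100 + t}".encode()) for t in range(1, 13)]
    edns, master, history = EDNS(), SecureMasterDB(), []
    notarize(log, 4, edns, master)
    history.append((10, validate(log, 4, edns, master)))
    history.append((20, validate(tamper(log, 6), 4, edns, master)))
    return corruption_bounds(history)


if __name__ == "__main__":
    print(demo())  # ((5, 8), (10, 20)): tx_time 5..8 was corrupted between clock 10 and 20
```

Because the chain is continuous, every interval after the tampered one also fails; the validator stops at the first failure, which is what localizes the corruption in transaction time. The height of the rectangle is set by how often the validator runs, and its width by how often the notarizer runs, so the intervals chosen in step 4 decide how precise the forensic answer can be.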