Secure and fast log transfer mechanism for virtual machine

Research output: Contribution to journal, Article

1 Citation (Scopus)

Abstract

Ensuring the integrity of logs is essential to reliably detect and counteract attacks because adversaries tamper with logs to hide their activities on a computer. Even though some studies proposed various protections of log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware) because file access and inter-process communication are provided by an OS kernel. Virtual machine introspection (VMI) can collect logs from virtual machines (VMs) without interposition of a kernel. It is difficult for malware to hinder that log collection, because a VM and VM monitor (VMM) are strongly separated. However, complexity and unnecessary performance overhead arise because VMI is not specialized for log collection. This paper proposes a secure and fast log transfer method using library replacement for VMs. In the proposed method, a process on a VM requests a log transfer to a VMM using the modified library, which contains a trigger for a log transfer. The VMM collects logs from the VM and isolates them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself with low performance overhead.

Original language: English
Pages (from-to): 597-608
Number of pages: 12
Journal: Journal of Information Processing
Volume: 22
Issue number: 4
DOI: 10.2197/ipsjjip.22.597
Publication status: Published - Oct 1 2014

Fingerprint

  • Virtual machine
  • Computer monitors
  • Communication
  • Malware

Keywords

  • Digital forensics
  • Library modification
  • Secure logging
  • Virtual machine

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Secure and fast log transfer mechanism for virtual machine. / Sato, Masaya; Yamauchi, Toshihiro.

In: Journal of Information Processing, Vol. 22, No. 4, 01.10.2014, p. 597-608.

@article{606df3fc34954a629dad71f82594ab3e,
title = "Secure and fast log transfer mechanism for virtual machine",
abstract = "Ensuring the integrity of logs is essential to reliably detect and counteract attacks because adversaries tamper with logs to hide their activities on a computer. Even though some studies proposed various protections of log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware) because file access and inter-process communication are provided by an OS kernel. Virtual machine introspection (VMI) can collect logs from virtual machines (VMs) without interposition of a kernel. It is difficult for malware to hinder that log collection, because a VM and VM monitor (VMM) are strongly separated. However, complexity and unnecessary performance overhead arise because VMI is not specialized for log collection. This paper proposes a secure and fast log transfer method using library replacement for VMs. In the proposed method, a process on a VM requests a log transfer to a VMM using the modified library, which contains a trigger for a log transfer. The VMM collects logs from the VM and isolates them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself with low performance overhead.",
keywords = "Digital forensics, Library modification, Secure logging, Virtual machine",
author = "Masaya Sato and Toshihiro Yamauchi",
year = "2014",
month = "10",
day = "1",
doi = "10.2197/ipsjjip.22.597",
language = "English",
volume = "22",
pages = "597--608",
journal = "Journal of Information Processing",
issn = "0387-5806",
publisher = "Information Processing Society of Japan",
number = "4",

}

TY - JOUR

T1 - Secure and fast log transfer mechanism for virtual machine

AU - Sato, Masaya

AU - Yamauchi, Toshihiro

PY - 2014/10/1

Y1 - 2014/10/1

N2 - Ensuring the integrity of logs is essential to reliably detect and counteract attacks because adversaries tamper with logs to hide their activities on a computer. Even though some studies proposed various protections of log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware) because file access and inter-process communication are provided by an OS kernel. Virtual machine introspection (VMI) can collect logs from virtual machines (VMs) without interposition of a kernel. It is difficult for malware to hinder that log collection, because a VM and VM monitor (VMM) are strongly separated. However, complexity and unnecessary performance overhead arise because VMI is not specialized for log collection. This paper proposes a secure and fast log transfer method using library replacement for VMs. In the proposed method, a process on a VM requests a log transfer to a VMM using the modified library, which contains a trigger for a log transfer. The VMM collects logs from the VM and isolates them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself with low performance overhead.

AB - Ensuring the integrity of logs is essential to reliably detect and counteract attacks because adversaries tamper with logs to hide their activities on a computer. Even though some studies proposed various protections of log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware) because file access and inter-process communication are provided by an OS kernel. Virtual machine introspection (VMI) can collect logs from virtual machines (VMs) without interposition of a kernel. It is difficult for malware to hinder that log collection, because a VM and VM monitor (VMM) are strongly separated. However, complexity and unnecessary performance overhead arise because VMI is not specialized for log collection. This paper proposes a secure and fast log transfer method using library replacement for VMs. In the proposed method, a process on a VM requests a log transfer to a VMM using the modified library, which contains a trigger for a log transfer. The VMM collects logs from the VM and isolates them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself with low performance overhead.

KW - Digital forensics

KW - Library modification

KW - Secure logging

KW - Virtual machine

UR - http://www.scopus.com/inward/record.url?scp=84908024732&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84908024732&partnerID=8YFLogxK

U2 - 10.2197/ipsjjip.22.597

DO - 10.2197/ipsjjip.22.597

M3 - Article

AN - SCOPUS:84908024732

VL - 22

SP - 597

EP - 608

JO - Journal of Information Processing

JF - Journal of Information Processing

SN - 0387-5806

IS - 4

ER -