TY - GEN
T1 - Secure log transfer by replacing a library in a virtual machine
AU - Sato, Masaya
AU - Yamauchi, Toshihiro
PY - 2013/12/1
Y1 - 2013/12/1
N2 - Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies have proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method based on replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes the design, implementation, and evaluation of the proposed method.
AB - Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies have proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method based on replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes the design, implementation, and evaluation of the proposed method.
KW - Log transfer
KW - digital forensics
KW - log protection
KW - virtual machine
UR - http://www.scopus.com/inward/record.url?scp=84891910899&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84891910899&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-41383-4_1
DO - 10.1007/978-3-642-41383-4_1
M3 - Conference contribution
AN - SCOPUS:84891910899
SN - 9783642413827
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 1
EP - 18
BT - Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings
T2 - 8th International Workshop on Security, IWSEC 2013
Y2 - 18 November 2013 through 20 November 2013
ER -