Secure log transfer by replacing a library in a virtual machine

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages: 1-18
Number of pages: 18
Volume: 8231 LNCS
DOI: https://doi.org/10.1007/978-3-642-41383-4_1
Publication status: Published - 2013
Event: 8th International Workshop on Security, IWSEC 2013 - Okinawa, Japan
Duration: Nov 18 2013 → Nov 20 2013

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 8231 LNCS
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 8th International Workshop on Security, IWSEC 2013
Country: Japan
City: Okinawa
Period: 11/18/13 → 11/20/13

Fingerprint

Virtual Machine
Trigger
kernel
Libraries
Integrity
Isolation
Monitor
Attack
Software
Evaluation

Keywords

  • digital forensics
  • log protection
  • Log transfer
  • virtual machine

ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Sato, M., & Yamauchi, T. (2013). Secure log transfer by replacing a library in a virtual machine. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8231 LNCS, pp. 1-18). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8231 LNCS). https://doi.org/10.1007/978-3-642-41383-4_1

@inproceedings{adc8746273af4866a407b10bab113245,
title = "Secure log transfer by replacing a library in a virtual machine",
keywords = "digital forensics, log protection, Log transfer, virtual machine",
author = "Masaya Sato and Toshihiro Yamauchi",
year = "2013",
doi = "10.1007/978-3-642-41383-4_1",
language = "English",
isbn = "9783642413827",
volume = "8231 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "1--18",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}

TY - GEN

T1 - Secure log transfer by replacing a library in a virtual machine

AU - Sato, Masaya

AU - Yamauchi, Toshihiro

PY - 2013

Y1 - 2013

KW - digital forensics

KW - log protection

KW - Log transfer

KW - virtual machine

UR - http://www.scopus.com/inward/record.url?scp=84891910899&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84891910899&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-41383-4_1

DO - 10.1007/978-3-642-41383-4_1

M3 - Conference contribution

AN - SCOPUS:84891910899

SN - 9783642413827

VL - 8231 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 18

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

ER -