Secure log transfer by replacing a library in a virtual machine

Masaya Sato; Toshihiro Yamauchi

doi:10.1007/978-3-642-41383-4_1

Secure log transfer by replacing a library in a virtual machine

Masaya Sato, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.

Original language	English
Title of host publication	Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings
Pages	1-18
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-642-41383-4_1
Publication status	Published - Dec 1 2013
Event	8th International Workshop on Security, IWSEC 2013 - Okinawa, Japan Duration: Nov 18 2013 → Nov 20 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8231 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	8th International Workshop on Security, IWSEC 2013
Country	Japan
City	Okinawa
Period	11/18/13 → 11/20/13

Keywords

Log transfer
digital forensics
log protection
virtual machine

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-41383-4_1

Fingerprint Dive into the research topics of 'Secure log transfer by replacing a library in a virtual machine'. Together they form a unique fingerprint.

Cite this

Sato, M., & Yamauchi, T. (2013). Secure log transfer by replacing a library in a virtual machine. In Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings (pp. 1-18). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8231 LNCS). https://doi.org/10.1007/978-3-642-41383-4_1

Secure log transfer by replacing a library in a virtual machine. / Sato, Masaya ; Yamauchi, Toshihiro.

Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings. 2013. p. 1-18 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8231 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Sato, M & Yamauchi, T 2013, Secure log transfer by replacing a library in a virtual machine. in Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8231 LNCS, pp. 1-18, 8th International Workshop on Security, IWSEC 2013, Okinawa, Japan, 11/18/13. https://doi.org/10.1007/978-3-642-41383-4_1

Sato M , Yamauchi T. Secure log transfer by replacing a library in a virtual machine. In Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings. 2013. p. 1-18. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-41383-4_1

@inproceedings{adc8746273af4866a407b10bab113245,

title = "Secure log transfer by replacing a library in a virtual machine",

abstract = "Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.",

keywords = "Log transfer, digital forensics, log protection, virtual machine",

author = "Masaya Sato and Toshihiro Yamauchi",

year = "2013",

month = dec,

day = "1",

doi = "10.1007/978-3-642-41383-4_1",

language = "English",

isbn = "9783642413827",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "1--18",

booktitle = "Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings",

note = "8th International Workshop on Security, IWSEC 2013 ; Conference date: 18-11-2013 Through 20-11-2013",

}

TY - GEN

T1 - Secure log transfer by replacing a library in a virtual machine

AU - Sato, Masaya

AU - Yamauchi, Toshihiro

PY - 2013/12/1

Y1 - 2013/12/1

N2 - Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.

AB - Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.

KW - Log transfer

KW - digital forensics

KW - log protection

KW - virtual machine

UR - http://www.scopus.com/inward/record.url?scp=84891910899&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84891910899&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-41383-4_1

DO - 10.1007/978-3-642-41383-4_1

M3 - Conference contribution

AN - SCOPUS:84891910899

SN - 9783642413827

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 18

BT - Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings

T2 - 8th International Workshop on Security, IWSEC 2013

Y2 - 18 November 2013 through 20 November 2013

ER -