Continuous Tamper-Proof Logging Using TPM 2.0

  • Arunesh Sinha
  • Limin Jia
  • Paul England
  • Jacob R. Lorch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8564)


Auditing system logs is an important means of ensuring systems’ security in situations where run-time security mechanisms are not sufficient to completely prevent potentially malicious activities. A fundamental requirement for reliable auditing is the integrity of the log entries. This paper presents an infrastructure for secure logging that is capable of detecting the tampering of logs by powerful adversaries residing on the device where logs are generated. We rely on novel features of trusted hardware (TPM) to ensure the continuity of the logging infrastructure across power cycles without help from a remote server. Our infrastructure also addresses practical concerns including how to handle high-frequency log updates, how to conserve disk space for storing logs, and how to efficiently verify an arbitrary subset of the log. Importantly, we formally state the tamper-proofness guarantee of our infrastructure and verify that our basic secure logging protocol provides the desired guarantee. To demonstrate that our infrastructure is practical, we implement a prototype and evaluate its performance.


Power Cycle Disk Location Storage Overhead Power Failure Adversary Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: USENIX Security (1998)Google Scholar
  2. 2.
    Levin, D., Douceur, J.R., Lorch, J.R., Moscibroda, T.: Trinc: Small trusted hardware for large distributed systems. In: NSDI (2009)Google Scholar
  3. 3.
    Crosby, S.A., Wallach, D.S.: Efficient data structures for tamper evident logging. In: USENIX Security (2009)Google Scholar
  4. 4.
    Chun, B.-G., Maniatis, P., Shenker, S., Kubiatowicz, J.: Attested append-only memory: Making adversaries stick to their word. ACM SIGOPS Operating Systems Review 41(6), 189–204 (2007)CrossRefGoogle Scholar
  5. 5.
    Snodgrass, R.T., Yao, S.S., Collberg, C.: Tamper detection in audit logs. In: VLDB (2004)Google Scholar
  6. 6.
    Von Eye, F., Schmitz, D., Hommel, W.: A framework for secure logging with privacy protection and integrity. In: ICIMP (2014)Google Scholar
  7. 7.
    Sarmenta, L.F.G., van Dijk, M., O’Donnell, C.W., Rhodes, J., Devadas, S.: Virtual monotonic counters and count-limited objects using a TPM without a trusted OS. In: ACM STC (2006)Google Scholar
  8. 8.
    van Dijk, M., Rhodes, J., Sarmenta, L.F.G., Devadas, S.: Offline untrusted storage with immediate detection of forking and replay attacks. In: ACM STC (2007)Google Scholar
  9. 9.
    Bellare, M., Yee, B.: Forward integrity for secure audit logs. Technical report, University of California at San Diego (1997)Google Scholar
  10. 10.
    Sinha, A., Jia, L., England, P., Lorch, J.: Continuous tamper-proof logging using TPM 2.0. Technical Report CMU-CyLab-13-008, Carngie Mellon University (2013)Google Scholar
  11. 11.
    TrustedComputingGroup: TPM library specification,
  12. 12.
    Parno, B., Lorch, J.R., Douceur, J.R., Mickens, J.W., McCune, J.M.: Memoir: Practical state continuity for protected modules. In: IEEE S&P (2011)Google Scholar
  13. 13.
    Garg, D., Franklin, J., Kaynar, D.K., Datta, A.: Compositional system security with interface-confined adversaries. In: MFPS (2010)Google Scholar
  14. 14.
    Datta, A., Franklin, J., Garg, D., Kaynar, D.K.: A logic of secure systems and its application to trusted computing. In: IEEE S&P (2009)Google Scholar
  15. 15.
    Vaughan, J.A., Jia, L., Mazurak, K., Zdancewic, S.: Evidence-based audit. In: CSF (2008)Google Scholar
  16. 16.
    Bauer, L., Garriss, S., Reiter, M.K.: Detecting and resolving policy misconfigurations in access-control systems. ACM Transactions on Information and System Security 14(1) (2011)Google Scholar
  17. 17.
    Feigenbaum, J., Jaggard, A.D., Wright, R.N.: Towards a formal model of accountability. In: NSPW (2011)Google Scholar
  18. 18.
    Kelsey, J., Schneier, B.: Minimizing bandwidth for remote access to cryptographically protected audit logs. In: RAID (1999)Google Scholar
  19. 19.
    Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: NDSS (2004)Google Scholar
  20. 20.
    Chong, C.N., Peng, Z.: Secure audit logging with tamper-resistant hardware. In: IFIP SEC (2003)Google Scholar
  21. 21.
    Naor, M., Nissim, K.: Certificate revocation and certificate update. In: USENIX Security (1998)Google Scholar
  22. 22.
    Goodrich, M.T., Tamassia, R., Schwerin, A.: Implementation of an authenticated dictionary with skip lists and commutative hashing. In: DISCEX (2001)Google Scholar
  23. 23.
    Martel, C., Nuckolls, G., Devanbu, P., Gertz, M., Kwong, A., Stubblebine, S.G.: A general model for authenticated data structures. Algorithmica 39(1), 21–41 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  24. 24.
    McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. ACM SIGOPS Operating Systems Review 42(4), 315–328 (2008)CrossRefGoogle Scholar
  25. 25.
    Parno, B., McCune, J.M., Perrig, A.: Bootstrapping trust in commodity computers. In: IEEE S&P (2010)Google Scholar
  26. 26.
    MaximIntegrated: What is an iButton device?
  27. 27.
    Jang, D., Tatlock, Z., Lerner, S.: Establishing browser security guarantees through formal shim verification. In: USENIX Security (2012)Google Scholar
  28. 28.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: SOSP (2009)Google Scholar
  29. 29.
    Ma, D., Tsudik, G.: Forward-secure sequential aggregate authentication. In: IEEE S&P (2007)Google Scholar
  30. 30.
    Ma, D., Tsudik, G.: A new approach to secure logging. Trans. Storage 5(1), 1–2 (2009)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Arunesh Sinha
    • 1
  • Limin Jia
    • 1
  • Paul England
    • 2
  • Jacob R. Lorch
    • 2
  1. 1.Carnegie Mellon UniversityPittsburghUSA
  2. 2.Microsoft ResearchRedmondUSA

Personalised recommendations