PillarBox: Combating Next-Generation Malware with Fast Forward-Secure Logging

  • Kevin D. Bowers
  • Catherine Hart
  • Ari Juels
  • Nikos Triandopoulos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks.

We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.


Security analytics forward-secure logging log integrity and secrecy self-protecting alerting secure chain of custody 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21, 469–491 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  3. 3.
    Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Bowers, K.D., Hart, C., Juels, A., Triandopoulos, N.: PillarBox: Combating next-generation malware with fast forward-secure logging. Cryptology ePrint Archive, Report 2013/625 (2013)Google Scholar
  5. 5.
    Crosby, S.A., Wallach, D.S.: Efficient data structures for tamper-evident logging. In: USENIX Sec., pp. 317–334 (2009)Google Scholar
  6. 6.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. on Inf. Theory 29(2), 198–207 (1983)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: SOSP, pp. 193–206 (2003)Google Scholar
  8. 8.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)CrossRefzbMATHMathSciNetGoogle Scholar
  9. 9.
    Håstad, J., Jonsson, J., Juels, A., Yung, M.: Funkspiel schemes: An alternative to conventional tamper resistance. In: CCS, pp. 125–133 (2000)Google Scholar
  10. 10.
    Itkis, G.: Handbook of Inf. Security, Forward Security: Adaptive Cryptography—Time Evolution. John Wiley & Sons (2006)Google Scholar
  11. 11.
    Karger, P.A.: Securing virtual machine monitors: what is needed? In: ASIACCS, pp. 1–2 (2009)Google Scholar
  12. 12.
    Kelsey, J., Callas, J., Clemm, A.: RFC 5848: Signed syslog messages (2010)Google Scholar
  13. 13.
    Kelsey, J., Schneier, B.: Minimizing bandwidth for remote access to cryptographically protected audit logs. In: RAID, p. 9 (1999)Google Scholar
  14. 14.
    Ma, D., Tsudik, G.: A new approach to secure logging. Trans. Storage 5(1), 2:1–2:21 (2009)Google Scholar
  15. 15.
    Mandiant. M-trends: The advanced persistent threat (2010),
  16. 16.
    Marson, G.A., Poettering, B.: Practical secure logging: Seekable sequential key generators. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 111–128. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Oltsik, J.: Defining big data security analytics. Networkworld, 1 (April 2013)Google Scholar
  18. 18.
    Ristenpart, T., Maganis, G., Krishnamurthy, A., Kohno, T.: Privacy-preserving location tracking of lost or stolen devices: Cryptographic techniques and replacing trusted third parties with DHTs. In: USENIX Sec., pp. 275–290 (2008)Google Scholar
  19. 19.
    Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: USENIX Sec., p. 4 (1998)Google Scholar
  20. 20.
    Schneier, B., Kelsey, J.: Tamperproof audit logs as a forensics tool for intrusion detection systems. Comp. Networks and ISDN Systems (1999)Google Scholar
  21. 21.
    Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the Effectiveness of Address-Space Randomization. In: CCS, pp. 298–307 (2004)Google Scholar
  22. 22.
    Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: CCS, pp. 477–487 (2009)Google Scholar
  23. 23.
    Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: NDSS (2004)Google Scholar
  24. 24.
    Chen, Y., Chen, Y., Paxson, V., Katz, R.: What’s new about cloud computing security? Technical Report UCB/EECS-2010-5, UC Berkeley (2010)Google Scholar
  25. 25.
    Yavuz, A.A., Ning, P.: BAF: An efficient publicly verifiable secure audit logging scheme for distributed systems. In: ACSAC, pp. 219–228 (2009)Google Scholar
  26. 26.
    Yavuz, A.A., Ning, P., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 148–163. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Kevin D. Bowers
    • 1
  • Catherine Hart
    • 2
  • Ari Juels
    • 3
  • Nikos Triandopoulos
    • 1
  1. 1.RSA LaboratoriesCambridgeUSA
  2. 2.Bell CanadaVancouverCanada
  3. 3.Cornell Tech (Jacobs Institute)New YorkUSA

Personalised recommendations