VMBLS: Virtual Machine Based Logging Scheme for Prevention of Tampering and Loss

  • Masaya Sato
  • Toshihiro Yamauchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6908)


Logging information is necessary in order to understand a computer’s behavior. However, there is a possibility that attackers will delete logs to hide the evidence of their attacking and cheating. Moreover, various problems might cause the loss of logging information. In homeland security, the plans for counter terrorism are based on data. The reliability of the data is depends on that of data collector. Because the reliability of the data collector is ensured by logs, the protection of it is important problem. To address these issues, we propose a system to prevent tampering and loss of logging information using a virtual machine monitor (VMM). In this system, logging information generated by the operating system (OS) and application program (AP) working on the target virtual machine (VM) is gathered by the VMM without any modification of the OS. The security of the logging information is ensured by its isolation from the VM. In addition, the isolation and multiple copying of logs can help in the detection of tampering.


Log security virtualization virtual machine monitor digital forensics 


  1. 1.
    Apvrille, A., Gordon, D., Hallyn, S., Pourzandi, M., Roy, V.: Digsig: Runtime authentication of binaries at kernel level. In: Proceedings of the 18th USENIX Conference on System Administration, pp. 59–66 (2004)Google Scholar
  2. 2.
    Ashino, Y., Sasaki, R.: Proposal of digital forensic system using security device and hysteresis signature. In: Proceedings of the Third International Conference on International Information Hiding and Multimedia Signal Processing (IIH-MSP 2007), vol. 02, pp. 3–7 (2007)Google Scholar
  3. 3.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Proceedings of the 19th ACM Symposium on Operating Systems Principles, pp. 164–177 (2003)Google Scholar
  4. 4.
    Bock, B., Huemer, D., Tjoa, A.: Towards more trustable log files for digital forensics by means of “trusted computing”. In: 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 1020–1027 (2010)Google Scholar
  5. 5.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51–62 (2008)Google Scholar
  6. 6.
    IETF Syslog Working Group: IETF Syslog Working Group Home Page,
  7. 7.
    Intel: Intel 64 and IA-32 Architectures Software Developer’s Manual Volume 3B: System Programming Guide, Part 2 (2009),
  8. 8.
    Isohara, T., Takemori, K., Miyake, Y., Qu, N., Perrig, A.: Lsm-based secure system monitoring using kernel protection schemes. In: International Conference on Availability, Reliability, and Security, pp. 591–596 (2010)Google Scholar
  9. 9.
    Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of 21st ACM SIGOPS Symposium on Operating Systems Principles, pp. 335–350 (2007)Google Scholar
  10. 10.
    Takada, T., Koike, H.: Nigelog: Protecting logging information by hiding multiple backups in directories. In: International Workshop on Database and Expert Systems Applications, pp. 874–878 (1999)Google Scholar
  11. 11.
    Zhao, S., Chen, K., Zheng, W.: Secure logging for auditable file system using separate virtual machines. In: IEEE International Symposium on Parallel and Distributed Processing with Applications, pp. 153–160 (2009)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Masaya Sato
    • 1
  • Toshihiro Yamauchi
    • 1
  1. 1.Graduate School of Natural Science and TechnologyOkayama UniversityOkayamaJapan

Personalised recommendations