Secure Log Transfer by Replacing a Library in a Virtual Machine

  • Masaya Sato
  • Toshihiro Yamauchi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8231)


Ensuring the integrity of logs is essential to reliably detect and counteract attacks, because adversaries tamper with logs to hide their activities on a computer. Even though some research studies proposed different ways to protect log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware). In an environment where Virtual Machines (VM) are utilized, VM Introspection (VMI) is capable of collecting logs from VMs. However, VMI is not optimized for log protection and unnecessary overhead is incurred, because VMI does not specialize in log collection. To transfer logs out of a VM securely, we propose a secure log transfer method of replacing a library. In our proposed method, a process on a VM requests a log transfer by using the modified library, which contains a trigger for a log transfer. When a VM Monitor (VMM) detects the trigger, it collects logs from the VM and sends them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself. This paper describes design, implementation, and evaluation of the proposed method.


Log transfer log protection virtual machine digital forensics 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kent, K., Souppaya, M.: Guide to computer security log management, special publication 800-92 (September 2006)Google Scholar
  2. 2.
    spoonfork: Analysis of a rootkit: Tuxkit,
  3. 3.
    stealth: Announcing full functional adore-ng rootkit for 2.6 kernel,
  4. 4.
  5. 5.
    Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications 34(1), 1–11 (2011)CrossRefGoogle Scholar
  6. 6.
    Grobauer, B., Walloschek, T., Stocker, E.: Understanding cloud computing vulnerabilities. IEEE Security & Privacy 9(2), 50–57 (2011)CrossRefGoogle Scholar
  7. 7.
    Marty, R.: Cloud application logging for forensics. In: Proceedings of the 2011 ACM Symposium on Applied Computing, SAC 2011, pp. 178–184 (2011)Google Scholar
  8. 8.
    Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, HOTOS 2001, pp. 133–138. IEEE Computer Society (2001)Google Scholar
  9. 9.
    Boeck, B., Huemer, D., Tjoa, A.M.: Towards more trustable log files for digital forensics by means of “trusted computing”. In: International Conference on Advanced Information Networking and Applications, pp. 1020–1027 (2010)Google Scholar
  10. 10.
    Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. SIGOPS Oper. Syst. Rev. 41(6), 335–350 (2007)CrossRefGoogle Scholar
  11. 11.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed Systems Security Symposium, pp. 191–206 (2003)Google Scholar
  12. 12.
    Dewan, P., Durham, D., Khosravi, H., Long, M., Nagabhushan, G.: A hypervisor-based system for protecting software runtime memory and persistent storage. In: Proceedings of the 2008 Spring Simulation Multiconference, SpringSim 2008, pp. 828–835 (2008)Google Scholar
  13. 13.
    Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-vm monitoring using hardware virtualization. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 477–487 (2009)Google Scholar
  14. 14.
    Adiscon: rsyslogm,
  15. 15.
    Security, B.I.: Syslog server | syslog-ng logging system,
  16. 16.
    Kelsey, J., Callas, J., Clemm, A.: Signed syslog messages (May 2010),
  17. 17.
    New, D., Rose, M.: Reliable delivery for syslog (November 2001),
  18. 18.
    Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: Revirt: enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Oper. Syst. Rev. 36(SI), 211–224 (2002)CrossRefGoogle Scholar
  19. 19.
    Ibrahim, A., Hamlyn-Harris, J., Grundy, J., Almorsy, M.: Cloudsec: A security monitoring appliance for virtual machines in the iaas cloud model. In: 5th International Conference on Network and System Security, pp. 113–120 (September 2011)Google Scholar
  20. 20.
    Sato, M., Yamauchi, T.: Vmm-based log-tampering and loss detection scheme. Journal of Internet Technology 13(4), 655–666 (2012)Google Scholar
  21. 21.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. SIGOPS Oper. Syst. Rev. 37(5), 164–177 (2003)CrossRefGoogle Scholar
  22. 22.
    Accorsi, R.: Log data as digital evidence: What secure logging protocols have to offer? In: Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference, vol. 02, pp. 398–403 (2009)Google Scholar
  23. 23.
    Zhao, S., Chen, K., Zheng, W.: Secure logging for auditable file system using separate virtual machines. In: 2009 IEEE International Symposium on Parallel and Distributed Processing with Applications, pp. 153–160 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Masaya Sato
    • 1
  • Toshihiro Yamauchi
    • 1
  1. 1.Graduate School of Natural Science and TechnologyOkayama UniversityOkayamaJapan

Personalised recommendations