DOI: 10.1007/978-3-319-08593-7_2

Continuous Tamper-Proof Logging Using TPM 2.0

Published: 30 June 2014

Abstract

Auditing system logs is an important means of ensuring systems' security in situations where run-time security mechanisms are not sufficient to completely prevent potentially malicious activities. A fundamental requirement for reliable auditing is the integrity of the log entries. This paper presents an infrastructure for secure logging that is capable of detecting the tampering of logs by powerful adversaries residing on the device where logs are generated. We rely on novel features of trusted hardware TPM to ensure the continuity of the logging infrastructure across power cycles without help from a remote server. Our infrastructure also addresses practical concerns including how to handle high-frequency log updates, how to conserve disk space for storing logs, and how to efficiently verify an arbitrary subset of the log. Importantly, we formally state the tamper-proofness guarantee of our infrastructure and verify that our basic secure logging protocol provides the desired guarantee. To demonstrate that our infrastructure is practical, we implement a prototype and evaluate its performance.


Published In

Proceedings of the 7th International Conference on Trust and Trustworthy Computing - Volume 8564
June 2014
223 pages
ISBN: 9783319085920
Editors: Thorsten Holz, Sotiris Ioannidis

Publisher

Springer-Verlag, Berlin, Heidelberg

Qualifiers

  • Article


Cited By

  • (2023) Rethinking system audit architectures for high event coverage and synchronous log availability. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 391-408. DOI: 10.5555/3620237.3620260. Online publication date: 9-Aug-2023
  • (2023) SealFSv2: combining storage-based and ratcheting for tamper-evident logging. International Journal of Information Security 22:2, pp. 447-466. DOI: 10.1007/s10207-022-00643-1. Online publication date: 1-Apr-2023
  • (2023) VaultBox: Enhancing the Security and Effectiveness of Security Analytics. Science of Cyber Security, pp. 401-422. DOI: 10.1007/978-3-031-45933-7_24. Online publication date: 11-Jul-2023
  • (2020) Logging to the Danger Zone: Race Condition Attacks and Defenses on System Audit Frameworks. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1551-1574. DOI: 10.1145/3372297.3417862. Online publication date: 30-Oct-2020
  • (2019) How to Securely Record Logs based on ARM TrustZone. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 664-666. DOI: 10.1145/3321705.3331001. Online publication date: 2-Jul-2019
  • (2017) SGX-Log. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 19-30. DOI: 10.1145/3052973.3053034. Online publication date: 2-Apr-2017
  • (2017) Carving database storage to detect and trace security breaches. Digital Investigation: The International Journal of Digital Forensics & Incident Response 22:S, pp. S127-S136. DOI: 10.1016/j.diin.2017.06.006. Online publication date: 1-Aug-2017
