JISE




Journal of Information Science and Engineering, Vol. 32 No. 5, pp. 1131-1143


A Secure and Efficient Kernel Log Transfer Mechanism for Virtualization Environments


DONGHAI TIAN1,2, JUNHUA CHEN3,+, CHANGZHEN HU1 AND JINGFENG XUE1 
1Beijing Key Laboratory of Software Security Engineering Technique Beijing Institute of Technology 
Beijing, 100081 P.R. China 
2Shanghai Key Laboratory of Integrated Administration Technologies for Information Security 
3Key Laboratory of IOT Application Technology of Universities in Yunnan Province 
Yunnan Minzu University 
Kunming, 650500 P.R. China 
E-mail: 1{dhai; chzhoo; xuejf}@bit.edu.cn; 3chenjunhuabj@163.com


    Kernel logs are an important source of information that administrators use to reconstruct security events. Once a sophisticated attacker has intruded into a computer system, he (or she) may tamper with the kernel log to erase the evidence of the intrusion. Previous solutions suffer from the following limitations: 1) some do not provide adequate protection; 2) some are not compatible with existing systems or hardware; 3) some incur considerable performance overhead. In this paper, we present SEKEL, a secure and efficient kernel log transfer mechanism based on virtualization technology. The basic idea of our approach is to decouple kernel log collection and transfer into two concurrent components. On one hand, the log collection component, protected by the SIM framework, is deployed in the target VM. On the other hand, the log transfer component is placed in a trusted execution environment for performance isolation. To deal with the synchronization problem introduced by these concurrent components, we extend Lamport's ring buffer algorithm. The evaluation shows that SEKEL protects kernel logs effectively with little performance degradation.
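As an added illustration (not code from the paper, and not SEKEL's extension, which this page does not describe), the classic Lamport single-producer/single-consumer ring buffer that the abstract says SEKEL builds on, written in C11: the in-VM collector is the producer, the transfer component in the trusted environment is the consumer, and the only shared state is the slot array plus two indices, each written by exactly one side. Ring size, record layout, function names and the sample log lines are all constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example sizes (constructed). A real deployment would size the ring to the
 * shared pages mapped between the VM and the transfer side. */
#define LOG_RING_SLOTS 8     /* capacity is SLOTS - 1: one slot always stays empty */
#define LOG_MSG_LEN    64

struct log_record {
    unsigned long seq;       /* collector's monotonic record number */
    char msg[LOG_MSG_LEN];   /* NUL-terminated kernel log line */
};

/* Lamport's SPSC ring: `head` is written only by the producer, `tail` only by
 * the consumer. Each side reads the other's index but never writes it, so the
 * two components run concurrently without a lock. */
struct log_ring {
    _Atomic size_t head;     /* next slot the collector fills */
    _Atomic size_t tail;     /* next slot the transfer side drains */
    struct log_record slot[LOG_RING_SLOTS];
};

void log_ring_init(struct log_ring *r) { memset(r, 0, sizeof *r); }

/* Producer side (in-VM collector). Returns false when the ring is full; a
 * collector that must not stall the kernel drops the record and counts it. */
bool log_ring_push(struct log_ring *r, unsigned long seq, const char *msg)
{
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    /* acquire: the consumer's copy-out of a slot happens-before we overwrite it */
    size_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if ((head + 1) % LOG_RING_SLOTS == tail)
        return false;        /* full */
    struct log_record *rec = &r->slot[head];
    rec->seq = seq;
    strncpy(rec->msg, msg, LOG_MSG_LEN - 1);
    rec->msg[LOG_MSG_LEN - 1] = '\0';
    /* release: record contents become visible before the new head does */
    atomic_store_explicit(&r->head, (head + 1) % LOG_RING_SLOTS, memory_order_release);
    return true;
}

/* Consumer side (transfer component). Returns false when the ring is empty. */
bool log_ring_pop(struct log_ring *r, struct log_record *out)
{
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    size_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return false;        /* empty */
    *out = r->slot[tail];    /* copy out before handing the slot back */
    atomic_store_explicit(&r->tail, (tail + 1) % LOG_RING_SLOTS, memory_order_release);
    return true;
}

/* Drain everything available, counting sequence gaps. A gap means records were
 * lost between collector and transfer side (ring overrun, or tampering with
 * the shared area); the transfer side should flag it rather than hide it. */
size_t log_ring_drain(struct log_ring *r, unsigned long *expect_seq, size_t *gaps)
{
    struct log_record rec;
    size_t n = 0;
    while (log_ring_pop(r, &rec)) {
        if (rec.seq != *expect_seq)
            (*gaps)++;
        *expect_seq = rec.seq + 1;
        n++;
    }
    return n;
}

/* Constructed burst: the collector emits `n` lines starting at `first_seq`
 * while the transfer side is not scheduled. Returns how many fit in the ring. */
size_t demo_burst_push(struct log_ring *r, unsigned long first_seq, size_t n)
{
    char line[LOG_MSG_LEN];
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(line, sizeof line, "audit: pid=%lu syscall=execve",
                 (unsigned long)(1000 + first_seq + i));
        if (log_ring_push(r, first_seq + i, line))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    struct log_ring r;
    unsigned long next = 0;
    size_t gaps = 0, got;
    log_ring_init(&r);
    printf("burst of 10 accepted: %zu\n", demo_burst_push(&r, 0, 10)); /* 7 */
    got = log_ring_drain(&r, &next, &gaps);
    printf("drained: %zu, gaps: %zu\n", got, gaps);                     /* 7, 0 */
    printf("burst of 5 accepted: %zu\n", demo_burst_push(&r, 10, 5));  /* 5 */
    got = log_ring_drain(&r, &next, &gaps);
    printf("drained: %zu, gaps: %zu\n", got, gaps);                     /* 5, 1 */
    return 0;
}
```

The release/acquire pairing on the two indices is the whole synchronization story: the producer publishes a record by advancing `head` with a release store, and the consumer's acquire load of `head` guarantees it sees the record contents. The same pairing on `tail` keeps the producer from overwriting a slot the consumer is still copying. The example does not map the shared pages across the VM boundary; that is the hypervisor's job and the page does not describe how SEKEL does it. The sequence-gap count on the consumer side is the check a practitioner would want in any such transfer path: a drop on the collector side and a tampered shared area look the same from the trusted side, and both should be reported.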


Keywords: kernel log transfer, virtualization, concurrent, synchronization, protect

  Retrieve PDF document (JISE_201605_01.pdf)