SealFS: Storage-Based Tamper-Evident Logging
Date
2021
Journal title
Journal ISSN
Volume title
Publisher
Elsevier
Abstract
Log analysis is essential for a forensic investigation. Upon intrusion, log files are usually forged in order to hide or fake evidence. If the system is completely compromised, malicious code can be executed in kernel or hypervisor mode, making even signed log files vulnerable. As a countermeasure, some systems archive the log files on another system through the network. This solution is not always suitable or desirable, and it just shifts the problem elsewhere: the log files need to be preserved on another networked machine, which may itself be attacked. In this paper, we present a simple scheme to authenticate local log files based on a forward integrity model. The scheme is based on a realistic assumption: nowadays, storage is very cheap. We can authenticate the logged data generated from boot time up to the instant that the malicious code elevates privileges. This tamper-evident scheme does not depend on special security hardware or on securing a distributed system. We also present a prototype implementation of this scheme, SealFS. Our implementation, which showcases this approach, is a novel stackable file system for Linux. It enables tamper-evident logging for all existing applications and provides backwards compatibility and instant deployability. Last, we present a performance evaluation of this prototype that shows the viability of this approach.
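The abstract names a forward integrity model but, being an abstract, does not show what that guarantee looks like in practice. The following is an added illustration of the generic forward-integrity construction (a per-entry MAC under a key that is ratcheted through a one-way hash and then erased); it is not SealFS's own scheme or code, and its assumptions are that the initial key is kept off the machine for verification and that the attacker learns only the key that is current at the moment of privilege elevation.

```python
import hashlib
import hmac

INDEX_BYTES = 8  # each entry is bound to its position so entries cannot be reordered


def evolve_key(key: bytes) -> bytes:
    """One-way key ratchet: k_{i+1} = SHA-256(k_i). Once k_i is erased,
    nobody holding only k_{i+1} can recover it (hypothetical construction)."""
    return hashlib.sha256(key).digest()


def make_tag(key: bytes, index: int, record: bytes) -> bytes:
    """HMAC over (entry index || record) under the key for that index."""
    return hmac.new(key, index.to_bytes(INDEX_BYTES, "big") + record,
                    hashlib.sha256).digest()


class ForwardIntegrityLog:
    """Append-only log: entry i is tagged with k_i, then k_i is replaced by k_{i+1}."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key        # only the *current* key lives on the logging host
        self.entries = []              # list of (record, tag) pairs, as stored on disk
        self.count = 0

    def append(self, record: bytes) -> None:
        tag = make_tag(self._key, self.count, record)
        self.entries.append((record, tag))
        self._key = evolve_key(self._key)   # old key is gone after this line
        self.count += 1

    def current_key(self) -> bytes:
        """What an attacker who compromises the host right now would obtain."""
        return self._key


def verify_log(initial_key: bytes, entries) -> int:
    """Replay the ratchet from the offline initial key.
    Returns the index of the first entry whose tag does not verify, or -1 if all
    entries verify. Note that verification does not detect truncation of the
    tail by itself; the verifier must also know how many entries to expect."""
    key = initial_key
    for i, (record, tag) in enumerate(entries):
        if not hmac.compare_digest(make_tag(key, i, record), tag):
            return i
        key = evolve_key(key)
    return -1


if __name__ == "__main__":
    # Constructed sample input: three log lines, then a compromise after line 3.
    k0 = b"\x11" * 32   # constructed initial key, assumed to be held offline
    log = ForwardIntegrityLog(k0)
    for line in [b"boot ok", b"sshd: login alice", b"sudo: alice -> root"]:
        log.append(line)
    print("clean log verifies:", verify_log(k0, log.entries) == -1)

    # Attacker now holds only k_3. Rewriting entry 1 and re-tagging it with k_3
    # does not verify, because the verifier recomputes the tag under k_1.
    leaked = log.current_key()
    forged = list(log.entries)
    forged[1] = (b"sshd: login bob", make_tag(leaked, 1, b"sshd: login bob"))
    print("first bad entry after forgery:", verify_log(k0, forged))   # 1
```

The property worth noticing is the asymmetry: everything logged before the key leaked stays verifiable, while anything written afterwards is only as trustworthy as the attacker chooses, which is exactly the "from boot time to the instant that the malicious code elevates privileges" window the abstract describes. The truncation caveat in `verify_log` is why such designs usually pair the MAC chain with an out-of-band record of the expected entry count or a periodic checkpoint.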
Description
Keywords
Citation
Enrique Soriano-Salvador, Gorka Guardiola-Múzquiz, SealFS: Storage-based tamper-evident logging, Computers & Security, Volume 108, 2021, 102325, ISSN 0167-4048.
Collections
Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivatives 4.0 International