2014 Volume 22 Issue 4 Pages 597-608
Ensuring the integrity of logs is essential to reliably detect and counteract attacks because adversaries tamper with logs to hide their activities on a computer. Even though some studies proposed various protections of log files, adversaries can tamper with logs in kernel space with kernel-level malicious software (malware) because file access and inter-process communication are provided by an OS kernel. Virtual machine introspection (VMI) can collect logs from virtual machines (VMs) without interposition of a kernel. It is difficult for malware to hinder that log collection, because a VM and VM monitor (VMM) are strongly separated. However, complexity and unnecessary performance overhead arise because VMI is not specialized for log collection. This paper proposes a secure and fast log transfer method using library replacement for VMs. In the proposed method, a process on a VM requests a log transfer to a VMM using the modified library, which contains a trigger for a log transfer. The VMM collects logs from the VM and isolate them to another VM. The proposed method provides VM-level log isolation and security for the mechanism itself with low performance overhead.