Advertisement

Tamper Resistant Secure Digital Silo for Log Storage in Critical Infrastructures

  • Khan Ferdous WahidEmail author
  • Helmut Kaufmann
  • Kevin Jones
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)

Abstract

Tamper resistant secure data storage is necessary to store event logs in critical environments, as it enables trustworthy evidence collection during an incident, and subsequently allows investigators to analyze attack behaviour, impact of the incident, source of attacks, risk factors, and if necessary it should also offer the procurement of admissible proof at trial. Recent advancements in hardware based security allows us to build such storage mechanisms, and cope with the advanced threats. In this paper, we describe the existing problems in secure storage of logs, and generate requirements to address those problems. Finally, we present our solution with commercial off-the-shelf (COTS) hardware based security technologies, which assures that the system is practical and suitable for integration with current systems. In order to show the feasibility of design, we also implement the solution using open source platforms.

Keywords

Secure logging Secure storage Anti-tamper storage Secure log architecture 

Notes

Acknowledgements

This work is funded by the European FP7 security project ECOSSIAN (607577).

References

  1. 1.
    EU FP7-Security: PERSEUS - Protection of European seas and borders through the intelligent use of surveillance, Project reference: 261748 (2011–2015)Google Scholar
  2. 2.
    EU Horizon 2020: EU CIRCLE - A pan-European framework for strengthening Critical Infrastructure resilience to climate change, Project reference: 653824 (2015–2018)Google Scholar
  3. 3.
    EU EPCIP: NEISAS - National and European Information Sharing and Alerting System, Project reference: JLS/2008/CIPS/016 (2008–2011)Google Scholar
  4. 4.
    EU FP5-EESD: EFFS - An european flood forecasting system, Project reference: EVG1-CT-1999-00011 (2000–2003)Google Scholar
  5. 5.
    EU FP7-Security: ECOSSIAN - European COntrol System Security Incident Analysis Network, Project reference: 607577 (2014–2017)Google Scholar
  6. 6.
    EU FP7-SEC-2010-1: BRIDGE - Bridging resources and agencies in large-scale emergency management, Project reference: 261817 (2011–2015)Google Scholar
  7. 7.
    Younis, Y.A., Merabti, M., Kifayat, K.: Secure cloud computing for critical. infrastructure: a survey. In: 14th Annual PostGraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting (2013)Google Scholar
  8. 8.
    Ma, D., Tsudik, G.: A new approach to secure logging. Cryptology ePrint Archive: Report 2008/185 (2008)Google Scholar
  9. 9.
    Bellare, M., Yee, B.: Forward integrity for secure audit logs. Technical report, Computer Science and Engineering Department, University of San Diego (1997)Google Scholar
  10. 10.
    Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: Proceedings of the 7th USENIX Security Symposium (1998)Google Scholar
  11. 11.
    Holt, J.E.: Logcrypt: forward security and public verification for secure audit logs. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Australia (2006)Google Scholar
  12. 12.
    Waters, B., Balfanz, D., Durfee, G., Smeters, D.K.: Building an encrypted and searchable audit log. In: ACM Annual Symposium on Network and Distributed System Security (NDSS04) (2004)Google Scholar
  13. 13.
    Crossby, S.A., Wallach, D.S.: Efficient data structures for tamper-evident logging. In: Proceedings of the 18th Conference on USENIX Security Symposium (2009)Google Scholar
  14. 14.
    Chong, C., Peng, Z., Hartel, P.: Secure audit logging with tamper resistant hardware. Technical report TR-CTIT-02-29, Centre for Telematics and Information Technology, University Twente, The Netherlands (2002)Google Scholar
  15. 15.
    Wouters, K.: Hash-chain based protocols for time-stamping and secure logging: formats, analysis and design. Dissertation report. Arenberg Doctoral School of Science, Engineering and Technology, Katholieke Universiteit Leuven, Belgium (2012)Google Scholar
  16. 16.
    Pulls, T., Wouters, K., Vliegen, J., Grahn, C.: Distributed Privacy-Preserving Log Trails. Faculty of Economic Sciences, Communication and IT, Computer Science, Karlstad University Studies, Sweden (2012)Google Scholar
  17. 17.
    Accorsi, R.: BBox: a distributed secure log architecture. In: Camenisch, J., Lambrinoudakis, C. (eds.) EuroPKI 2010. LNCS, vol. 6711, pp. 109–124. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22633-5_8 CrossRefGoogle Scholar
  18. 18.
    Sinha, A., Jia, L., England, P., Lorch, J.R.: Continuous tamper-proof logging using TPM 2.0. In: Holz, T., Ioannidis, S. (eds.) Trust 2014. LNCS, vol. 8564, pp. 19–36. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08593-7_2 Google Scholar
  19. 19.
    Andersson, M., Nilsson, A.: Improving integrity assurances of log entries from the perspective of intermittently disconnected devices. Masters thesis no. MECS-2014-10, Faculty of Computing, Blekinge Institute of Technology, Sweden (2014)Google Scholar
  20. 20.
    Trusted Computing Group: Trusted Computing Group, TPM Library Specification. http://www.trustedcomputinggroup.org/tpm-library-specification/
  21. 21.
    Dijk, M.V., Sarmenta, L.F.G., Rhodes, J., Devadas, S.: Securing shared untrusted storage by using TPM 1.2 without requiring a trusted OS. Technical report, MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) (2007)Google Scholar
  22. 22.
    Trusted Computing Group: ISO/IEC 11889–2:2009(E), Information technology Trusted Platform Module Part 2: Design principles, 2009 (2009). http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=50971
  23. 23.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an Execution Infrastructure for TCB Minimization. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems (2008)Google Scholar
  24. 24.
    Jain, P., Desai, S., Kim, S., Shih, M.W., Lee, J., Choi, C., Shin, Y., Kim, T., Kang, B.B., Han, D.: OpenSGX: an open platform for SGX research. In: Proceedings of the Network and Distributed System Security Symposium, NDSS (2016)Google Scholar
  25. 25.
    McKeen, F., Alexandrovich, I., Berenzon, A., Rozas, C., Shafi, H., Shanbhogue, V., Savagaonkar, U.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (2013)Google Scholar
  26. 26.
    Anati, I., Gueron, S., Johnson, S.P., Scarlata, V.R.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (2013)Google Scholar
  27. 27.
    Hoekstra, M., Lal, R., Rozas, C., Phegade, V., Cuvillo, J.D.: Using innovative instructions to create trustworthy software solutions. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (2013)Google Scholar
  28. 28.
    Linux Integrity Measurement Architecture (IMA): Linux Integrity Subsystem. http://linux-ima.sourceforge.net/
  29. 29.
    Halcrow, M.A.: eCryptfs: An Enterprise-class Encrypted Filesystem for Linux. https://www.kernel.org/doc/ols/2005/ols2005v1-pages-209-226.pdf
  30. 30.
    Hein, D., Winter, J., Fitzek, A.: Secure block device - secure, flexible, and efficient data storage for ARM TrustZone Systems. In: TrustCom (2015)Google Scholar
  31. 31.
    Bratus, S., D’Cunha, N., Sparks, E., Smith, S.W.: TOCTOU, traps, and trusted computing. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 14–32. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-68979-9_2 CrossRefGoogle Scholar
  32. 32.
    rsyslog: The rocket-fast system for log processing. http://www.rsyslog.com/
  33. 33.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Khan Ferdous Wahid
    • 1
    Email author
  • Helmut Kaufmann
    • 1
  • Kevin Jones
    • 2
  1. 1.Airbus Group InnovationsMunichGermany
  2. 2.Airbus Group InnovationsNewportUK

Personalised recommendations