Title :
A Case for Secure Virtual Append-Only Storage for Virtual Machines
Author :
Lin, Zhao ; Gopalan, Kartik ; Yang, Ping
Author_Institution :
Dept. of Comput. Sci., State Univ. of New York at Binghamton, Binghamton, NY, USA
Abstract :
Traditional operating systems and applications use logs extensively to monitor system activity and perform intrusion detection. Consequently, logs have also become prime targets for intruders. When malware or an intruder obtains root privileges on a system, one of the first actions is to hide its footprint by deleting or modifying system logs, especially the log entry recording the intrusion activity (such as an unauthorized root login). A key weakness of most current logging mechanisms is that logs are stored on a storage device over which the system being logged has complete control, including the ability to delete or modify the logs arbitrarily. Once the root privileges of such a system are compromised, so are the logs. Virtualization offers a unique opportunity to eliminate this point of weakness. In this paper, we propose a new virtual storage abstraction for virtual machines (VMs) called Virtual Append-only Storage (VAS) that secures and preserves all system and/or application logs in a VM and can prevent an intruder from deleting or modifying past logs even after the root privileges of the VM are compromised. Our VAS-based logging complements existing intrusion detection techniques, which mainly monitor the in-memory execution state and data but do not protect the storage device on which logs are stored. Since logs can become voluminous over time, VAS also gives administrators the ability to secure either system-wide or application-specific logs, rather than blindly logging all system activity.
Keywords :
Internet; invasive software; storage management; virtual machines; VAS-based logging complements; in-memory execution state; intrusion detection techniques; malware; operating systems; secure virtual append-only storage; system activity monitoring; virtual machines; virtual storage abstraction; Cloud computing; Driver circuits; Kernel; Linux; Monitoring; Virtual machine monitors;
Conference_Titel :
Parallel Processing Workshops (ICPPW), 2010 39th International Conference on
Conference_Location :
San Diego, CA
Print_ISBN :
978-1-4244-7918-4
Electronic_ISBN :
1530-2016
DOI :
10.1109/ICPPW.2010.15