Abstract
Kernel logs are a very important source of information that administrators use to reconstruct security events. Once a sophisticated attacker intrudes into a computer system, he or she may manipulate the kernel log to remove the evidence of the intrusion. Previous solutions suffer from the following limitations: 1) some methods do not provide adequate protection; 2) some methods are not compatible with existing systems or hardware; 3) some methods incur considerable performance overhead. In this paper, we present SEKEL, a secure and efficient kernel log transfer mechanism based on virtualization technology. The basic idea of our approach is to decouple the kernel log collection and transfer procedures into two concurrent components. On one hand, the log collection component, protected by the SIM framework, is deployed in the target VM. On the other hand, the log transfer component is placed in a trusted execution environment for performance isolation. To deal with the synchronization problem introduced by our concurrent components, we extend Lamport's ring buffer algorithm. The evaluation shows that SEKEL can protect kernel logs effectively with little performance degradation.
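The abstract says the collector (in the target VM) and the transfer component (in the trusted environment) run concurrently and share log records through an extension of Lamport's ring buffer. The following C example, added here and not taken from the SEKEL paper or its implementation, shows the classic Lamport single-producer/single-consumer ring buffer that such a design starts from: the collector is the only writer of `tail`, the transfer side is the only writer of `head`, and acquire/release atomics replace locks. The record layout, the capacity (`RING_SLOTS`), the simulated event messages and the `simulate` driver are assumptions made for illustration; the sequence-gap count in the result is the check a defender would keep, since a gap means records were lost before transfer.

```c
/* Added example: Lamport-style SPSC ring buffer between a log collector
 * (producer) and a log transfer component (consumer). Not SEKEL's code;
 * record layout, capacity and the simulation driver are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8        /* assumed capacity; one slot always stays empty */
#define MSG_LEN    64

typedef struct {
    uint64_t seq;           /* monotonic sequence number; a gap reveals lost records */
    char     msg[MSG_LEN];
} log_record_t;

typedef struct {
    log_record_t   slots[RING_SLOTS];
    _Atomic size_t head;    /* next slot the consumer (transfer side) reads  */
    _Atomic size_t tail;    /* next slot the producer (collector side) writes */
} log_ring_t;

static void ring_init(log_ring_t *r) {
    memset(r->slots, 0, sizeof r->slots);
    atomic_init(&r->head, 0);
    atomic_init(&r->tail, 0);
}

/* Producer side only: never blocks, returns false when the ring is full. */
static bool ring_push(log_ring_t *r, const log_record_t *rec) {
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    size_t next = (tail + 1) % RING_SLOTS;
    if (next == atomic_load_explicit(&r->head, memory_order_acquire))
        return false;                       /* full: caller decides to drop or retry */
    r->slots[tail] = *rec;                  /* write the record before publishing it */
    atomic_store_explicit(&r->tail, next, memory_order_release);
    return true;
}

/* Consumer side only: returns false when the ring is empty. */
static bool ring_pop(log_ring_t *r, log_record_t *out) {
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    if (head == atomic_load_explicit(&r->tail, memory_order_acquire))
        return false;
    *out = r->slots[head];                  /* copy out before releasing the slot */
    atomic_store_explicit(&r->head, (head + 1) % RING_SLOTS, memory_order_release);
    return true;
}

typedef struct {
    size_t accepted;   /* records the collector placed in the ring */
    size_t dropped;    /* records refused because the ring was full */
    size_t delivered;  /* records the transfer side pulled out */
    size_t gaps;       /* delivered records whose seq did not follow the previous one */
} sim_result_t;

/* Transfer side drains everything currently in the ring and checks continuity. */
static void drain(log_ring_t *r, sim_result_t *res, uint64_t *last_seq) {
    log_record_t rec;
    while (ring_pop(r, &rec)) {
        if (rec.seq != *last_seq + 1)
            res->gaps++;
        *last_seq = rec.seq;
        res->delivered++;
    }
}

/* Constructed workload: the collector emits n_records; the transfer side drains
 * after every drain_every records (0 = only once at the end). Single-threaded so
 * the outcome is deterministic; the atomics are what make it safe across threads. */
static sim_result_t simulate(size_t n_records, size_t drain_every) {
    log_ring_t ring;
    sim_result_t res = {0, 0, 0, 0};
    uint64_t last_seq = 0;
    ring_init(&ring);
    for (uint64_t seq = 1; seq <= n_records; seq++) {
        log_record_t rec = { .seq = seq };
        snprintf(rec.msg, MSG_LEN, "audit: constructed event %llu", (unsigned long long)seq);
        if (ring_push(&ring, &rec)) res.accepted++; else res.dropped++;
        if (drain_every && seq % drain_every == 0)
            drain(&ring, &res, &last_seq);
    }
    drain(&ring, &res, &last_seq);
    return res;
}

int main(void) {
    sim_result_t r = simulate(20, 10);
    printf("accepted=%zu dropped=%zu delivered=%zu gaps=%zu\n",
           r.accepted, r.dropped, r.delivered, r.gaps);
    return 0;
}
```

With a fast consumer (`simulate(20, 4)`) every record is delivered with no gap; with a slow one (`simulate(20, 10)`) the seven-slot ring overflows, the collector drops records, and the transfer side sees one sequence gap. That drop-or-stall choice when the ring is full is exactly the pressure point a log protection design has to resolve, since a log that silently loses records under load is what an attacker flooding the kernel log would exploit.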
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 1131-1143 |
| Number of pages | 13 |
| Journal | Journal of Information Science and Engineering |
| Volume | 32 |
| Issue number | 5 |
| Publication status | Published - Sep 2016 |