Trustworthy Logging for Virtual Organisations
Jun Ho Huh
Abstract
In order to securely monitor user or system activities and detect malicious attempts across a distributed system, provision of trustworthy audit and logging services is necessary. Existing audit-based monitoring services, however, are often prone to compromise due to the lack of guarantees of log integrity, confidentiality, and availability. This thesis presents several use cases where these properties are essential, conducts a threat analysis on these use cases, and identifies key security requirements from the threats and their risks. Then, this thesis proposes a log generation and reconciliation infrastructure in which the requirements are satisfied and threats are mitigated.
Applications usually expose a weak link in the way logs are generated and protected. In the proposed logging system, important application events are recorded automatically, without relying on the application's cooperation, by a trustworthy logging component operating inside a privileged virtual machine. Virtual machine isolation makes it infeasible for applications to bypass the logging component. Trusted Computing attestation allows users to verify the logging properties of remote systems and to ensure that the collected logs are trustworthy.
Despite ongoing research in the area of usable security for distributed systems, there remains a 'trust gap' between the users' requirements and current technological capabilities. To bridge this 'trust gap', this thesis also proposes two different types of distributed systems, one for a computational system and the other for a distributed data system. Central to these systems is the configuration resolver, which maintains a list of trustworthy participants available in the virtual organisation. Users submit their jobs to the configuration resolver, knowing that their jobs will be dispatched to trustworthy participants and executed in protected environments. As a form of evaluation, this thesis suggests how these ideas could be integrated with existing systems, and highlights the potential security enhancements.