EmLog: Tamper-Resistant System Logging for Constrained Devices with TEEs

Shepherd, Carlton; Akram, Raja Naeem; Markantonakis, Konstantinos

doi:10.1007/978-3-319-93524-9_5

Cited by 14 publications

(11 citation statements)

References 27 publications

(55 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Protection for flow tracking application [59] Trusted framework to develop IoT applications [36] Protection for health data [73] Secure architecture for P2P scenarios [24] Protection for edge computing [63] Comparison between TEE and secure multi-party computation application [62] Protection for video application [46], [69] Secure logger [13], [76] Protection for system analyser [49] Societal model for IoT security [68] Protection for location-based services [60] Trusted auditor [47] Protection for data dissemination [61] Data encryption mechanism [56] Protection for data management [14] Data protection (app) [71] Protection for data aggregation (app) [75] Checker for Industrial gateway communications [52] Lightweithg anonymous authentication [25] Remote attestation mechanism [38] Device snapshot authentication system [32] Control-flow attestation [37] Authentication scheme [58] Remote attestation and channel protection [44] Secure authentication and key distribution [67] Boot attestation [53] Protection for data through authentication [50] Protection and attestation for remote terminal [65] Device private keys protection architecture [28] Remote attestation [64] Keys derivation from device characteristics [31] Authenticity detection service [40] Keys protection against cold boot attacks [55] Cache rootkit exploiting TrustZone [35] vendors, e.g., ARM and Intel, already present many of the general advantages, such as hardware isolation (normal world and the secure world) and mem...…”

Section: Tee Advantages and Disadvantagesmentioning

confidence: 99%

See 1 more Smart Citation

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

et al. 2021

View full text Add to dashboard Cite

Trusted Execution Environments have been applied to improve data security in many distinct application scenarios since they enable data processing in a separate and protected region of memory. To investigate how this technology has been applied to the different IoT scenarios, which commonly deal with specific characteristics such as device resource constraints, we carried out a systematic literature review. For this, we selected and analyzed 58 papers from different conferences and journals, identifying the main IoT solutions and scenarios in which TEE has been employed. We also gathered the mentioned TEE advantages and disadvantages as well as the suggestions for future works. This study gives a general overview of the use of TEEs for cloud/fog-based IoT applications, bringing some challenges and directions.

show abstract

Section: Tee Advantages and Disadvantagesmentioning

confidence: 99%

“…Shepherd et al [76] proposed group logging schemes for multiple devices and comparing the TEE performance for the secure logger solution. Pinto et al [43] proposed implementing the protection for real-time OS in edge devices and integrating it with other hardware anchors.…”

Section: Suggested Future Workmentioning

confidence: 99%

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Tamper Proof Storage of Logs using Trusted Platform Module 2.0 is explained in (Sinha et al,2014). EmLog as a Tamper-Resistant System Logging introduced for Constrained Devices with Trusted Execution Environments (TEEs) (Shepherd et al, 2017). Secure Audit Logging with iButton based tamper resistant hardware solution was proposed in (Chong et al, 2003) which further use encryption and ROM storage.…”

Section: Related Workmentioning

confidence: 99%

Audit Logs Management and Security - A Survey

Ali

Ahmed

Khan

2021

KJS publishes peer-review articles in Mathematics, Computer Sci

View full text Add to dashboard Cite

Audit logs are key resources that show the current state of the systems and user activities and are used for cyber forensics and maintenance. These logs are the only source that can help in finding traces of some malicious activities or troubleshooting a system failure. Insight view for troublefree availability of computing resources and performance monitoring and meaningful forensic audit depends on the management and archival system of audit logs. These logs are prone to multidimensional threats and superusers or system administrators have unprecedented access to these logs and can alter these logs as and when required. Similarly, repudiation is another serious issue in computer forensics and non-repudiation can be provided by a secure recording of event logs. Periodic backups, encrypted data transfer, off-site storage and certificate based storage of these logs are commonly being used. In this survey, we searched for the requirements of securing audit logs and available approaches to secure these logs. Based on the available literature, a taxonomy of audit log management is developed. We have drawn a comparison between these approaches and also highlighted the current challenges to these logs security and their available options.

show abstract

“…While the aid of trusted hardware (as in [57], [89], [111]) can help overcome these issues (e.g., by protecting the secrecy of the current key after full system compromise), it is not a panacea. Interacting with a TEE still requires addressing attack vectors such as rollback attacks and protocol termination attacks, and accounting for these issues often leads to large overheads [46], [78], [80].…”

Section: Threat Model and Goalsmentioning

confidence: 99%

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Paccagnella

Datta

Hassan

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

System auditing is a central concern when investigating and responding to security incidents. Unfortunately, attackers regularly engage in anti-forensic activities after a breakin, covering their tracks from the system logs in order to frustrate the efforts of investigators. While a variety of tamper-evident logging solutions have appeared throughout the industry and the literature, these techniques do not meet the operational and scalability requirements of system-layer audit frameworks. In this work, we introduce CUSTOS, a practical framework for the detection of tampering in system logs. CUSTOS consists of a tamper-evident logging layer and a decentralized auditing protocol. The former enables the verification of log integrity with minimal changes to the underlying logging framework, while the latter enables near real-time detection of log integrity violations within an enterprise-class network. CUSTOS is made practical by the observation that we can decouple the costs of cryptographic log commitments from the act of creating and storing log events, without trading off security, leveraging features of off-the-shelf trusted execution environments. Supporting over one million events per second, we show that CUSTOS' tamper-evident logging protocol is three orders of magnitude (1000×) faster than prior solutions and incurs only between 2% and 7% runtime overhead over insecure logging on intensive workloads. Further, we show that CUSTOS' auditing protocol can detect violations in near realtime even in the presence of a powerful distributed adversary and with minimal (3%) network overhead. Our case study on a real-world APT attack scenario demonstrates that CUSTOS forces anti-forensic attackers into a "lose-lose" situation, where they can either be covert and not tamper with logs (which can be used for forensics), or erase logs but then be detected by CUSTOS.

show abstract

EmLog: Tamper-Resistant System Logging for Constrained Devices with TEEs

Cited by 14 publications

References 27 publications

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

Audit Logs Management and Security - A Survey

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

Contact Info

Product

Resources

About