SGX-Log: Securing System Logs With SGX

Abstract

System logs are the greatest forensics assets that capture how an operating system or a program behaves. System logs are often the next immediate attack target once a system is compromised, and it is thus paramount to protect them. This paper introduces SGX-Log, a new logging system that ensures the integrity and confidentiality of log data. The key idea is to redesign a logging system by leveraging a recent hardware extension, called Intel SGX, which provides a secure enclave with sealing and unsealing primitives to protect program code and data in both memory and disk from being modified in an unauthorized manner even from high privilege code. We have implemented SGX-Log atop the recent Ubuntu 14.04 for secure logging using real SGX hardware. Our evaluation shows that SGX-Log introduces no observable performance overhead to the programs that generate the log requests, and it also imposes very small overhead to the log daemons.