I have been working on a project lately that I don’t really get to talk about much, but it is a technology that I am quite fond of: Immutable Log Files. For those of you who do not know what these are, immutable logs are log files protected from tampering and erroneous insertion. Depending upon the implementation, the files can have additional protections from poisoning and fictional recreation/forgery as well. There are many other names for this type of technology, such as content integrity verification, court admissible evidentiary data, incontrovertible data, and even “signed and sequenced” data. Regardless of name, the intent is to create a tamper-resistant archive of events. A high level overview of the process might look like the following:
Take a log entry, syslog for example, and add a time stamp and/or sequence number to that entry. Create a digital hash of the log entry to ensure integrity, and cryptographically sign it so you know the hash was produced by whatever authority is entrusted with managing the log. Now the log entry contains self-validating information as well. Each subsequent log entry would be bundled with one or more data points from previous log entries prior to creating the hash, to ensure that the sequence of events has not been altered. What you end up with is a chain of events that can be verified for data integrity.
There are many variants to this process that offer additional assurances, but that is the gist of it. I had the opportunity back in 1998 to implement a variant of this technology based upon what I consider to be ground-breaking work by John Kelsey, then of Counterpane. We had a specific problem with dispute resolution we needed to address in our e-Commerce system, and this paper describes both a generic approach to solving the problem, but also includes some references that were specific to our technology and not applicable to most needs. There are a few vendors that have advanced the state of the art in this area, but they largely go unnoticed by the security community at large. While this is a valuable technology for solving certain problems, it remains a rare feature.
I am writing this post as I have a request from both the security and the IT practitioner community. I am interested in knowing if you or your organization uses this type of technology today, or if it is something you have considered? If you are a product vendor and you are thinking about implementing such a technology as a competitive differentiator, I would greatly appreciate a heads-up. I am seeing some indications that this may be a requirement for government based upon the recent draft for tamper resistant syslog files by John Kelsey of NIST, J Callas of PGP, and A Clemm from Cisco, but the status of this draft work remains elusive. I have spoken with a half dozen security strategists who consider this a compelling solution to several different data integrity problems in the areas of eDiscovery and electronic data archival. If this is something you have interest in, please take a minute and post a comment or shoot me an email at alane at securosis with the obligatory dot and com postfix. I would very much like to know what your thoughts are.
Reader interactions
7 Replies to “Immutable Log Files”
I suspect the fact that there is no market merely means that whatever crimes one could facilitate by falsifying the logs are currently more easily done some other way.
It’s like when I was a young auditor in one of my past lives: Having a technical background, I would find technically interesting ways that someone could break into the system. My boss would say “Maybe we should concentrate on the fact that they have cleartext passwords in their publicly-accessible scripts.”
Or it may be that falsified logs are part of an attack that is so complicated that it does not happen very often.
Either way, until there are some high-profile attacks using falsified logs in the news, it will be a hard sell as a business model.
@Michael – Thanks for the comment. There has not been a lack of research, just a lack of market, as you pointed out. There have been a half dozen companies who seriously went after this market, and a handful of private individuals, all chasing the same sales ideas. Just not a viable market. But as you say, it might be one day. Like DRM. Been waiting for 12 years on both …
-Adrian
Hello Adrian,
I have pondered this for awhile, too. I have even put together a plan for putting signed log hashes to CD (but not the logs themselves, for practical reasons).
I somewhat agree with Anton that this is a solution looking for a problem. I haven’t heard of any cases where log integrity was ripped apart in a court of law (it doesn’t mean they don’t exist—they probably do—but it’s not making any headlines that I read). My sense is that a typical jury is not technical enough to appreciate the complexities of log integrity, and that logs which have no evidence of modification are “good enough.”
From a technical point of view, there’s always a system component that has to be trusted. If I sign my logs, how do I know the binary I am using to sign them hasn’t been compromised? And if I am worried about compromised logs, does it make sense to do the validation on the same system that could be compromising the log?
Another technical challenge is that it’s computationally expensive to do this on a log-by-log basis, which is why a daily rotation may be good enough. Then again, if it is a solution looking for a problem…
I think more research needs to be done here, and I welcome the discussion. Just because it may not be important today doesn’t mean that it won’t be important tomorrow.
-Michael Starks
ImmutableSecurity.com
Actually, voting machines is where is does have a chance, albeit slight.
Also, a lot of discussion re: immutable logs focused on “so, why isn’t it a good idea?” which is misplaced.
OBVIOUSLY, it IS a good idea…
… that nobody cares about.
Why not voting machines? Isn’t this one area where an attestation of previous events with certifiable integrity be a problem in need of a solution? I think so, but your point is well taken that the vendors have not demonstrated urgency in terms of securing their machines or the results they produce. Nor have the states that use the devices mandated this effort.
Whenever I’ve heard about this, I always thought “solution looking for a problem”…
[…] Rich: Adrian’s post on Immutable Log Files. […]