Posted Nov 19, 2011 2:36 UTC (Sat) by nybble41 (subscriber, #55106)
> Does anyone know what that "secure write-only location" is, in practice? Does my existing computer have one, or is this a new piece of hardware?
Most modern computers have one. On UNIX systems it's generally known as /dev/null. :)
More seriously, I suspect the intent was "write-once", a.k.a. "append-only". A CD-R or DVD+/-R in packet mode would probably qualify. For that matter, an old line printer (or a receipt printer) could probably be rigged to do the job.
The Journal - a proposed syslog replacement
Posted Nov 19, 2011 8:54 UTC (Sat) by PO8 (guest, #41661)
Yeah, please excuse my skepticism of this proposal, coming from a group of people advocating a major security change that can't even get basic terminology right. Back in the day, BYTE Magazine used to run an annual April Fools ad for various kinds of write-only memory chips; they reportedly got lots of serious responses from folks interested in purchasing.
Note that just storing the recent hash isn't good enough: the attacker could simply write over it with the last hash on their reconstructed chain, using whatever mechanism the OS was using to write the store. The whole hash chain needs to be kept on the secure store, and append-only is the obvious way to do this. For an append-only store I'd suggest flash and a dedicated microcontroller; see my post above.
Note also that even in this scheme the defender has the sometimes-difficult burden of figuring out at what timestamp the attacker compromised the system, so that the defender can tell which log messages to ignore.
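The two storage schemes contrasted above, as an added illustration that is not part of the original comment: a hash chain over a constructed sample log, a verifier that keeps only the newest hash (fooled when the intruder rewrites the tail and overwrites that hash), and a verifier against an append-only store of every hash, which also reports the index of the first rewritten entry, i.e. the compromise point the defender needs.

```python
import hashlib

GENESIS = "0" * 64  # constructed starting value for the chain

def entry_hash(prev_hash: str, entry: str) -> str:
    """Hash of one log entry chained to its predecessor: H(prev || entry)."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()

def build_chain(entries, prev=GENESIS):
    """Return the list of chain hashes, one per entry, in order."""
    hashes = []
    for e in entries:
        prev = entry_hash(prev, e)
        hashes.append(prev)
    return hashes

def verify_head_only(entries, stored_head):
    """Weak scheme: the secure store holds only the most recent hash."""
    return bool(entries) and build_chain(entries)[-1] == stored_head

def verify_append_only(entries, stored_chain):
    """Strong scheme: the store holds every hash and cannot be rewritten.
    Returns the index of the first entry whose hash disagrees, or None."""
    recomputed = build_chain(entries)
    for i, (a, b) in enumerate(zip(recomputed, stored_chain)):
        if a != b:
            return i
    if len(recomputed) != len(stored_chain):
        return min(len(recomputed), len(stored_chain))
    return None

# Constructed sample log; entries 2 and 3 are what the intruder wants hidden.
ORIGINAL = [
    "sshd: accepted publickey for alice",
    "sudo: alice : COMMAND=/usr/bin/apt upgrade",
    "sshd: accepted password for root",
    "kernel: unsigned module loaded",
]
# The intruder rewrites the log from the compromise point and recomputes.
FORGED = ORIGINAL[:2] + ["cron: daily backup finished", "sshd: session closed"]

def demo():
    """Returns (head_only_fooled, first_bad_index) for the forged log."""
    honest_store = build_chain(ORIGINAL)   # hashes written as entries arrived
    forged_chain = build_chain(FORGED)
    # Head-only store: intruder overwrites the single stored hash with theirs.
    fooled = verify_head_only(FORGED, forged_chain[-1])
    # Append-only store still holds the honest hashes; mismatch at index 2.
    first_bad = verify_append_only(FORGED, honest_store)
    return fooled, first_bad
```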
The Journal - a proposed syslog replacement
Posted Nov 19, 2011 14:39 UTC (Sat) by endecotp (guest, #36428)
> I suspect the intent was "write-once", a.k.a. "append-only"
Ah OK. But:
- I don't have any append-only hardware on any of my systems (apart from optical drives and printers, but they're not serious options in most cases). So this is still going to require new hardware, in other words it's a non-starter.
- If I did have append-only hardware, I could just save the log in it. Yes it's bigger than the hashes, but not dramatically bigger, and it has the advantage of actually being tamper-proof rather than just tamper-evident.
(Again, have I missed something?)
The Journal - a proposed syslog replacement
Posted Nov 19, 2011 17:19 UTC (Sat) by PO8 (guest, #41661)
I certainly agree with your second statement; see my comments above.
For the first, I'm not sure requiring HW is a non-starter. It would have to be cheap---say $20 or less---to start with. Eventually, motherboard manufacturers would just start throwing it on the board, increasing the price of the board by $.50 given reduced costs and increased volume. We've seen that pattern over and over with dedicated hardware. Another possible path in this case is to make an append-only store controller part of the TPM spec (if it isn't already---I haven't looked).
There was a time (and I lived through it) where it was believed that memory protection hardware for microprocessors was a non-starter. Eventually people decided to pay: partly for security reasons. So there's some hope.
The Journal - a proposed syslog replacement
Posted Nov 19, 2011 17:57 UTC (Sat) by endecotp (guest, #36428)
> I'm not sure requiring HW is a non-starter. It would
> have to be cheap---say $20 or less---to start with.
Here's an idea that I had a while ago: make a USB dongle that appears to be a USB-to-serial converter. Data that is sent to it is recorded in its flash; you configure your system to send log messages to it like a serial console.
My aim was to have a "dying breath" log for machines where networked logging wasn't feasible, e.g. a single co-located server. The idea is that if there is a kernel panic and the critical last log messages don't make it to the disk, they might still make it to this device. You could then re-mount it, potentially on another machine, where it would appear as a storage device containing the log files.
You could make this relatively secure by not allowing a transition from logging mode to read mode without re-plugging.
This could be implemented by a simplish microcontroller with USB device functionality. Maybe a bit more than a PIC, but not much more.
One thing that I was unsure of was how likely it would be that the host's USB system would keep running for long enough after a kernel crash. Perhaps a real serial device, or a console video recorder, would work in more cases. This device would be rather pointless if it were no more reliable than the disk.
Anyway, just a tangential thought for you all...
There are already such devices on the market...
Posted Nov 20, 2011 8:04 UTC (Sun) by khim (subscriber, #9252)
What you are describing looks awfully close to the "PS3 JailBreak dongle".
PS3 Jailbreak works by overflowing a receiving buffer in the PS3, so it needs to emulate four or five (depending on Jailbreak payload) USB devices, return bogus information with jailbreak code, etc. Significantly more than what your "logging device" should do. These devices' prices start from about $10 retail, and this is with tiny runs, so not much of the "economy of scale". More expensive ones (in the aforementioned range of about $20) may even emulate a USB stick to make use after a successful JailBreak more pleasant!
In short: what you are describing looks perfectly doable.
The Journal - a proposed syslog replacement
Posted Nov 23, 2011 22:42 UTC (Wed) by cas (subscriber, #52554)
> Here's an idea that I had a while ago: make a USB dongle that appears to be a USB-to-serial converter. Data that is sent to it is recorded in its flash; you configure your system to send log messages to it like a serial console.
This bit of the idea is good
> You could make this relatively secure by not allowing a transition from logging mode to read mode without re-plugging.
but this bit isn't. It would make more sense and be far more usable if the USB dongle presented two devices.
The first device being a (perhaps serial) output device for writing log entries, with maybe a control option for rotating log files by YYYYMMDD or whatever. Each line sent to the device should have a "filename" (or syslog facility, or some other identifier) as the first word/field, with the remainder of the line being the log entry.
The second a *read-only* USB storage device for reading the logs whenever you like.
So, the one device would provide write-once/append-only logging, and random read access to those logs.
Such a device could be made dirt cheap, too. It's just a USB flash disk with a slightly more capable processor & USB interface.
The Journal - a proposed syslog replacement
Posted Dec 20, 2011 7:46 UTC (Tue) by topher (guest, #2223)
> For the first, I'm not sure requiring HW is a non-starter. It would have to be cheap---say $20 or less---to start with.
Yes, it is a non-starter. There is no computer (or parts) manufacturer that is going to start including specialized hardware, even if it only cost $0.01 US, for a system that doesn't exist yet, and that hasn't been adopted.
Especially when a lot of people, including some of us who have spent years dealing with logging retention, access, security, processing, alerting, etc, look at this and think it's a bad idea.