Persistent memory device with hardware-enforced write control for secure logging
Publication Date: 2013-Jun-11
The IP.com Prior Art Database
Special-purpose NVRAM (like a PRAM DIMM) with special logic to restrict writing to the device. The intention is that computer system logs can be used for forensic analysis, as it is not possible for software to overwrite the ring-buffer data before a well-defined point in time.
Disclosed is a special non-volatile memory DIMM (like PRAM) with modified write logic, so that it can be used as a dedicated log device embedded in a computer system in such a way that it is impossible for the computer's software to tamper with already written log data before a given time. The capacity of the log device can be sized so that it is guaranteed that log data younger than N days is not overwritten.
When a computer system is compromised by malicious software, the intruder usually gains write access to the computer system's logs and can alter the log entries in order to hide traces of suspicious activities. This severely hampers the detection and analysis of intrusions into computer systems, which is especially critical for servers and other enterprise computer systems.
Operating-system software or additional security software running on a computer system can try to prevent manipulation of system logs, but it cannot completely prevent it.
Sending log entries to another computer system provides a separate repository of log entries, but it does not keep the intruder from deactivating or rerouting the log stream. In addition, network transfer of log entries has various other drawbacks, including the need for the remote server and the network link to it to be available, and the fact that (potentially sensitive) log data has to be transferred over the network.
Only a solution that provides hardware-level protection and is tightly integrated into the physical system can provide maximum security.
We describe a physical log device based on non-volatile random access memory (NVRAM) whose write access is controlled by additional hardware logic in order to make sure that software cannot manipulate log entries stored on the log device.
The content of the log device, once written, cannot be modified by software for a certain period of time, e.g., 14 days. This means that if a computer system with a log device is compromised, the intruder cannot remove evidence of the intrusion, even with full root access to the system. This allows detailed forensic analysis.
The physical security of the log data is coupled to the physical security of the computer system that contains it. For critical computer systems, this is usually the best security possible.
Data access is as fast as with other RAM devices. This means that write operations are performed immediately, so if the computer system's kernel crashes directly after writing to the log device, the last log entry is still accessible.
Throttling: Conditions in which too much data is written to the log device can be detected easily, and throttling makes sure that the log device is not flooded. Optionally, an error/warning indication may be generated if the throttling threshold is exceeded.
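The following is an added software model of the write-control logic described above (the retention window, the capacity sizing for N days, and the throttling threshold); it is illustrative code, not part of the disclosure, and the slot count, window lengths and status codes are constructed assumptions, since the disclosure gives no register layout or record format.

```python
# Software model of the write-control logic in front of the NVRAM ring
# buffer. All parameters are constructed for illustration; the disclosure
# gives no register layout or slot size. Records are fixed-size slots, the
# write pointer only ever advances, and there is deliberately no operation
# that rewrites an existing slot: software can only append.
DAY = 86_400  # seconds

# Status codes the controller reports back, modelled on a status register.
OK, THROTTLED, RETAINED = "ok", "throttled", "retained"


class SecureLogDevice:
    def __init__(self, slots, retain_days, max_per_day):
        self.slots = [None] * slots      # each slot holds (timestamp, data)
        self.head = 0                    # next slot to write; append-only
        self.retain_s = retain_days * DAY
        self.max_per_day = max_per_day   # throttling threshold
        self.recent = []                 # write timestamps within the last day
        self.warnings = 0                # count of throttling events

    def write(self, ts, data):
        # Throttling: refuse when the last 24 h already hold max_per_day
        # writes, so a flood cannot advance the pointer through old data.
        self.recent = [t for t in self.recent if ts - t < DAY]
        if len(self.recent) >= self.max_per_day:
            self.warnings += 1
            return THROTTLED
        # Time-based limitation: the slot about to be recycled must be older
        # than the retention window, otherwise the write is rejected.
        old = self.slots[self.head]
        if old is not None and ts - old[0] < self.retain_s:
            return RETAINED
        self.slots[self.head] = (ts, data)
        self.head = (self.head + 1) % len(self.slots)
        self.recent.append(ts)
        return OK

    def records(self):
        """Read-only view of what is stored, in slot order."""
        return [s for s in self.slots if s is not None]


def min_slots(retain_days, max_per_day):
    """Capacity that guarantees a record younger than retain_days is never
    the one being recycled while throttling is in force; one extra day
    covers alignment of the sliding 24 h window with the retention window."""
    return (retain_days + 1) * max_per_day
```

With a device sized below `min_slots`, the retention check rejects writes once the ring wraps onto data that is still inside the window, which is the condition the sizing rule is meant to rule out.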
Time-stamp based limitation: An alert mechanism can be...