ISSN: 2182-2069 (printed) / ISSN: 2182-2077 (online)
Evidence Collection and Preservation System with Virtual Machine Monitoring
In system audit and verification, it is critical to collect logs and preserve them as evidence of execution environments, execution processes, and program execution results. For logs to serve as effective evidence, their authenticity must be guaranteed, along with the authenticity of files and other information related to program execution. This paper proposes ECoPS, a system for preserving evidence of program execution using a VMM (Virtual Machine Monitor). ECoPS uses the VMM to isolate both the acquired information and the acquisition mechanism from the monitored guest OS, so that an attacker who compromises the guest cannot alter them. The study also addresses the semantic gap problem for the information that may be required as evidence. It presents examples of program execution evidence and demonstrates that ECoPS can detect a specific attack. Finally, we report the results of measuring the performance overhead of benchmark programs and of the KVM compilation process.