English

Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System

Cryptography and Security 2025-09-09 v2

Abstract

Existing tamper-evident logging systems suffer from high overhead and severe data loss in high-load settings, yet only provide coarse-grained tamper detection. Moreover, installing such systems requires recompiling kernel code. To address these challenges, we present Nitro, a high-performance, tamper-evident audit logging system that supports fine-grained detection of log tampering. Even better, our system avoids kernel recompilation by using the eBPF technology. To formally justify the security of Nitro, we provide a new definitional framework for logging systems, and give a practical cryptographic construction meeting this new goal. Unlike prior work that focus only on the cryptographic processing, we codesign the cryptographic part with the pre- and post-processing of the logs to exploit all system-level optimizations. Our evaluations demonstrate Nitro's superior performance, achieving 10X-25X improvements in high-stress conditions and 2X-10X in real-world scenarios while maintaining near-zero data loss. We also provide an advanced variant, Nitro-R that introduces in-kernel log reduction techniques to reduce runtime overhead even further.

Keywords

Cite

@article{arxiv.2509.03821,
  title  = {Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System},
  author = {Rui Zhao and Muhammad Shoaib and Viet Tung Hoang and Wajih Ul Hassan},
  journal= {arXiv preprint arXiv:2509.03821},
  year   = {2025}
}

Comments

This paper has been accepted to the ACM Conference on Computer and Communications Security (CCS) 2025

R2 v1 2026-07-01T05:20:15.309Z