Blog on Logs
February 8, 2022
I am brainstorming security requirements for system logging. Can you think of others? Are some of these too lame to bother with? Do you know of specific attacks that might be relevant?
You can reply using an issue or email.
(Update Feb 21: This is documented by OWASP as Log Injection and by CWE as CWE-117. That documentation includes well-defined threat models.)
Confidentiality
Who should be able to read what? A confidentiality attack enables an unauthorized party to access sensitive information stored in logs.
- Logs contain PII of users. Attackers gather PII, then either release it or use it as a stepping stone for further attacks on those users.
- Logs contain technical secrets such as passwords. Attackers use them as a stepping stone for deeper attacks.
Integrity
Which information should be modifiable by whom?
- An attacker with read access to a log uses it to exfiltrate secrets.
- An attack leverages logs to connect with exploitable facets of logging platforms, such as sending in a payload over syslog in order to cause an out-of-bounds write.
Availability
What downtime is acceptable?
- An attacker floods log files in order to exhaust disk space available for non-logging facets of system functioning. For example, the same disk used for log files might be used for SQL storage of application data.
- An attacker floods log files in order to exhaust disk space available for further logging.
- An attacker uses one log entry to destroy other log entries.
- An attacker leverages poor performance of logging code to reduce application performance.
Accountability
Who is responsible for harm?
- An attacker prevents writes in order to cover their tracks.
- An attacker damages the log in order to cover their tracks.
- An attacker causes the wrong identity to be logged in order to conceal the responsible party.
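As an added example (not from the original post), here is how the CWE-117 log-injection case behind "destroy other log entries" and "wrong identity logged" plays out in Python: a user-supplied field containing a newline forges a second, fake record when logged naively, while neutralizing control characters or emitting JSON keeps each event on exactly one line. The sample username and field layout are constructed for the illustration.

```python
import json
import re

# Constructed sample input: a "username" submitted by a user. The embedded
# newline is a forged log record claiming that admin logged in successfully.
MALICIOUS_USER = "alice\n2022-02-08T10:00:01Z INFO login user=admin result=success"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_log_line(ts: str, level: str, user: str, result: str) -> str:
    """Unsafe: user-controlled text is written into the line unchanged,
    so CR/LF inside it becomes a new (attacker-authored) log entry."""
    return f"{ts} {level} login user={user} result={result}"


def neutralize(value: str) -> str:
    """Replace control characters (including CR and LF) with a visible
    escape, so one logical event can never span or fake a line boundary."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def safe_log_line(ts: str, level: str, user: str, result: str) -> str:
    """Hardened plain-text form: every untrusted field passes through neutralize()."""
    return f"{ts} {level} login user={neutralize(user)} result={result}"


def json_log_line(ts: str, level: str, user: str, result: str) -> str:
    """Structured form: json.dumps escapes newlines inside string values, so the
    record is always one line and the original user value survives round-trip."""
    record = {"ts": ts, "level": level, "event": "login", "user": user, "result": result}
    return json.dumps(record)


def count_records(text: str) -> int:
    """How many log records a consumer would see when splitting on newlines."""
    return len([line for line in text.split("\n") if line])


if __name__ == "__main__":
    ts = "2022-02-08T10:00:00Z"
    for fn in (naive_log_line, safe_log_line, json_log_line):
        line = fn(ts, "INFO", MALICIOUS_USER, "failure")
        print(f"{fn.__name__}: {count_records(line)} record(s)\n{line}\n")
```

The naive formatter yields two records, one of them the attacker's forged success for `admin`; both hardened forms yield one.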