Result: Time Capsule: Secure Recording of Accesses to a Protected Datastore
More information
We present an approach for transparently recording accesses to protected storage. In particular, we provide a framework for data monitoring in a virtualized environment using only the abstractions exposed by the hypervisor. To achieve our goals, we explore techniques for efficiently harvesting application code pages resident in memory at the time disk operations hit the I/O ring, and subsequently apply novel heuristics to overcome the “semantic gap” issue between file-system objects and disk blocks. Our forensic layer records all transactions in a version-based audit log that allows for faithful reconstruction of accesses to the datastore over time. We provide an empirical evaluation of our design that shows our approach to be promising, and very accurate in mapping application to block level access patterns—even under very noisy conditions.