An architecture for trustworthy services built on event based probing of untrusted guests

Abstract

Numerous event-based probing methods exist for cloud computing environments that allow a trusted hypervisor to gain insight into guest activity. Such event-based probing has been shown to be useful for detecting attacks, detecting system hangs through watchdogs, and inserting exploit detectors before a system can be patched, among other uses. In this paper, we illustrate how to use such probing for trustworthy logging and highlight some of the challenges that existing event-based probing mechanisms do not address. These challenges include ensuring that a probe inserted at a given address is trustworthy despite the lack of attestation for probes that have been inserted dynamically. We show how probes can be inserted so that every invocation of a probed instruction is logged. When combined with attested boot of the hypervisor and guest machines, this ensures that the output stream of monitored events is trustworthy. Using these techniques, we build a trustworthy log of selected guest system-call events that powers a cloud-tuned Intrusion Detection System (IDS). Additionally, we identify new types of events that must be added to existing probing systems so that attempts to circumvent probes from within the guest appear in the log. We quantify the overhead paid by guests to ensure log completeness when faced with probabilistic attacks and show promising results (less than 10% overhead for guests) when a guest is willing to relax the trade-off between log completeness and overhead. Our demonstrative IDS detects common attack scenarios using simple policies built on our guest-behavior recording system.
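
The two mechanisms the abstract names, logging every invocation of a probed instruction and logging guest attempts to circumvent a probe, can be illustrated with a toy hypervisor-side probe monitor. The following C program is an added example written for this page; it is not the paper's implementation. It assumes a software breakpoint style probe (an int3 byte, 0xCC, planted over the original instruction byte with the original kept in a hypervisor-side shadow), a 64-byte constructed guest memory in which the byte at address i is simply i, and a policy of redirecting guest writes to a probed address into the shadow so the probe stays armed while the write is recorded as a tamper event. The abstract does not specify any of these details; they are choices made here to keep the example self-contained.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a hypervisor probe monitor (not the paper's code).
 * Memory size, the int3-style opcode and the tamper-redirection policy are
 * assumptions made for this example. */

#define GUEST_MEM     64     /* bytes of toy guest code memory */
#define MAX_LOG       64     /* bounded event log */
#define PROBE_OPCODE  0xCC   /* int3: the byte a software breakpoint plants */

enum ev_type {
    EV_PROBE_HIT,     /* a probed instruction was executed */
    EV_PROBE_TAMPER   /* guest wrote to a probed address (circumvention attempt) */
};

struct log_entry {
    enum ev_type type;
    uint32_t     addr;
    uint8_t      data;    /* original byte for hits, attempted byte for tampers */
};

struct monitor {
    uint8_t mem[GUEST_MEM];      /* guest-visible memory */
    uint8_t shadow[GUEST_MEM];   /* original byte hidden under each probe */
    uint8_t probed[GUEST_MEM];   /* 1 if a probe is armed at this address */
    struct log_entry log[MAX_LOG];
    int nlog;
    int dropped;                 /* events that did not fit in the log */
};

void monitor_init(struct monitor *m)
{
    memset(m, 0, sizeof *m);
    /* Constructed guest code: byte at address i is i, so the reader can see
     * which original byte a probe hands back to the guest. */
    for (uint32_t i = 0; i < GUEST_MEM; i++)
        m->mem[i] = (uint8_t)i;
}

static void log_event(struct monitor *m, enum ev_type t, uint32_t addr, uint8_t d)
{
    if (m->nlog >= MAX_LOG) { m->dropped++; return; }
    m->log[m->nlog].type = t;
    m->log[m->nlog].addr = addr;
    m->log[m->nlog].data = d;
    m->nlog++;
}

/* Arm a probe: save the original byte and plant the trap opcode. */
int probe_insert(struct monitor *m, uint32_t addr)
{
    if (addr >= GUEST_MEM || m->probed[addr])
        return -1;
    m->shadow[addr] = m->mem[addr];
    m->mem[addr]    = PROBE_OPCODE;
    m->probed[addr] = 1;
    return 0;
}

/* Guest executes the instruction at addr. A trap opcode at an armed address
 * lands in the hypervisor, which logs the hit and supplies the original byte
 * so the guest continues as if it were unprobed. */
uint8_t guest_execute(struct monitor *m, uint32_t addr)
{
    if (addr >= GUEST_MEM)
        return 0;
    if (m->probed[addr] && m->mem[addr] == PROBE_OPCODE) {
        log_event(m, EV_PROBE_HIT, addr, m->shadow[addr]);
        return m->shadow[addr];
    }
    return m->mem[addr];
}

/* Guest writes to memory. A write to a probed address is recorded as a tamper
 * event and redirected into the shadow byte, so the probe stays armed. */
void guest_write(struct monitor *m, uint32_t addr, uint8_t val)
{
    if (addr >= GUEST_MEM)
        return;
    if (m->probed[addr]) {
        log_event(m, EV_PROBE_TAMPER, addr, val);
        m->shadow[addr] = val;
        return;
    }
    m->mem[addr] = val;
}

int count_events(const struct monitor *m, enum ev_type t)
{
    int n = 0;
    for (int i = 0; i < m->nlog; i++)
        if (m->log[i].type == t)
            n++;
    return n;
}

/* Completeness check: one hit per execution of a probed address, nothing dropped. */
int log_is_complete(const struct monitor *m, int executions_of_probed)
{
    return m->dropped == 0 && count_events(m, EV_PROBE_HIT) == executions_of_probed;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m);
    probe_insert(&m, 0x10);
    guest_execute(&m, 0x10);
    guest_execute(&m, 0x10);
    guest_write(&m, 0x10, 0x90);   /* guest tries to NOP out the probe */
    guest_execute(&m, 0x10);       /* still trapped and logged */
    for (int i = 0; i < m.nlog; i++)
        printf("%s addr=0x%02x data=0x%02x\n",
               m.log[i].type == EV_PROBE_HIT ? "HIT   " : "TAMPER",
               m.log[i].addr, m.log[i].data);
    printf("complete=%d\n", log_is_complete(&m, 3));
    return 0;
}
```

The point of the tamper path is the one the abstract makes about circumvention: a guest that overwrites the probed byte must itself generate a logged event, otherwise a silent restore of the original instruction would leave later invocations unlogged while the log still looked consistent. The completeness check compares logged hits against the number of executions of the probed address; in a real deployment that count is what the hypervisor must be able to vouch for, and the abstract's attested boot is what makes the monitor producing this log itself trustworthy.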
