Nitro is a high-performance, tamper-evident logging system built entirely on Linux eBPF. It ensures forward security (FA) and offers provable security guarantees through the XLog secure logging protocol proposed in our paper.
Nitro is based on our paper published at ACM Conference on Computer and Communications Security (CCS) 2025:
Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System
Rui Zhao, Muhammad Shoaib, Viet Tung Hoang, and Wajih Ul Hassan
🏅 Distinguished Paper Award
```bibtex
@inproceedings{nitro,
  title     = {Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System},
  author    = {Zhao, Rui and Shoaib, Muhammad and Hoang, Viet Tung and Hassan, Wajih Ul},
  booktitle = {ACM Conference on Computer and Communications Security (CCS)},
  year      = {2025},
}
```

Security teams rely on logs to reconstruct attacks — but traditional loggers are too slow, lose data, or require expensive hardware. Nitro brings together cryptography, operating systems, and modern kernel technology to deliver logs that are:
- Tamper-evident (attackers cannot silently alter history)
- Fast and scalable (handles enterprise-level workloads)
- Practical to deploy (no kernel patches, works with standard Linux)
- 🔒 **Stronger Security**: Every log entry is cryptographically protected, making it obvious if attackers try to modify or delete logs.
- ⚡ **High Performance**: Nitro handles massive workloads with 10×–25× speedups in stress tests and 2×–10× faster performance in real-world scenarios, all while avoiding data loss.
- 🛠 **Easy to Deploy**: Runs fully in eBPF, meaning no kernel recompilation, no special hardware, and smooth integration on modern Linux systems.
- 🧩 **Built for Today's SOCs**: Designed to support security teams with reliable logs for forensics, incident response, and compliance.
- 🗂 **Nitro-R Extension**: An optional add-on that reduces duplicate or redundant logs before they leave the kernel, cutting down storage and runtime costs even further.
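The property behind the tamper-evidence claim, shown as an added illustration that is not Nitro's code and not the XLog construction from the paper: a generic forward-secure MAC chain in which the key evolves one-way per entry and each tag covers the previous tag, so an auditor holding the initial key detects edits, deletions and truncation. Key names, record layout and the sample entries are all constructed for this example.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed illustration only: a generic forward-secure MAC chain, not XLog.
K0 = hashlib.sha256(b"constructed-demo-root-key").digest()  # shared only with the auditor
GENESIS = b"\x00" * 32                                       # "previous tag" before entry 0

def evolve(key: bytes) -> bytes:
    """One-way key update k_{i+1} = H(k_i). Once the logger erases k_i, a later
    compromise yields only k_{i+1} onward, so earlier tags cannot be re-forged."""
    return hashlib.sha256(b"evolve|" + key).digest()

def tag_entry(key: bytes, index: int, prev_tag: bytes, entry: bytes) -> bytes:
    """Tag binds position, previous tag and content, so reorder, edit and deletion all break it."""
    return hmac.new(key, index.to_bytes(8, "big") + prev_tag + entry, hashlib.sha256).digest()

def append_log(entries: list[bytes], k0: bytes = K0) -> list[tuple[int, bytes, bytes]]:
    """Logger side: emit (index, entry, tag) records while keeping only the current key."""
    key, prev_tag, records = k0, GENESIS, []
    for i, entry in enumerate(entries):
        tag = tag_entry(key, i, prev_tag, entry)
        records.append((i, entry, tag))
        prev_tag, key = tag, evolve(key)          # the old key is discarded here
    return records

def verify_log(records, k0: bytes = K0, expected_count: int | None = None) -> tuple[bool, int]:
    """Auditor side: re-derive every key from k0 and replay the chain.
    Returns (ok, position): position of the first bad record, or the record count if ok."""
    key, prev_tag = k0, GENESIS
    for pos, (i, entry, tag) in enumerate(records):
        if i != pos:                              # a deleted record shows up as an index jump
            return False, pos
        if not hmac.compare_digest(tag_entry(key, i, prev_tag, entry), tag):
            return False, pos                     # edited content, wrong key or broken chain
        prev_tag, key = tag, evolve(key)
    if expected_count is not None and len(records) != expected_count:
        return False, len(records)                # truncation: trailing records missing
    return True, len(records)

# Constructed syscall-style entries standing in for captured log lines.
SAMPLE = [b"execve pid=4242 /usr/bin/ls", b"openat pid=4242 /etc/hosts", b"exit_group pid=4242"]
RECORDS = append_log(SAMPLE)

if __name__ == "__main__":
    edited = list(RECORDS)
    edited[1] = (1, b"openat pid=4242 /etc/motd", RECORDS[1][2])   # content changed, tag kept
    print(verify_log(RECORDS), verify_log(edited), verify_log(RECORDS[:2], expected_count=3))
```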
Run the provided script to install all necessary components:

```bash
./bcc_install.sh
```

For CentOS systems, you need to install BCC (BPF Compiler Collection) manually:

- Clone the BCC repository:

  ```bash
  git clone https://github.com/iovisor/bcc
  ```

- Install dependencies and build: follow the official BCC installation instructions from the repository you just cloned.

📌 Tip: You can also refer to `bcc_install.sh` in this repo for version-specific dependencies and setup guidance.
We provide a prebuilt Ubuntu 22.04 image with kernel 6.8.0, including Nitro and all dependencies preinstalled.
You can download the VM here.
- Default credentials:
  - username: `nitro`
  - password: `Nitro`
- Place the image on the host, e.g. `/tmp/Nitro.qcow2`.
- Create the VM by importing the existing disk:

  ```bash
  sudo virt-install \
    --name Nitro \
    --ram 307200 --vcpus 36 \
    --cpu host-passthrough \
    --disk path=/tmp/Nitro.qcow2,format=qcow2,bus=virtio \
    --os-variant ubuntu22.04 \
    --network network=default,model=virtio \
    --import \
    --graphics none
  ```

- Get the VM's IP:

  ```bash
  virsh domifaddr Nitro
  ```

- Log in:

  ```bash
  ssh nitro@<vm-ip>
  ```

Alternatively, using the virt-manager GUI:

- Open virt-manager → "Import existing disk image".
- Select `Nitro.qcow2`, set OS type to Ubuntu 22.04, and choose virtio for disk/NIC.
- Assign vCPUs/RAM (use the paper or dev profile), finish, boot, and log in as `nitro`.
Tips
• Disable unnecessary background services in the guest to reduce noise during benchmarking.
• If you need stable timings, pin vCPUs and consider using hugepages on the host.
This repository contains the following key scripts and sources:

- `Nitro.py`: Loader/runner for the C-side programs Nitro and Nitro-R. It compiles/loads the eBPF program, opens the ring buffer, captures logs streamed from kernel space, and writes them to disk. It also exposes command-line options for runtime configuration.
- `Nitro.c` & `Nitro.h`: Core eBPF logic of Nitro and its header definitions, including MAC processing (XLog), log capture, two-level buffers (per-CPU array / ring buffer), and two-level time controllers (SGAP/GAP).
- `Nitro-R.c` & `Nitro-R.h`: Variant of the core logic (Nitro-R) and its headers, including all Nitro features plus kernel-side log reduction.
- `Decoder.py`: Userspace decoder for kernel-encoded records. It can be invoked at runtime (decode on the fly) or post hoc (decode after capture). Post-hoc decoding gives better runtime performance; for easier auditing and inspection, runtime decoding is enabled by default.
- `bcc_install.sh`: One-step script to install eBPF/BCC dependencies (primarily for Ubuntu).

See the Evaluation Readme for more details.
Nitro includes two main components:

- `Nitro.c`: the eBPF-based system call logger
- `Nitro.py`: the Python-based log parser and printer
To start capturing system calls with the general default settings, run:

```bash
python3 Nitro.py --full-fixed-len 3000 \
  --full-flex 8000 \
  --flexsize 32 \
  --ring-size 64 \
  --total-max-flex 100 \
  --commsize 64 \
  --gap 1000000000 \
  --sgap 200000000 \
  --output-file "./log.txt"
```

This setting works well for most scenarios.
| Option | Description | Default |
|---|---|---|
| `-f, --full-fixed-len` | Full fixed buffer length | 3000 |
| `-x, --full-flex` | Full flex buffer length | 8000 |
| `-z, --flexsize` | Flex MAC size | 32 |
| `-r, --ring-size` | Ring buffer size (MB) | 64 |
| `-t, --total-max-flex` | Total max flex entries | 100 |
| `-c, --commsize` | Communication buffer size | 64 |
| `-s, --sgap` | First-level time threshold (ns) | 200000000 |
| `-g, --gap` | Second-level time threshold (ns) | 1000000000 |
| `-o, --output-file` | Output file path | `./log.txt` |
Running Nitro-R:

- Open `Nitro.py` and go to line 28.
- Replace:

  ```python
  BPF_SOURCE_CODE = open('Nitro.c', 'rb').read().decode()
  ```

  with

  ```python
  BPF_SOURCE_CODE = open('Nitro-R.c', 'rb').read().decode()
  ```

Nitro is licensed under the GNU General Public License v3.0 (GPLv3).
