An Automated Approach to Reveal Missing Logs Around Sensitive Operations

Azahari, Afiqah M.; Balzarotti, Davide
ACM Journal on Digital Threats: Research and Practice, 7 May 2026


Log messages can play a significant role in different activities, including debugging, monitoring, and security analysis. Yet they are often placed only for the convenience of development rather than for security relevance. For reliable logging to support security and forensic investigations, logs should be positioned along all execution paths that lead to critical operations that process untrusted user input. This placement ensures that any such operation leaves a reliable and observable trace in the forensic trail. In this paper, we present BlindSpot, an automated static analysis tool to extract inter-procedural paths where the parameters of critical calls appear within a log statement. Our approach incorporates data-flow and control-flow analysis to precisely capture the relationships between program nodes and model those log elements that are consistently encountered from input to untrusted critical calls (pre-execution), as well as those that always follow afterward (post-execution). We tested our approach on ten desktop applications, containing 124 sensitive operations that process untrusted input. Our tool revealed significant inconsistencies in logging practices: only 37 of these actions (29.8%) have any associated log statements, and just 8 are logged prior to execution. This reliance on post-execution logging presents a risk because if a critical operation is exploited or causes a crash or failure, the log statements that follow may never execute, leaving no trace for forensic analysis. We also find that log statements are very often conditional and executed only along specific paths. In our analysis, we found that only 5 out of 124 critical operations (4%) are associated with an unconditional log. Through BlindSpot, we demonstrate how the inconsistency, conditionality, and absence of logs around critical operations raise concerns about the reliability of logs as a source of evidence.
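To make the abstract's pre-execution, post-execution and conditional categories concrete, here is an added Python example; it is not BlindSpot's code or algorithm. It is a single-function approximation that assumes a fixed list of sensitive calls and logger names, orders statements by line number, and treats both arms of an `if` as the same guard.

```python
import ast

SINKS = {"os.system", "subprocess.run"}   # assumed sensitive calls
LOGGERS = {"logging", "log", "logger"}    # assumed logger object names
BRANCHING = (ast.If, ast.For, ast.While, ast.Try)

def _names(call):
    """Variable names appearing in a call's arguments."""
    args = call.args + [k.value for k in call.keywords]
    return {n.id for a in args for n in ast.walk(a) if isinstance(n, ast.Name)}

def _calls(node, guards=()):
    """Yield (call, guards); guards are ids of the enclosing branch nodes."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.Call):
            yield child, guards
        inner = guards + (id(child),) if isinstance(child, BRANCHING) else guards
        yield from _calls(child, inner)

def classify(source):
    """Return {function name: [verdict per sensitive call]}."""
    report = {}
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        calls = list(_calls(fn))
        logs = [(c, g) for c, g in calls if ast.unparse(c.func).split(".")[0] in LOGGERS]
        sinks = [(c, g) for c, g in calls if ast.unparse(c.func) in SINKS]
        for sink, sg in sinks:
            # A log is related when it mentions a variable passed to the sink.
            related = [(c, g) for c, g in logs if _names(c) & _names(sink)]
            pre = [g for c, g in related if c.lineno < sink.lineno]
            # Unconditional: every branch guarding the log also guards the sink.
            if any(sg[:len(g)] == g for g in pre):
                verdict = "pre-unconditional"
            elif pre:
                verdict = "pre-conditional"
            else:
                verdict = "post-only" if related else "unlogged"
            report.setdefault(fn.name, []).append(verdict)
    return report

SAMPLE = '''
def export(path):
    os.system("tar cf out.tar " + path)
    logging.info("exported %s", path)
def convert(path, verbose):
    if verbose:
        logging.debug("converting %s", path)
    os.system("convert " + path)
def open_doc(path):
    logging.info("opening %s", path)
    os.system("xdg-open " + path)
'''  # constructed sample; it is only parsed, never executed
```

On the constructed sample, `classify(SAMPLE)` reports `export` as post-only, `convert` as pre-conditional and `open_doc` as pre-unconditional; only the last leaves a trace if the call crashes or is exploited.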


Type: Journal
Date: 2026-05-07
Department: Digital Security
Eurecom Ref: 8747
Copyright: © ACM, 2026. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Journal on Digital Threats: Research and Practice, 7 May 2026
DOI: https://doi.org/10.1145/3812653

PERMALINK : https://www.eurecom.fr/publication/8747