Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System

📅 2025-09-03
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing tamper-evident logging systems suffer from high overhead and severe log loss under heavy load, support only coarse-grained tampering detection, and require kernel recompilation. This paper proposes Nitro—the first high-performance, verifiable audit logging system built entirely on eBPF. (1) We establish a formal security definition framework and co-design a lightweight cryptographic mechanism (hash chains + authenticated data structures) with log pre- and post-processing pipelines to enable fine-grained tamper localization and near-zero log loss. (2) We introduce Nitro-R, a variant integrating kernel-space log compression to further reduce overhead. (3) Nitro requires no kernel modifications—neither recompilation nor patching. Evaluation shows Nitro improves throughput by 10–25× under synthetic high-load workloads and by 2–10× in realistic deployments, significantly outperforming state-of-the-art approaches.

📝 Abstract
Existing tamper-evident logging systems suffer from high overhead and severe data loss in high-load settings, yet only provide coarse-grained tamper detection. Moreover, installing such systems requires recompiling kernel code. To address these challenges, we present Nitro, a high-performance, tamper-evident audit logging system that supports fine-grained detection of log tampering. Even better, our system avoids kernel recompilation by using the eBPF technology. To formally justify the security of Nitro, we provide a new definitional framework for logging systems, and give a practical cryptographic construction meeting this new goal. Unlike prior work that focuses only on the cryptographic processing, we co-design the cryptographic part with the pre- and post-processing of the logs to exploit all system-level optimizations. Our evaluations demonstrate Nitro's superior performance, achieving 10X-25X improvements in high-stress conditions and 2X-10X in real-world scenarios while maintaining near-zero data loss. We also provide an advanced variant, Nitro-R, which introduces in-kernel log reduction techniques to reduce runtime overhead even further.
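The abstract contrasts coarse-grained tamper detection (a single verdict for the whole log) with fine-grained detection (pinpointing where the log was altered). The following added example is not Nitro's construction and not code from the paper; it illustrates the general hash-chain idea in plain Python. It assumes an auditor keeps chain checkpoints out of the attacker's reach (for instance, shipped off-host every few entries), so that an attacker who rewrites an entry cannot also rewrite the commitments. Comparing only the final head gives a coarse verdict; comparing every checkpoint localizes the first damaged segment, including truncation past the last checkpoint. The entry names, `GENESIS` value and checkpoint interval are constructed for the demonstration.

```python
"""Hash-chained audit log with checkpoint-based tamper localization.

Illustrative example, not Nitro's construction. Assumes an auditor stores
chain checkpoints out of the attacker's reach (e.g. shipped off-host).
"""
import hashlib
from typing import Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32  # fixed starting link of the chain (assumption)


def chain_hash(prev: bytes, entry: bytes) -> bytes:
    # Each link commits to the previous link and the current entry; the
    # length prefix keeps the encoding unambiguous.
    return hashlib.sha256(prev + len(entry).to_bytes(4, "big") + entry).digest()


def append_all(entries: List[bytes], every: int) -> Dict[int, bytes]:
    """Run the chain over `entries` and return the checkpoints an auditor keeps.

    A checkpoint maps 'number of entries covered' -> chain head at that point.
    The final head is always recorded so the whole log is covered.
    """
    head = GENESIS
    checkpoints: Dict[int, bytes] = {}
    for i, e in enumerate(entries, start=1):
        head = chain_hash(head, e)
        if i % every == 0:
            checkpoints[i] = head
    checkpoints[len(entries)] = head
    return checkpoints


def verify_coarse(entries: List[bytes], checkpoints: Dict[int, bytes]) -> bool:
    """Whole-log check: recompute the chain and compare only the final head."""
    head = GENESIS
    for e in entries:
        head = chain_hash(head, e)
    return head == checkpoints.get(len(entries))


def localize_tamper(entries: List[bytes],
                    checkpoints: Dict[int, bytes]) -> Optional[Tuple[int, int]]:
    """Return the half-open index range [start, end) of the first segment whose
    checkpoint fails, or None if every checkpoint matches.

    A log that is shorter or longer than the last trusted checkpoint is
    reported as a damaged final segment rather than silently accepted.
    """
    head = GENESIS
    seg_start = 0
    for i, e in enumerate(entries, start=1):
        head = chain_hash(head, e)
        if i in checkpoints:
            if head != checkpoints[i]:
                return (seg_start, i)
            seg_start = i
    if len(entries) not in checkpoints:
        return (seg_start, len(entries))
    return None


# Constructed sample entries (not real audit records).
SAMPLE = [f"event={i} user=alice action=open file=/tmp/f{i}".encode()
          for i in range(10)]
CHECKPOINTS = append_all(SAMPLE, every=4)


def demo() -> Tuple[bool, Optional[Tuple[int, int]]]:
    """Rewrite one entry after the fact and show both verdicts."""
    tampered = list(SAMPLE)
    tampered[6] = b"event=6 user=alice action=noop"  # constructed modification
    return verify_coarse(tampered, CHECKPOINTS), localize_tamper(tampered, CHECKPOINTS)


if __name__ == "__main__":
    print("intact:", verify_coarse(SAMPLE, CHECKPOINTS), localize_tamper(SAMPLE, CHECKPOINTS))
    print("tampered:", demo())
```

With a checkpoint every four entries, altering the seventh entry makes the coarse check fail outright, while the localizing check narrows the damage to entries 4 through 7. The granularity is set by how often checkpoints are exported, which is the trade-off between localization precision and the cost of committing state; the paper's authenticated data structures are one way to make that trade-off cheaper than this naive scheme.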
Problem

Research questions and friction points this paper is trying to address.

Address high overhead and data loss in tamper-evident logging
Provide fine-grained tamper detection without kernel recompilation
Co-design cryptographic and system components for optimization
Innovation

Methods, ideas, or system contributions that make the work stand out.

eBPF technology avoids kernel recompilation
Co-designs the cryptographic layer with system-level optimizations
In-kernel log reduction techniques reduce overhead