Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Presentation (1.2MB) | Paper (120KB)
Devin Pohly, Pennsylvania State University, United States
Stephen McLaughlin, Pennsylvania State University, United States
Patrick McDaniel, Pennsylvania State University, United States
Kevin Butler, University of Oregon, United States
Abstract:
Data provenance—a record of the origin and evolution of data in a system—is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.
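The kind of forensic query the abstract has in mind (which processes, files and connections fed into a tampered file; what a suspicious remote connection went on to touch) is a graph query over the whole-system record. The following is an added example, not Hi-Fi's code and not its record format: it builds a time-ordered information-flow graph from a constructed event stream (the event tuple layout, node names, PIDs and addresses are all invented for illustration) and answers a backward lineage query and a forward impact query on it. The causal bound on each path (a read at step 9 can only be influenced by writes at or before step 9) is what keeps the answer from over-approximating.

```python
from collections import defaultdict

# Constructed sample event stream (hypothetical; not Hi-Fi's record format).
# Each event is (seq, kind, actor, target): `actor` is always the process
# performing the action, `target` is the process, file or socket acted on.
EVENTS = [
    (1,  "exec",  "proc:init/1",    "proc:sshd/200"),
    (2,  "read",  "proc:sshd/200",  "file:/etc/ssh/sshd_config"),
    (3,  "recv",  "proc:sshd/200",  "sock:10.0.0.5:51234"),
    (4,  "exec",  "proc:sshd/200",  "proc:bash/301"),
    (5,  "exec",  "proc:bash/301",  "proc:curl/302"),
    (6,  "recv",  "proc:curl/302",  "sock:203.0.113.9:80"),
    (7,  "write", "proc:curl/302",  "file:/tmp/.x"),
    (8,  "exec",  "proc:bash/301",  "proc:.x/303"),
    (9,  "read",  "proc:.x/303",    "file:/tmp/.x"),   # loader reading the image
    (10, "write", "proc:.x/303",    "file:/etc/passwd"),
    (11, "read",  "proc:cron/50",   "file:/etc/crontab"),  # unrelated activity
]

# Direction of information flow for each event kind: True if data flows
# from target into actor (inbound), False if from actor into target.
INBOUND = {"read": True, "recv": True, "write": False, "send": False, "exec": False}


def build_flows(events):
    """Index events as directed flows: inflow[dst] and outflow[src] lists of (other, seq, kind)."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    for seq, kind, actor, target in events:
        src, dst = (target, actor) if INBOUND[kind] else (actor, target)
        inflow[dst].append((src, seq, kind))
        outflow[src].append((dst, seq, kind))
    return inflow, outflow


def ancestors(inflow, node, before):
    """Backward lineage: every node that could have influenced `node` through
    flows at or before `before`, with the bound tightening along each path."""
    explored = {}            # node -> largest bound already searched from it
    result = set()
    stack = [(node, before)]
    while stack:
        n, bound = stack.pop()
        if explored.get(n, -1) >= bound:
            continue         # already searched with an equal or looser bound
        explored[n] = bound
        for src, seq, _ in inflow.get(n, ()):
            if seq <= bound:
                result.add(src)
                stack.append((src, seq))
    return result


def descendants(outflow, node, after):
    """Forward impact: every node that `node` could have influenced through
    flows at or after `after`, the mirror image of ancestors()."""
    explored = {}            # node -> smallest bound already searched from it
    result = set()
    stack = [(node, after)]
    while stack:
        n, bound = stack.pop()
        if explored.get(n, float("inf")) <= bound:
            continue
        explored[n] = bound
        for dst, seq, _ in outflow.get(n, ()):
            if seq >= bound:
                result.add(dst)
                stack.append((dst, seq))
    return result


INFLOW, OUTFLOW = build_flows(EVENTS)
LAST_SEQ = max(e[0] for e in EVENTS)


def lineage_of(node):
    """Everything that contributed to `node` as of the end of the record."""
    return ancestors(INFLOW, node, LAST_SEQ)


def impact_of(node):
    """Everything `node` contributed to, from the start of the record."""
    return descendants(OUTFLOW, node, 0)


if __name__ == "__main__":
    for n in sorted(lineage_of("file:/etc/passwd")):
        print("feeds /etc/passwd:", n)
    for n in sorted(impact_of("sock:203.0.113.9:80")):
        print("tainted by 203.0.113.9:", n)
```

On this constructed record, the lineage of `/etc/passwd` reaches back through the dropped binary, curl, the shell, sshd and the two remote endpoints, while `cron` and `/etc/crontab` stay out of the answer because no flow connects them; the forward query from the download connection lists only the four nodes it actually reached. A real collector would emit many more event kinds (mmap, pipes, IPC, credential changes) and would need to handle PID reuse by giving each process instance a unique id, as the `name/pid` labels here only pretend to.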
