Annual Computer Security Applications Conference (ACSAC) 2012

Hi-Fi: Collecting High-Fidelity Whole-System Provenance

Presentation: pdf, 1.2MB
Paper: pdf, 120KB

Devin Pohly, Pennsylvania State University, United States
Stephen McLaughlin, Pennsylvania State University, United States
Patrick McDaniel, Pennsylvania State University, United States
Kevin Butler, University of Oregon, United States

Abstract:
Data provenance—a record of the origin and evolution of data in a system—is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.
