Annual Computer Security Applications Conference (ACSAC) 2012

Hi-Fi: Collecting High-Fidelity Whole-System Provenance

Data provenance—a record of the origin and evolution of data in a system—is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.
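The abstract describes provenance as a record of where data came from and how it evolved, collected for every operation the kernel mediates, and says that such a record supports forensic analysis. As an added illustration (not code from the Hi-Fi paper, its authors, or the Linux Security Modules framework), the Python below models the analysis side of that idea: each recorded operation becomes a directed information-flow edge between a process and a file or socket, and two traversals that respect event ordering answer the analyst's questions "what fed into this object?" (backward) and "what did this input go on to influence?" (forward). The event format, sequence numbers, process names, paths, and the 198.51.100.10 address (from the documentation range) are all constructed for the example.

```python
"""Toy model of whole-system provenance analysis.

Added example, not the Hi-Fi implementation: a kernel-level recorder is
assumed to have emitted one event per mediated operation, in order. Here
those events are constructed by hand. The analysis turns them into an
information-flow graph and walks it backward (origin of an object) or
forward (impact of an input), honouring the order in which flows happened.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int     # position in the recorder's log; increases over time
    actor: str   # the process performing the operation
    op: str      # read | exec | recv (into process) or write | send (out of it)
    obj: str     # file, socket, or executable the process touched


FLOW_INTO_ACTOR = {"read", "exec", "recv"}   # object -> process
FLOW_FROM_ACTOR = {"write", "send"}          # process -> object

# Constructed sample log. Event 1-2 show an earlier version of
# /tmp/payload.tar being backed up *before* the download overwrites it; an
# order-blind analysis would wrongly attribute the backup to the download.
SAMPLE_EVENTS = [
    Event(1, "pid:450 (backup)", "read", "/tmp/payload.tar"),
    Event(2, "pid:450 (backup)", "write", "/var/backups/tmp.tar"),
    Event(3, "pid:501 (wget)", "recv", "socket:198.51.100.10:80"),
    Event(4, "pid:501 (wget)", "write", "/tmp/payload.tar"),
    Event(5, "pid:502 (tar)", "read", "/tmp/payload.tar"),
    Event(6, "pid:502 (tar)", "write", "/usr/local/bin/helper"),
    Event(7, "pid:503 (helper)", "exec", "/usr/local/bin/helper"),
    Event(8, "pid:503 (helper)", "read", "/home/alice/notes.txt"),
    Event(9, "pid:503 (helper)", "send", "socket:198.51.100.10:443"),
]


def flow(ev):
    """Map one recorded operation to a directed edge (src, dst)."""
    if ev.op in FLOW_INTO_ACTOR:
        return ev.obj, ev.actor
    if ev.op in FLOW_FROM_ACTOR:
        return ev.actor, ev.obj
    raise ValueError(f"unknown operation {ev.op!r}")


def ancestors(events, target):
    """Everything that could have contributed data to `target`.

    A flow into node N only counts if it happened no later than the flow
    out of N that we are explaining, so stale versions are not blamed.
    """
    incoming = defaultdict(list)          # dst -> [(seq, src)]
    for ev in events:
        src, dst = flow(ev)
        incoming[dst].append((ev.seq, src))

    result, best = set(), {}              # best: node -> largest bound expanded
    queue = deque([(target, float("inf"))])
    while queue:
        node, bound = queue.popleft()
        if best.get(node, -1) >= bound:   # already explored with a looser bound
            continue
        best[node] = bound
        for seq, src in incoming.get(node, ()):
            if seq <= bound:
                result.add(src)
                queue.append((src, seq))
    result.discard(target)
    return result


def descendants(events, source):
    """Everything that `source` could have influenced, forward in time."""
    outgoing = defaultdict(list)          # src -> [(seq, dst)]
    for ev in events:
        src, dst = flow(ev)
        outgoing[src].append((ev.seq, dst))

    result, best = set(), {}              # best: node -> smallest bound expanded
    queue = deque([(source, 0)])
    while queue:
        node, bound = queue.popleft()
        if node in best and best[node] <= bound:
            continue
        best[node] = bound
        for seq, dst in outgoing.get(node, ()):
            if seq >= bound:
                result.add(dst)
                queue.append((dst, seq))
    result.discard(source)
    return result


if __name__ == "__main__":
    print("origin of outbound data:", sorted(ancestors(SAMPLE_EVENTS, "socket:198.51.100.10:443")))
    print("impact of the download: ", sorted(descendants(SAMPLE_EVENTS, "socket:198.51.100.10:80")))
    print("origin of the backup:   ", sorted(ancestors(SAMPLE_EVENTS, "/var/backups/tmp.tar")))
```

The ordering check is the part worth noticing: without it, the graph alone would link the download to the backup copy through the shared path name, because the file was read before it was overwritten. A real whole-system record interleaves flows from every process, so forensic queries over it have to carry time bounds in exactly this way; the traversal here is a generic lineage query, not a description of how Hi-Fi stores or queries its data.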

Author(s):

Devin Pohly
Pennsylvania State University
United States

Stephen McLaughlin
Pennsylvania State University
United States

Patrick McDaniel
Pennsylvania State University
United States

Kevin Butler
University of Oregon
United States
