Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.

Slide 1: Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Devin J. Pohly (1), Stephen McLaughlin (1), Patrick McDaniel (1), Kevin Butler (2)
(1) Pennsylvania State University, (2) University of Oregon
Annual Computer Security Applications Conference (ACSAC) 2012
Presented by 左昌國, 12/11, 2012, ADLab, NCU

Slide 2: Outline
- Introduction
- Design
- System-Level Object Model
- Implementation
- Evaluation
- Conclusion

Slide 3: Introduction
Data provenance
- A record of the origin and evolution of data in a system
- Useful for forensic analysis
Current approaches
- System call interception: Lineage File System, PASSv2, Forensix. Insufficient fidelity: activity that does not pass through the intercepted system calls is missed.
- VFS handling: Story Book provenance system, FUSE API. Insufficient breadth: only the filesystem layer is observed, not the rest of the system.

Slide 4: Introduction: Linux Security Modules
- LSM is a framework originally designed for integrating custom access control mechanisms into the Linux kernel
- "Security fields" in kernel data structures (e.g. the security pointer in struct inode)
- "Hooks" in kernel code (e.g. the inode_permission hook, as used by SELinux)
- The hook placement has been repeatedly analyzed and refined in the literature to ensure that every access is mediated; Hi-Fi reuses exactly this property to see every security-relevant operation

Slide 5: (figure only; no slide text survives)

Slide 6: Design
Three components:
- Provenance collector (the LSM, in the kernel)
- Provenance log (the channel from kernel to user space)
- Provenance handler (the user-space process that consumes the log)

Slide 7: Design: Threat Model
- In scope: any userspace compromise
- Out of scope: kernel-level compromise
- Protecting the collected log from an attacker on the host: an isolated disk-level versioning system, or a write-once read-many (WORM) storage system

Slide 8: Design: Provenance Collector
Events recorded:
- Read/write on a file descriptor
- File operations
- IPC
- Network communication
- Program execution
- Creation/deletion of credential objects
- User transition

Slide 9: System-Level Object Model
provid
- A small integer which is reserved for an object until that object is destroyed (the number can then be reused)

Slide 10: System-Level Object Model: System, Processes, and Threads
System
- A random UUID is created at boot time
Processes and threads
- Tracked through the cred structure (referenced from task_struct)
- Process fork: new credentials are created
- A provid is assigned to each created cred structure

Slide 11: System-Level Object Model
Files and filesystems
- Identified by filesystem UUID + inode number
Pipes and message queues
- Pipe: the data queue is modeled as a file
- Message queue: a provid for each message

Slide 12: System-Level Object Model: Sockets
- Identifier: UUID + counter
- The sender chooses an identifier for the remote receive queue and transmits it along with the first data packet

Slide 13: Implementation Details
Efficient data transfer
- relay: a kernel ring buffer made up of a set of preallocated sub-buffers
- Represented as a regular file in user space
Early boot provenance
- The LSM is initialized as early as possible
- Provenance is stored in a small temporary buffer until the VFS (which relay needs) is initialized
Operating system integration
- The handler is launched via /etc/inittab
- Shutdown: terminate all other processes before the handler, so their final actions are still recorded
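The log path on this slide, as an added userspace model that is not the paper's kernel code: records emitted before the VFS exists are staged in a small temporary buffer, relay_init() replays them once the ring is available, and the handler drains the ring one preallocated sub-buffer at a time. Buffer sizes, the record layout and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the Hi-Fi log path described on the slide: records are
 * staged in a small early-boot buffer until the VFS (and so relay) exists, then
 * flow through a ring of preallocated sub-buffers which the userspace handler
 * drains one sub-buffer at a time. Sizes are made up for illustration. */

#define NSUB   4              /* preallocated sub-buffers in the ring */
#define SUBSZ  3              /* records per sub-buffer */
#define BOOTSZ 8              /* records the temporary early-boot buffer holds */

struct rec { uint32_t actor; uint32_t type; };

static struct rec ring[NSUB][SUBSZ];
static int ring_fill[NSUB];   /* records currently held in each sub-buffer */
static int prod_sub;          /* sub-buffer the collector is writing */
static int cons_sub;          /* sub-buffer the handler reads next */
static int relay_ready;       /* 0 until the VFS is up and the relay channel exists */
static int dropped;           /* records lost because every sub-buffer was unread */

static struct rec bootbuf[BOOTSZ];
static int boot_len;

int records_dropped(void) { return dropped; }

/* Collector side: append one record; move to the next sub-buffer when the
 * current one is full, but never overwrite one the handler has not drained. */
static int ring_push(struct rec r)
{
    if (ring_fill[prod_sub] == SUBSZ) {
        int next = (prod_sub + 1) % NSUB;
        if (next == cons_sub) { dropped++; return -1; }
        prod_sub = next;
    }
    ring[prod_sub][ring_fill[prod_sub]++] = r;
    return 0;
}

/* Entry point the LSM hooks would call. */
int provenance_emit(uint32_t actor, uint32_t type)
{
    struct rec r = { actor, type };
    if (!relay_ready) {                       /* early boot: stage, do not drop */
        if (boot_len == BOOTSZ) { dropped++; return -1; }
        bootbuf[boot_len++] = r;
        return 0;
    }
    return ring_push(r);
}

/* Called once the VFS is initialized: bring up relay and replay staged records.
 * Returns how many early-boot records were moved into the ring. */
int relay_init(void)
{
    int n = boot_len;
    relay_ready = 1;
    for (int i = 0; i < n; i++)
        ring_push(bootbuf[i]);
    boot_len = 0;
    return n;
}

/* Handler side: read one sub-buffer, which is the view the relay file gives.
 * out must hold SUBSZ records; returns the number copied, 0 if nothing is pending. */
int handler_read(struct rec *out)
{
    int n = ring_fill[cons_sub];
    if (n == 0) return 0;
    memcpy(out, ring[cons_sub], (size_t)n * sizeof *out);
    ring_fill[cons_sub] = 0;
    if (cons_sub != prod_sub)                 /* a completed sub-buffer: release it */
        cons_sub = (cons_sub + 1) % NSUB;
    return n;
}

int main(void)
{
    struct rec buf[SUBSZ];
    provenance_emit(1, 1);                    /* emitted before relay exists */
    printf("replayed %d staged record(s)\n", relay_init());
    for (int i = 0; i < NSUB * SUBSZ + 1; i++)
        provenance_emit(2, (uint32_t)i);      /* one more than the ring can hold */
    printf("dropped %d\n", records_dropped());
    for (int n; (n = handler_read(buf)) > 0;)
        printf("handler got %d record(s), first type %u\n", n, buf[0].type);
    return 0;
}
```

The drop path is the part worth watching in a real deployment: a collector that must not block the kernel has to either discard records or stall the producer when the handler falls behind, and a discarded record is a gap in the provenance graph. Counting drops, as records_dropped() does here, is the minimum needed to know whether the log can still be trusted to be complete.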

Slide 14: Implementation Details: Provenance-Opaque Flag
- The problem: the handler calls read on the log, which triggers the file_permission hook, which appends another record to the log, which the handler then reads, and so on: an infinite loop
- The fix: the handler process is marked with the "security.hifi" flag (an extended attribute in the security namespace), and the collector does not record the actions of a process carrying it
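The object model of slides 9 to 12 and the opaque-flag check of slide 14, as one added userspace model (not the paper's LSM code): a provid allocator that reserves a small integer until the object is destroyed, file and socket identifiers built on the boot UUID, a cred-style task record that gets a fresh provid on fork, and a file_permission hook that skips logging for the opaque handler. The UUID bytes, inode numbers, the flat array standing in for the relay log and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model of the identifiers in Hi-Fi's object model and of
 * the provenance-opaque flag. Added example; not the paper's LSM code. The
 * boot UUID, inode numbers and sizes here are made up. */

/* --- provid: a small integer reserved for an object until it is destroyed --- */
#define MAX_PROVID 64
static uint64_t provid_inuse;             /* bit i set => provid i is allocated */

int provid_alloc(void)
{
    for (int i = 0; i < MAX_PROVID; i++)
        if (!(provid_inuse & (1ULL << i))) {
            provid_inuse |= 1ULL << i;
            return i;
        }
    return -1;                            /* space exhausted (toy limit) */
}

void provid_free(int id)                  /* object destroyed: number may be reused */
{
    if (id >= 0 && id < MAX_PROVID)
        provid_inuse &= ~(1ULL << id);
}

/* --- identifiers that must be unique across boots carry the boot-time UUID --- */
struct hifi_uuid { uint8_t b[16]; };
static const struct hifi_uuid boot_uuid =  /* constructed; drawn randomly at boot in the real system */
    {{ 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 }};

struct file_id { struct hifi_uuid fs; uint64_t ino; };   /* filesystem UUID + inode number */
struct sock_id { struct hifi_uuid sys; uint32_t ctr; };  /* system UUID + counter */
static uint32_t sock_ctr;

struct sock_id sock_id_new(void)          /* sender picks this for the remote receive queue */
{
    struct sock_id s = { boot_uuid, ++sock_ctr };
    return s;
}

/* --- tasks carry the provid of their cred and the opaque flag --- */
struct task { int provid; int opaque; };

struct task task_fork(const struct task *parent)   /* new cred => new provid */
{
    struct task child = { provid_alloc(), parent->opaque };
    return child;
}

/* --- the log (a plain array standing in for the relay buffer) --- */
#define LOG_SIZE 32
struct event { int actor; char kind[8]; uint64_t ino; };
static struct event log_buf[LOG_SIZE];
static int log_len;

int log_count(void) { return log_len; }
const struct event *log_entry(int i) { return (i >= 0 && i < log_len) ? &log_buf[i] : NULL; }

static int log_append(int actor, const char *kind, uint64_t ino)
{
    if (log_len >= LOG_SIZE) return -1;
    struct event *e = &log_buf[log_len++];
    e->actor = actor;
    e->ino = ino;
    snprintf(e->kind, sizeof e->kind, "%s", kind);
    return log_len;
}

/* file_permission hook: record the access unless the caller is provenance-opaque.
 * Without this check the handler's read of the log would itself be logged, and
 * its next read would see that record, forever. Returns the new log length, or 0
 * when the access was deliberately not recorded. */
int hook_file_permission(const struct task *t, const struct file_id *f, int write)
{
    if (t->opaque)
        return 0;
    return log_append(t->provid, write ? "write" : "read", f->ino);
}

int main(void)
{
    struct task shell = { provid_alloc(), 0 };
    struct task handler = { provid_alloc(), 1 };   /* marked via security.hifi */
    struct file_id logfile = { boot_uuid, 4711 };  /* constructed inode number */
    hook_file_permission(&shell, &logfile, 1);     /* recorded */
    hook_file_permission(&handler, &logfile, 0);   /* not recorded */
    for (int i = 0; i < log_count(); i++)
        printf("provid %d %s inode %llu\n", log_entry(i)->actor, log_entry(i)->kind,
               (unsigned long long)log_entry(i)->ino);
    return 0;
}
```

Two points the model makes visible. A provid alone is not a durable identifier, since it is reused after the object is destroyed; anything that must be matched across reboots (files, socket endpoints) therefore carries the boot UUID as well. And the opaque flag is a deliberate blind spot: whichever process carries it is invisible in the log, so in a deployment it should be set on nothing but the handler.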

Slide 15: Evaluation (figure only): attacker A compromises host B, and the compromise spreads from B to host C

Slide 16: Evaluation: Persistence and Stealth

Slide 17: Evaluation: Remote Control
- Open a shell
- Exfiltration
- Write a file

Slide 18: Evaluation: Spread

Slide 19: Evaluation: Performance
- Microbenchmark
- Macrobenchmark: 2.8% time overhead on a kernel build

Slide 20: Conclusion
- This paper presents a high-fidelity provenance record
- The record can be used to observe the behavior of malware
- Low overhead