1
Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Devin J. Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2
1 Pennsylvania State University, 2 University of Oregon
Annual Computer Security Applications Conference (ACSAC) 2012
左昌國, 12/11/2012, Seminar @ ADLab, NCU
2
Outline
- Introduction
- Design
- System-Level Object Model
- Implementation
- Evaluation
- Conclusion
3
Introduction
- Data provenance: a record of the origin and evolution of data in a system; useful for forensic analysis
- Current approaches:
  - System call interception (Lineage File System, PASSv2, Forensix): insufficient fidelity
  - VFS handling (Story Book provenance system, FUSE API): insufficient breadth
4
Introduction: Linux Security Modules (LSM)
- LSM is a framework originally designed for integrating custom access control mechanisms into the Linux kernel
- "Security fields" in kernel data structures, e.g. in the inode
- "Hooks" in kernel code, e.g. inode_permission, as implemented by SELinux
- The hook placement has been repeatedly analyzed and refined in the literature to ensure that every access is mediated
5
6
Design
- Provenance collector
- Provenance log
- Provenance handler
7
Design: Threat Model
- Any userspace compromise is in scope
- Kernel-level compromise: the log itself is protected by an isolated disk-level versioning system or a write-once read-many (WORM) storage system
8
Design: Provenance Collector
The collector hooks record:
- Read/write of a file descriptor
- File operations
- IPC
- Network communication
- Program execution
- Creation/deletion of credential objects
- User transitions
9
System-Level Object Model
- provid: a small integer which is reserved for an object until it is destroyed
10
System-Level Object Model: System, Processes, and Threads
- System: a random UUID is created at boot time
- Processes and threads: identified by the cred structure (e.g. the one in task_struct); a provid is assigned to each created cred structure
- Process fork: a new credential is created, and so a new provid
11
System-Level Object Model: Files, Pipes, and Message Queues
- Files and filesystems: UUID + inode number
- Pipes: the data queue is modeled as a file
- Message queues: a provid for each message
12
System-Level Object Model: Sockets
- UUID + counter
- The sender chooses an identifier for the remote receive queue and transmits it along with the first data packet
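The object model on the slides above can be exercised in user space. The following C program is an added example for this write-up, not code from the Hi-Fi kernel module: it models the provid as a small integer held until the object is destroyed (a bitmap stands in for the kernel's id allocator), a file identifier as UUID plus inode number, and a socket identifier as UUID plus counter. All type and function names, the two constructed UUID constants and the "uuid:inode" log format are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROVID_MAX 32   /* deliberately small so exhaustion is easy to hit */

/* provid: a small integer reserved for an object until it is destroyed.
 * A bitmap stands in for the kernel's id allocator (assumption). */
static bool provid_live[PROVID_MAX];

int provid_alloc(void)
{
    for (int id = 0; id < PROVID_MAX; id++) {
        if (!provid_live[id]) {
            provid_live[id] = true;
            return id;
        }
    }
    return -1;                                  /* table exhausted */
}

void provid_free(int id)                        /* object destroyed */
{
    if (id >= 0 && id < PROVID_MAX)
        provid_live[id] = false;
}

bool provid_is_live(int id)
{
    return id >= 0 && id < PROVID_MAX && provid_live[id];
}

/* A random UUID is generated at boot; these constructed constants stand in
 * for the UUIDs of two different systems/filesystems. */
struct hifi_uuid { uint8_t b[16]; };
const struct hifi_uuid UUID_A = {{ 0x0a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71,
                                   0x82, 0x93, 0xa4, 0xb5, 0xc6, 0xd7, 0xe8, 0xf9 }};
const struct hifi_uuid UUID_B = {{ 0xde, 0xad, 0xbe, 0xef }};   /* rest zero */

/* Files: UUID + inode number.  The inode number alone is reused after
 * deletion and repeats across filesystems; the UUID disambiguates. */
struct hifi_file_id { struct hifi_uuid uuid; uint64_t ino; };

struct hifi_file_id file_id(const struct hifi_uuid *u, uint64_t ino)
{
    struct hifi_file_id id = { *u, ino };
    return id;
}

bool file_id_eq(const struct hifi_file_id *a, const struct hifi_file_id *b)
{
    return a->ino == b->ino &&
           memcmp(a->uuid.b, b->uuid.b, sizeof a->uuid.b) == 0;
}

/* Render as "<uuid hex>:<ino>" (this example's own log format). */
int file_id_str(char *buf, size_t n, const struct hifi_file_id *f)
{
    size_t off = 0;
    for (size_t i = 0; i < sizeof f->uuid.b && off + 3 <= n; i++)
        off += (size_t)snprintf(buf + off, n - off, "%02x", f->uuid.b[i]);
    return (int)off + snprintf(buf + off, n - off, ":%llu",
                               (unsigned long long)f->ino);
}

/* Sockets: UUID + counter.  The sender draws the id for the remote receive
 * queue and sends it with the first data packet, so both ends' logs name
 * the same object without a negotiation round trip. */
struct hifi_sock_id { struct hifi_uuid boot; uint64_t counter; };
static uint64_t sock_counter;

struct hifi_sock_id sock_id_alloc(const struct hifi_uuid *boot)
{
    struct hifi_sock_id id = { *boot, ++sock_counter };
    return id;
}

int main(void)
{
    char buf[64];
    int p = provid_alloc();                     /* e.g. a new cred on fork */
    struct hifi_file_id f = file_id(&UUID_A, 42);
    file_id_str(buf, sizeof buf, &f);
    printf("provid %d opened %s\n", p, buf);
    provid_free(p);                             /* cred destroyed: id reusable */
    return 0;
}
```

The point of the provid lifecycle is that a freed id may be handed to a new object, so a log consumer must treat a provid as unique only between its allocation and the corresponding destruction record; the UUID-qualified file and socket identifiers, by contrast, are meant to be globally unique.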
13
Implementation Details
- Efficient data transfer: relay, a kernel ring buffer made up of a set of preallocated sub-buffers, represented as a regular file in user space
- Early boot provenance: the LSM is initialized as early as possible; provenance is stored in a small temporary buffer before the VFS (needed by relay) is initialized
- Operating system integration: /etc/inittab; at shutdown, terminate other processes before the handler
14
Implementation Details: Provenance-Opaque Flag
- Problem: the handler calls read, which triggers the file_permission hook, which adds another action to the log, which the handler then reads: a loop
- Solution: a flag, "security.hifi", is set for the handler process, marking it provenance-opaque
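To see how the LSM hook, the relay ring, the early-boot buffer and the opaque flag fit together, here is an added example in C written for this page; it is not Hi-Fi's LSM code and runs entirely in user space. It models relay as a ring of preallocated sub-buffers, parks records in a temporary buffer until the relay is "initialised", and routes a handler's reads of the log file through a file_permission-style hook. The hook records every read by a non-opaque task, so a handler without the flag never drains the queue; with the flag it drains it. The task struct, buffer sizes, relay file path, record layout and all function names are this example's assumptions; only the MAY_READ/MAY_WRITE values mirror the kernel's permission-mask bits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NSUBBUF     4                    /* preallocated sub-buffers */
#define SUBBUF_RECS 8                    /* records per sub-buffer */
#define RELAY_RECS  (NSUBBUF * SUBBUF_RECS)
#define EARLY_RECS  16                   /* temporary buffer before relay exists */
#define MAY_WRITE   2                    /* kernel mask bits passed to file_permission */
#define MAY_READ    4

struct record { int provid; char action[8]; char obj[32]; };
struct task   { int provid; bool prov_opaque; };   /* prov_opaque <- "security.hifi" */

/* relay: ring of preallocated sub-buffers; user space reads it as a regular
 * file.  head/tail are linear counters; the slot is taken modulo the ring. */
static struct record sub[NSUBBUF][SUBBUF_RECS];
static size_t head, tail, dropped;
static bool relay_ready;

/* Early-boot provenance is parked here until the VFS, and so relay, is up. */
static struct record early[EARLY_RECS];
static size_t early_n;

void hifi_reset(void)
{
    head = tail = dropped = early_n = 0;
    relay_ready = false;
}

static void relay_write(const struct record *rec)
{
    if (head - tail == RELAY_RECS) { dropped++; return; }   /* ring full */
    size_t slot = head++ % RELAY_RECS;
    sub[slot / SUBBUF_RECS][slot % SUBBUF_RECS] = *rec;
}

static bool relay_read(struct record *out)
{
    if (tail == head) return false;
    size_t slot = tail++ % RELAY_RECS;
    *out = sub[slot / SUBBUF_RECS][slot % SUBBUF_RECS];
    return true;
}

size_t relay_pending(void) { return head - tail; }
size_t relay_dropped(void) { return dropped; }

/* Collector: append one record, to the early buffer if relay is not ready. */
void hifi_log(int provid, const char *action, const char *obj)
{
    struct record rec = { .provid = provid };
    snprintf(rec.action, sizeof rec.action, "%s", action);
    snprintf(rec.obj, sizeof rec.obj, "%s", obj);
    if (!relay_ready) {
        if (early_n < EARLY_RECS) early[early_n++] = rec; else dropped++;
        return;
    }
    relay_write(&rec);
}

/* Called once the VFS is initialised: flush the early-boot buffer in order. */
void hifi_relay_init(void)
{
    relay_ready = true;
    for (size_t i = 0; i < early_n; i++) relay_write(&early[i]);
    early_n = 0;
}

/* Model of the file_permission hook, which mediates every file access.
 * A provenance-opaque task (the handler) is not recorded: otherwise each of
 * its reads of the relay file would append a record for it to read next. */
int hook_file_permission(const struct task *t, const char *path, int mask)
{
    if (!t->prov_opaque)
        hifi_log(t->provid, (mask & MAY_WRITE) ? "write" : "read", path);
    return 0;                            /* Hi-Fi observes; it never denies */
}

/* Handler loop: read records through the hook until the file is empty.
 * Returns the number consumed, or -1 if max_reads went by without the queue
 * ever draining (the feedback loop a non-opaque handler falls into).
 * The relay path is an assumed name, not Hi-Fi's. */
int drain_relay(const struct task *handler, int max_reads)
{
    struct record rec;
    for (int n = 0; n < max_reads; n++) {
        hook_file_permission(handler, "/sys/kernel/debug/hifi/log", MAY_READ);
        if (!relay_read(&rec)) return n;
    }
    return -1;
}

/* Boot-to-handler scenario: two records before relay init, two after, then
 * a handler with or without the opaque flag drains the log. */
int run_scenario(bool handler_opaque)
{
    struct task init    = { .provid = 1, .prov_opaque = false };
    struct task handler = { .provid = 2, .prov_opaque = handler_opaque };
    hifi_reset();
    hook_file_permission(&init, "/etc/inittab", MAY_READ);   /* parked in early[] */
    hook_file_permission(&init, "/etc/passwd", MAY_READ);
    hifi_relay_init();                                        /* 2 records flushed */
    hook_file_permission(&init, "/tmp/out", MAY_WRITE);
    hook_file_permission(&init, "/tmp/in", MAY_READ);
    return drain_relay(&handler, 100);
}

int main(void)
{
    printf("opaque handler consumed %d records\n", run_scenario(true));
    printf("non-opaque handler: %d (never drains)\n", run_scenario(false));
    return 0;
}
```

The same reasoning applies to anything else the handler touches while running (its own log output, the WORM store): every file it opens is mediated by the hook, so the opaque marking, not a per-path exclusion, is what keeps the handler out of its own record.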
15
Evaluation
(figure: attacker A compromises host B, and the compromise spreads to host C)
16
Evaluation: Persistence and Stealth
17
Evaluation: Remote Control
- Open shell
- Exfiltration
- Write a file
18
Evaluation: Spread
19
Evaluation: Performance
- Microbenchmark
- Macrobenchmark: 2.8% time overhead (building a kernel)
20
Conclusion
- This paper presents a high-fidelity provenance record
- This record can be used to observe the behavior of malware
- Low overhead