
Hi-Fi: Collecting High-Fidelity Whole-System Provenance

Annual Computer Security Applications Conference (ACSAC) 2012. Hi-Fi: Collecting High-Fidelity Whole-System Provenance. Devin J. Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2. 1 Pennsylvania State University, 2 University of Oregon. Presented by 左昌國.

Presentation Transcript


  1. Annual Computer Security Applications Conference (ACSAC) 2012
     Hi-Fi: Collecting High-Fidelity Whole-System Provenance
     Devin J. Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2
     1 Pennsylvania State University, 2 University of Oregon
     左昌國, 12/11, 2012, Seminar @ ADLab, NCU

  2. Outline
     • Introduction
     • Design
     • System-Level Object Model
     • Implementation
     • Evaluation
     • Conclusion

  3. Introduction
     • Data provenance
       • A record of the origin and evolution of data in a system
       • Useful for forensic analysis
     • Current approaches
       • System call interception: Lineage File System, PASSv2, Forensix
         • Insufficient fidelity
       • VFS handling: Story Book provenance system (FUSE API)
         • Insufficient breadth

  4. Introduction
     • Linux Security Modules (LSM)
       • A framework originally designed for integrating custom access control mechanisms into the Linux kernel
       • "Security fields" in kernel data structures (e.g. in the inode)
       • "Hooks" in kernel code (e.g. inode_permission in SELinux)
       • The hook placement has been repeatedly analyzed and refined in the literature to ensure that every access is mediated

  5. Introduction

  6. Design
     • Provenance collector
     • Provenance log
     • Provenance handler

  7. Design
     • Threat model
       • Any userspace compromise
       • Kernel-level compromise
       • Isolated disk-level versioning system
       • Write-once read-many storage system

  8. Design – Provenance Collector
     • Read/write on file descriptors
     • File operations
     • IPC
     • Network communication
     • Program execution
     • Creation/deletion of credential objects
     • User transitions

  9. System-Level Object Model
     • provid
       • A small integer which is reserved for an object until it is destroyed

  10. System-Level Object Model: System, Processes, and Threads
      • UUID
        • A random UUID is created at boot time
      • cred structure (e.g. in task_struct)
        • Process fork: new credential
        • A provid for each created cred structure

  11. System-Level Object Model
      • Files and filesystems
        • UUID + inode number
      • Pipes and message queues
        • Pipe: the data queue is modeled as a file
        • Message queue: a provid for each message

  12. System-Level Object Model – Sockets
      • UUID + counter
      • The sender chooses an identifier for the remote receive queue and transmits it along with the first data packet
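Slides 9 through 11 describe a provid as a small integer reserved for an object (a cred structure, a queued message) until that object is destroyed. The following C program is an added illustration written for this transcript, not code from the Hi-Fi paper or its kernel module: it models provid reservation with a 64-bit bitmap (the kernel's real ID allocator is assumed to be different) and walks through the message-queue case, where each message holds a provid from send until receive and the number becomes reusable afterwards. The function names and the PROVID_MAX limit are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model (not Hi-Fi's kernel code) of provid allocation:
 * a provid is a small integer reserved for an object until that object is
 * destroyed, after which the number may be reused. A 64-bit bitmap stands in
 * for the kernel's ID allocator; bit i set means provid i is live. */
#define PROVID_MAX 64
static uint64_t provid_used;

/* Reserve the lowest free provid; returns -1 when all are in use. */
int provid_alloc(void) {
    for (int i = 0; i < PROVID_MAX; i++) {
        uint64_t bit = (uint64_t)1 << i;
        if (!(provid_used & bit)) { provid_used |= bit; return i; }
    }
    return -1;
}

/* Release a provid when its object is destroyed; -1 if it was not live. */
int provid_free(int id) {
    if (id < 0 || id >= PROVID_MAX) return -1;
    uint64_t bit = (uint64_t)1 << id;
    if (!(provid_used & bit)) return -1;
    provid_used &= ~bit;
    return 0;
}

/* Number of provids currently reserved by live objects. */
int provid_live_count(void) {
    int n = 0;
    for (int i = 0; i < PROVID_MAX; i++) n += (int)((provid_used >> i) & 1);
    return n;
}

/* Message-queue scenario from slide 11: every message gets its own provid
 * when queued and gives it back when received. Sends `sent` messages,
 * receives `received` of them in FIFO order, and returns the number of
 * provids still live, or -1 on allocation failure or bad arguments. */
int mq_scenario(int sent, int received) {
    int ids[PROVID_MAX];
    provid_used = 0;
    if (sent < 0 || sent > PROVID_MAX || received < 0 || received > sent) return -1;
    for (int i = 0; i < sent; i++) {
        ids[i] = provid_alloc();
        if (ids[i] < 0) return -1;
    }
    for (int i = 0; i < received; i++)
        if (provid_free(ids[i]) != 0) return -1;
    return provid_live_count();
}

/* Shows reuse: once the first message is received and its provid destroyed,
 * the next message sent gets that lowest free number back. Returns it. */
int reuse_after_receive(void) {
    provid_used = 0;
    int first = provid_alloc();   /* message 0 -> provid 0 */
    (void)provid_alloc();         /* message 1 -> provid 1 */
    provid_free(first);           /* message 0 received, provid 0 destroyed */
    return provid_alloc();        /* message 2 -> provid 0 again */
}

int main(void) {
    printf("live provids after 5 sent / 3 received: %d\n", mq_scenario(5, 3));
    printf("provid handed out after a receive: %d\n", reuse_after_receive());
    return 0;
}
```

The point of reuse is what makes a provid meaningful only within the lifetime of its object: a log consumer must pair each provid with the creation and destruction events that bracket it, rather than treating the integer as a globally unique name.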

  13. Implementation Details
      • Efficient data transfer: relay
        • A kernel ring buffer made up of a set of preallocated sub-buffers
        • Represented as a regular file in user space
      • Early boot provenance
        • LSM is initialized as early as possible
        • Provenance is stored in a small temporary buffer before the VFS (which relay needs) is initialized
      • Operating system integration
        • /etc/inittab
        • Shutdown: terminate other processes before the handler

  14. Implementation Details
      • Provenance-opaque flag
        • The handler calls "read" on the relay file, which triggers the file_permission hook, which adds another action to the log, which the handler then reads: a loop
        • A flag "security.hifi" is set on the handler process so its own reads are not recorded
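The feedback loop on slide 14 is easy to reproduce in a small simulation. The C program below is an added example for this transcript, not the paper's kernel code: a counter of pending records stands in for the relay sub-buffers, a toy file_permission hook appends a record per read, and the handler drains the log one read at a time. Without the opaque flag every drain step generates the record it just consumed, so the log never empties; with the flag set on the handler's credentials the hook skips it. The struct and function names and the 1000-read cutoff are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy provenance log: `pending` counts records not yet read by the handler.
 * Constructed model, not Hi-Fi's relay implementation. */
struct prov_log { int pending; int total_records; };

/* A task's credentials; `opaque` models the "security.hifi" flag that the
 * slides describe being set on the handler process. */
struct task { const char *comm; bool opaque; };

/* The LSM file_permission hook: records a read unless the caller is
 * provenance-opaque. */
static void file_permission_hook(struct prov_log *log, const struct task *t) {
    if (t->opaque) return;
    log->pending++;
    log->total_records++;
}

/* An ordinary userspace read; the hook runs before the data is returned. */
static void do_read(struct prov_log *log, const struct task *t) {
    file_permission_hook(log, t);
}

/* The handler's loop: read() from the relay file until nothing is pending.
 * Each read of the relay is itself a file read and so passes the hook.
 * Returns the number of reads needed to drain the log, or -1 if it did not
 * drain within `max_reads` (the feedback loop from slide 14). */
static int handler_drain(struct prov_log *log, const struct task *handler, int max_reads) {
    if (log->pending == 0) return 0;
    for (int reads = 1; reads <= max_reads; reads++) {
        file_permission_hook(log, handler);   /* may append a new record */
        log->pending--;                        /* one record consumed */
        if (log->pending == 0) return reads;
    }
    return -1;
}

/* Runs the scenario: `activity_reads` reads by an ordinary process, then the
 * handler tries to drain the log. Returns the read count or -1 so the two
 * configurations can be compared. */
int run_scenario(bool handler_opaque, int activity_reads) {
    struct prov_log log = {0, 0};
    struct task user = {"sh", false};
    struct task handler = {"hifi-handler", handler_opaque};
    for (int i = 0; i < activity_reads; i++) do_read(&log, &user);
    return handler_drain(&log, &handler, 1000);
}

int main(void) {
    printf("handler without opaque flag: %d reads\n", run_scenario(false, 5)); /* -1 */
    printf("handler with opaque flag:    %d reads\n", run_scenario(true, 5));  /*  5 */
    return 0;
}
```

The design lesson generalizes to any in-kernel recorder whose consumer lives in userspace: the collector must be able to distinguish the consumer's own accesses from those it is meant to observe, and the marker for that (here a flag on the handler's credentials) has to be something an unprivileged process cannot set on itself, or the flag becomes a way to read files without leaving a provenance record.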

  15. Evaluation
      (figure: attacker A compromises host C, then spreads to host B)

  16. Evaluation
      • Persistence and stealth

  17. Evaluation
      • Remote control: open a shell
      • Exfiltration: write a file

  18. Evaluation
      • Spread

  19. Evaluation
      • Performance
        • Microbenchmark
        • Macrobenchmark: 2.8% time overhead (building a kernel)

  20. Conclusion
      • This paper presents a high-fidelity provenance record
      • This record can be used to observe the behavior of malware
      • Low overhead
