Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.

Published byGiselle Winland Modified over 9 years ago

Similar presentations

Presentation on theme: "Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State."— Presentation transcript:

1 Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State University 2 University of Oregon Annual Computer Security Applications Conference (ACSAC) 2012 左昌國 12/11, 2012, Seminar @ ADLab, NCU

2 Introduction Design System-Level Object Model Implementation Evaluation Conclusion Outline 2

3 Data provenance A record of the origin and evolution of data in a system Useful for forensic analysis Current approaches System call interception Lineage File System PASSv2 Forensix Insufficient fidelity VFS handling Story Book provenance system FUSE API Insufficient breadth Introduction 3

4 Linux Security Modules (link)link LSM is a framework which was originally designed for integrating custom access control mechanisms into the Linux kernel “Security fields” in kernel data structures Ex: inodeinode “Hooks” in kernel code Ex: inode_permission in SELinuxinode_permission The hook placement has been repeatedly analyzed and refined in literature to ensure that every access is mediated Introduction 4

5 5

6 Provenance collector Provenance log Provenance handler Design 6

7 Threat Model Any userspace compromise Kernel-level compromise Isolated disk-level versioning system Write-once read-many storage system Design 7

8 Read/write file descriptor File operation IPC Network communication Program execution Creation/deletion of credential obj User transition Design – Provenance Collector 8

9 provid A small integer which is reserved for an object until it is destroyed System-Level Object Model 9

10 UUID A random UUID is created at boot time cred structure (ex: in task_struct ) cred task_struct Process fork New credential A provid for each created cred structure System-Level Object Model: System, Processes, and Threads 10

11 Files and Filesystems UUID + inode number Pipes and Message Queues Pipe The data queue is modeled as an file Message Queue A provid for each message System-Level Object Model 11

12 UUID + counter The sender chooses an identifier for the remote receive queue and transmit it along with the first data packet System-Level Object Model - Sockets 12

13 Efficient Data Transfer relay A kernel ring buffer made up of a set of preallocated sub-buffer Represented as a regular file in user space Early Boot Provenance LSM is initialized as early as possible The provenance is stored in a small temporary buffer before the VFS (for relay) is initialized Operating System Integration /etc/inittab Shutdown: Terminate other processes before handler Implementation Details 13

14 Provenance-Opaque Flag The handler calls “ read ”  trigger file_permission hook  adding another action in log, handler calls “ read ”  loop A flag “security.hifi” is set in the handler process Implementation Details 14

15 Evaluation 15 A(attacker) B C compromise spread

16 Persistence and Stealth Evaluation 16

17 Remote Control Evaluation 17 Open shell Exfiltration Write a file

18 Spread Evaluation 18

19 Performance Microbenchmark Macrobenchmark 2.8% time overhead (build a kernel) Evaluation 19

20 This paper presents a high-fidelity provenance record This record can be used to observe the behavior of malware Low-overhead Conclusion 20

Download ppt "Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Shared-Memory Model and Threads Intel Software College Introduction to Parallel Programming – Part 2.

Shared-Memory Model and Threads Intel Software College Introduction to Parallel Programming – Part 2.
Chapter 6 I/O Systems.

Chapter 6 I/O Systems.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
1 Class-based prioritized resource control in Linux Amit Khanna Roll No 4134, BE - I.

1 Class-based prioritized resource control in Linux Amit Khanna Roll No 4134, BE - I.
Operating-System Structures

Operating-System Structures
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.

1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
1 Copyright © 2005, Oracle. All rights reserved. Introduction.

1 Copyright © 2005, Oracle. All rights reserved. Introduction.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.

0 - 0.
ALGEBRAIC EXPRESSIONS

ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

Similar presentations

Ads by Google