Slide 1: Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Devin J. Pohly (1), Stephen McLaughlin (1), Patrick McDaniel (1), Kevin Butler (2)
(1) Pennsylvania State University, (2) University of Oregon
Annual Computer Security Applications Conference (ACSAC) 2012
左昌國, 12/11, 2012, Seminar @ ADLab, NCU

Slide 2: Outline
- Introduction
- Design
- System-Level Object Model
- Implementation
- Evaluation
- Conclusion

Slide 3: Introduction
- Data provenance: a record of the origin and evolution of data in a system; useful for forensic analysis
- Current approaches:
  - System call interception (Lineage File System, PASSv2, Forensix): insufficient fidelity
  - VFS handling (Story Book provenance system) and the FUSE API: insufficient breadth

Slide 4: Introduction: Linux Security Modules (LSM)
- LSM is a framework originally designed for integrating custom access control mechanisms into the Linux kernel
- "Security fields" in kernel data structures (e.g., inode)
- "Hooks" in kernel code (e.g., inode_permission in SELinux)
- The hook placement has been repeatedly analyzed and refined in the literature to ensure that every access is mediated

Slide 5: (figure only; no transcript text)

Slide 6: Design
- Provenance collector
- Provenance log
- Provenance handler

Slide 7: Design: Threat Model
- Any userspace compromise
- Kernel-level compromise:
  - Isolated disk-level versioning system
  - Write-once read-many storage system

Slide 8: Design: Provenance Collector (events recorded)
- Read/write on a file descriptor
- File operations
- IPC
- Network communication
- Program execution
- Creation/deletion of credential objects
- User transitions

Slide 9: System-Level Object Model: provid
- A small integer that is reserved for an object until that object is destroyed

Slide 10: System-Level Object Model: System, Processes, and Threads
- UUID: a random UUID is created at boot time
- cred structure (e.g., the one referenced from task_struct)
- Process fork creates a new credential
- A provid is assigned to each created cred structure

Slide 11: System-Level Object Model: Files, Pipes, and Message Queues
- Files and filesystems: identified by UUID + inode number
- Pipes: the data queue is modeled as a file
- Message queues: a provid for each message

Slide 12: System-Level Object Model: Sockets
- Identified by UUID + counter
- The sender chooses an identifier for the remote receive queue and transmits it along with the first data packet

Slide 13: Implementation Details
- Efficient data transfer: relay, a kernel ring buffer made up of a set of preallocated sub-buffers, represented as a regular file in user space
- Early boot provenance: the LSM is initialized as early as possible; provenance is stored in a small temporary buffer until the VFS (needed for relay) is initialized
- Operating system integration: /etc/inittab; at shutdown, terminate other processes before the handler

Slide 14: Implementation Details: Provenance-Opaque Flag
- The handler calls read -> triggers the file_permission hook -> adds another action to the log -> the handler calls read again -> loop
- A flag, "security.hifi", is set on the handler process so that its own actions are not recorded
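To make the object model of slides 9 to 12 and the two implementation details of slides 13 and 14 concrete, here is a small Python model of the collector. It is an added example written for this transcript, not code from the Hi-Fi paper or its authors: the hook names, the record layout, the `opaque` attribute standing in for the "security.hifi" flag, and the inode number of the relay file are all assumptions. It shows provid reuse only after an object is destroyed, file naming as boot UUID plus inode number, the early-boot buffer being drained into relay once it exists, and why the provenance-opaque flag is what stops the handler's own reads from feeding back into the log.

```python
# Added example (not the paper's code): toy model of a Hi-Fi-style collector.
import uuid
from dataclasses import dataclass

# One random UUID per boot; every object is named relative to it (slides 10-12).
BOOT_UUID = str(uuid.uuid4())


class ProvidAllocator:
    """Small integers reserved for an object until it is destroyed (slide 9)."""

    def __init__(self):
        self._next = 1
        self._free = []

    def alloc(self):
        if self._free:
            return self._free.pop()
        provid = self._next
        self._next += 1
        return provid

    def release(self, provid):
        # The integer becomes reusable only after the object is gone.
        self._free.append(provid)


@dataclass
class Cred:
    """Stand-in for the kernel cred structure; each one gets its own provid."""
    provid: int
    opaque: bool = False  # assumption: models the security.hifi flag on the handler


class ProvenanceCollector:
    def __init__(self):
        self.provids = ProvidAllocator()
        self.early_boot_buffer = []  # used until the relay "file" exists (slide 13)
        self.relay = None            # None means the VFS/relay is not up yet

    def relay_init(self):
        """Called once the VFS is up: drain the temporary buffer into relay."""
        self.relay = list(self.early_boot_buffer)
        self.early_boot_buffer.clear()

    def _emit(self, record):
        target = self.early_boot_buffer if self.relay is None else self.relay
        target.append(record)

    @staticmethod
    def file_id(inode):
        """Files are named by boot UUID + inode number (slide 11)."""
        return f"{BOOT_UUID}:{inode}"

    def new_cred(self):
        return Cred(provid=self.provids.alloc())

    def hook_fork(self, parent):
        # fork creates a new credential, which gets a fresh provid (slide 10)
        child = self.new_cred()
        self._emit(("fork", parent.provid, child.provid))
        return child

    def hook_file_permission(self, cred, inode, mask):
        # Provenance-opaque flag: the handler's own reads of the relay file are
        # not logged, which is what breaks the read -> log -> read loop.
        if cred.opaque:
            return
        self._emit(("file_permission", cred.provid, self.file_id(inode), mask))

    def hook_exit(self, cred):
        self._emit(("exit", cred.provid))
        self.provids.release(cred.provid)


RELAY_INODE = 4242  # constructed inode number for the relay file


def handler_rounds(collector, handler, rounds):
    """Simulate the handler reading the relay file `rounds` times and return
    how many new records its own reads produced (0 once it is opaque)."""
    before = len(collector.relay)
    for _ in range(rounds):
        collector.hook_file_permission(handler, RELAY_INODE, "r")
    return len(collector.relay) - before


if __name__ == "__main__":
    c = ProvenanceCollector()
    init = c.new_cred()
    c.hook_file_permission(init, 1, "r")  # buffered: relay not yet initialized
    c.relay_init()
    handler = c.hook_fork(init)
    print("non-opaque handler added", handler_rounds(c, handler, 5), "records")
    handler.opaque = True
    print("opaque handler added", handler_rounds(c, handler, 5), "records")
```

Without the flag every read by the handler generates a file_permission record, which the handler then reads, producing another record, and so on; with the flag set the relay log grows only from other processes' activity.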

Slide 15: Evaluation
- (Figure: attack scenario in which host A, the attacker, compromises B, and the compromise spreads to C)

Slide 16: Evaluation: Persistence and Stealth

Slide 17: Evaluation: Remote Control
- Open a shell
- Exfiltration
- Write a file

Slide 18: Evaluation: Spread

Slide 19: Evaluation: Performance
- Microbenchmark
- Macrobenchmark: 2.8% time overhead (building a kernel)

Slide 20: Conclusion
- This paper presents a high-fidelity provenance record
- The record can be used to observe the behavior of malware
- Low overhead

