Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Devin J. Pohly¹, Stephen McLaughlin¹, Patrick McDaniel¹, Kevin Butler² (¹Pennsylvania State University, ²University of Oregon)
Annual Computer Security Applications Conference (ACSAC) 2012
Slides presented by 左昌國, 12/11/2012, Seminar @ ADLab, NCU

Citation preview
Page 1: Hi-Fi: Collecting High-Fidelity Whole-System Provenance
Devin J. Pohly¹, Stephen McLaughlin¹, Patrick McDaniel¹, Kevin Butler²
¹Pennsylvania State University, ²University of Oregon
Annual Computer Security Applications Conference (ACSAC) 2012
左昌國, 12/11/2012, Seminar @ ADLab, NCU

Page 2: Outline
• Introduction
• Design
• System-Level Object Model
• Implementation
• Evaluation
• Conclusion

Page 3: Introduction
• Data provenance
  • A record of the origin and evolution of data in a system
  • Useful for forensic analysis
• Current approaches
  • System call interception
    • Lineage File System, PASSv2, Forensix
    • Insufficient fidelity
  • VFS handling
    • Story Book provenance system, FUSE API
    • Insufficient breadth

Page 4: Introduction
• Linux Security Modules (LSM)
  • LSM is a framework which was originally designed for integrating custom access control mechanisms into the Linux kernel
  • "Security fields" in kernel data structures (e.g. in the inode)
  • "Hooks" in kernel code (e.g. inode_permission, as implemented by SELinux)
  • The hook placement has been repeatedly analyzed and refined in the literature to ensure that every access is mediated

Page 5: Introduction
(slide contains only a figure)

Page 6: Design
• Provenance collector
• Provenance log
• Provenance handler

Page 7: Design
• Threat model
  • Any userspace compromise
  • Kernel-level compromise
    • Isolated disk-level versioning system
    • Write-once read-many storage system

Page 8: Design – Provenance Collector
• Read/write file descriptor
• File operation
• IPC
• Network communication
• Program execution
• Creation/deletion of credential object
• User transition

Page 9: System-Level Object Model
• provid
  • A small integer which is reserved for an object until it is destroyed

Page 10: System-Level Object Model: System, Processes, and Threads
• System: a random UUID is created at boot time
• Processes and threads: the cred structure (e.g. in task_struct)
  • Process fork creates a new credential
  • A provid for each created cred structure

Page 11: System-Level Object Model
• Files and filesystems: UUID + inode number
• Pipes and message queues
  • Pipe: the data queue is modeled as a file
  • Message queue: a provid for each message

Page 12: System-Level Object Model - Sockets
• UUID + counter
• The sender chooses an identifier for the remote receive queue and transmits it along with the first data packet
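The identifier scheme on pages 9 to 12 (a provid reserved until its object is destroyed, UUID + inode number for files, UUID + counter for a socket receive queue that the sender names and ships in the first packet) as a user-space model. This is an added example, not code from the Hi-Fi paper or its kernel patch; the bitmap allocator, the struct layouts and every function name here are this example's own choices, and the boot UUID bytes are constructed.

```c
/* Added example, not Hi-Fi's code: user-space model of the object identifiers.
 * provid_*, file_id_*, sock_id_new and the packet layout are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_PROVID 64   /* toy table size; the kernel table is far larger */

/* Boot identity: a random UUID drawn once per boot (constructed by the caller here). */
struct boot_uuid { uint8_t b[16]; };

static uint64_t provid_bitmap;  /* bit i set: provid i is reserved by a live object */
static uint64_t sock_counter;   /* per-boot counter for receive-queue ids */

void provid_reset(void) { provid_bitmap = 0; sock_counter = 0; }

/* Reserve the lowest free provid; -1 if all MAX_PROVID are in use. */
int provid_alloc(void)
{
    for (int i = 0; i < MAX_PROVID; i++) {
        uint64_t bit = (uint64_t)1 << i;
        if (!(provid_bitmap & bit)) {
            provid_bitmap |= bit;
            return i;
        }
    }
    return -1;
}

/* Release a provid only when its object is destroyed; until then no other
 * object can be handed the same small integer. */
void provid_free(int id)
{
    if (id >= 0 && id < MAX_PROVID)
        provid_bitmap &= ~((uint64_t)1 << id);
}

bool provid_in_use(int id)
{
    return id >= 0 && id < MAX_PROVID && (provid_bitmap & ((uint64_t)1 << id)) != 0;
}

/* Files: identified by (boot UUID of the host, inode number). */
struct file_id { struct boot_uuid uuid; uint64_t ino; };

struct file_id file_id_make(struct boot_uuid uuid, uint64_t ino)
{
    struct file_id f = { uuid, ino };
    return f;
}

bool file_id_eq(struct file_id a, struct file_id b)
{
    return a.ino == b.ino && memcmp(a.uuid.b, b.uuid.b, 16) == 0;
}

/* Sockets: the sender names the remote receive queue with its own boot UUID
 * plus a fresh counter value and carries that name in the first packet. */
struct sock_id { struct boot_uuid uuid; uint64_t counter; };

struct packet {
    bool first;            /* only the first packet carries the queue id */
    struct sock_id queue;
    char payload[32];
};

struct sock_id sock_id_new(struct boot_uuid sender_uuid)
{
    struct sock_id s = { sender_uuid, ++sock_counter };
    return s;
}

/* Sender side: build the first packet of a connection. */
struct packet sender_first_packet(struct boot_uuid sender_uuid, const char *data)
{
    struct packet p;
    memset(&p, 0, sizeof p);
    p.first = true;
    p.queue = sock_id_new(sender_uuid);
    strncpy(p.payload, data, sizeof p.payload - 1);
    return p;
}

/* Receiver side: learn the queue's provenance id from the first packet.
 * Returns true if the packet carried one. */
bool receiver_learn_queue(const struct packet *p, struct sock_id *out)
{
    if (!p->first)
        return false;
    *out = p->queue;
    return true;
}
```

The point of the bitmap is the reservation rule on page 9: a freed provid can be reused, but only after the object holding it is gone, so a log that names an object by provid is unambiguous for that object's lifetime. For sockets, both ends log the same (UUID, counter) pair, which is what lets the handler join a sender's write to the receiver's read across hosts.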

Page 13: Implementation Details
• Efficient data transfer: relay
  • A kernel ring buffer made up of a set of preallocated sub-buffers
  • Represented as a regular file in user space
• Early boot provenance
  • LSM is initialized as early as possible
  • The provenance is stored in a small temporary buffer until the VFS (which relay needs) is initialized
• Operating system integration
  • /etc/inittab
  • Shutdown: terminate other processes before the handler
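The transport on this slide, as a user-space model: a ring of preallocated fixed-size sub-buffers that the kernel side fills and the handler drains one sub-buffer at a time, plus a small early-boot buffer that holds records until the channel exists and is replayed into it. This is an added example and not Hi-Fi's code or the kernel's relay implementation; the sizes are toy values, records are length-prefixed byte strings of this example's own design, and the drop-when-full behaviour is this example's simplification of a no-overwrite channel.

```c
/* Added example, not Hi-Fi's code: toy model of a relay-style ring of
 * sub-buffers with an early-boot staging buffer. All names are this example's. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SUBBUF_SIZE 32   /* toy sizes; real sub-buffers are whole pages */
#define N_SUBBUF    4
#define EARLY_SIZE  64

struct relay_chan {
    char     sub[N_SUBBUF][SUBBUF_SIZE];
    size_t   used[N_SUBBUF];   /* bytes filled in each sub-buffer */
    unsigned prod, cons;       /* producer / consumer sub-buffer index */
    unsigned full;             /* completed sub-buffers awaiting the handler */
    unsigned dropped;          /* records lost because every sub-buffer was full */
    bool     online;           /* false until the VFS-backed channel exists */
    char     early[EARLY_SIZE];
    size_t   early_len;
};

void relay_init(struct relay_chan *c) { memset(c, 0, sizeof *c); }

/* Append one length-prefixed record into the ring. Returns 0, or -1 on drop. */
static int ring_write(struct relay_chan *c, const char *rec, size_t len)
{
    size_t need = len + 1;
    if (need > SUBBUF_SIZE)
        return -1;
    if (c->used[c->prod] + need > SUBBUF_SIZE) {
        /* current sub-buffer is finished; hand it to the consumer if a free one remains */
        if (c->full == N_SUBBUF - 1) {
            c->dropped++;      /* no-overwrite policy: lose the record, keep old data */
            return -1;
        }
        c->full++;
        c->prod = (c->prod + 1) % N_SUBBUF;
    }
    char *dst = c->sub[c->prod] + c->used[c->prod];
    dst[0] = (char)len;
    memcpy(dst + 1, rec, len);
    c->used[c->prod] += need;
    return 0;
}

/* Handler side: copy the oldest completed sub-buffer out. Returns bytes, 0 if none.
 * `out` must hold at least SUBBUF_SIZE bytes. */
size_t relay_read(struct relay_chan *c, char *out, size_t outlen)
{
    if (c->full == 0 || outlen < SUBBUF_SIZE)
        return 0;
    size_t n = c->used[c->cons];
    memcpy(out, c->sub[c->cons], n);
    c->used[c->cons] = 0;
    c->cons = (c->cons + 1) % N_SUBBUF;
    c->full--;
    return n;
}

/* Shutdown: close the partially filled sub-buffer so the handler can drain it. */
void relay_close_current(struct relay_chan *c)
{
    if (c->used[c->prod] == 0 || c->full == N_SUBBUF - 1)
        return;
    c->full++;
    c->prod = (c->prod + 1) % N_SUBBUF;
}

/* Entry point the hooks call. Before the channel exists, records go to the
 * early-boot buffer; afterwards straight into the ring. */
int log_record(struct relay_chan *c, const char *rec, size_t len)
{
    if (c->online)
        return ring_write(c, rec, len);
    if (c->early_len + len + 1 > EARLY_SIZE) {
        c->dropped++;
        return -1;
    }
    c->early[c->early_len] = (char)len;
    memcpy(c->early + c->early_len + 1, rec, len);
    c->early_len += len + 1;
    return 0;
}

/* Once the VFS is up: bring the channel online and replay the early-boot
 * records in order. Returns how many could not be replayed. */
int relay_bring_up(struct relay_chan *c)
{
    int lost = 0;
    c->online = true;
    for (size_t off = 0; off < c->early_len; ) {
        size_t len = (unsigned char)c->early[off];
        if (ring_write(c, c->early + off + 1, len) < 0)
            lost++;
        off += len + 1;
    }
    c->early_len = 0;
    return lost;
}

/* Count the records in a drained sub-buffer by walking the length prefixes. */
int count_records(const char *buf, size_t n)
{
    int count = 0;
    for (size_t off = 0; off < n; off += (unsigned char)buf[off] + 1)
        count++;
    return count;
}
```

Two things the model makes visible that the slide only names: records never straddle sub-buffers, so the handler can parse each drained sub-buffer on its own, and a stalled handler eventually costs records (the `dropped` counter), which is why the shutdown ordering on the slide terminates other processes before the handler.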

Page 14: Implementation Details
• Provenance-opaque flag
  • The handler calls read, which triggers the file_permission hook, which adds another action to the log, which the handler then reads: a loop
  • A flag "security.hifi" is set on the handler process so that its own reads are not recorded
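The hook mediation from page 4 and the provenance-opaque flag from this slide, as a user-space model: every read passes through a `file_permission`-style hook before the operation proceeds, the hook appends a record, and a flag on the handler's task keeps the handler's own reads of the log out of the log. This is an added example and not Hi-Fi's code; `file_permission` is the real LSM hook name, but the `task` and `inode` structs, `vfs_read()`, `run_handler()` and the in-memory log are this example's own, and the "security.hifi" attribute is modelled as a boolean on the task.

```c
/* Added example, not Hi-Fi's code: user-space model of a provenance hook and
 * the provenance-opaque flag. Struct and function names are this example's own. */
#include <stdbool.h>
#include <string.h>

#define LOG_MAX 16

struct inode { unsigned long ino; int provid; };   /* provid stands in for the security field */
struct task  { int pid; bool provenance_opaque; }; /* true only for the handler ("security.hifi") */

struct log_entry { int pid; unsigned long ino; char op[8]; };
static struct log_entry prov_log[LOG_MAX];
static int prov_log_len;

void prov_log_reset(void) { prov_log_len = 0; }
int  prov_log_count(void) { return prov_log_len; }

/* The hook. Every read/write passes through here before the VFS does the
 * work, so no access is missed. Hi-Fi only records; it always allows. */
static int hifi_file_permission(struct task *t, struct inode *i, const char *op)
{
    if (t->provenance_opaque)
        return 0;                       /* the handler's own I/O is not provenance */
    if (prov_log_len < LOG_MAX) {       /* toy bound; the real log goes to relay */
        struct log_entry *e = &prov_log[prov_log_len++];
        e->pid = t->pid;
        e->ino = i->ino;
        strncpy(e->op, op, sizeof e->op - 1);
        e->op[sizeof e->op - 1] = '\0';
    }
    return 0;
}

/* Mediated operation: hook first, then the real read (elided here). */
int vfs_read(struct task *t, struct inode *i)
{
    int rc = hifi_file_permission(t, i, "read");
    if (rc)
        return rc;
    return 0;
}

/* Simulate the handler draining `pending` records from the log file and
 * return how many new records its own reads generated. With the flag set
 * this is 0; without it every drain produces as much log as it consumed. */
int run_handler(struct task *handler, struct inode *logfile, int pending)
{
    int before = prov_log_len;
    for (int n = 0; n < pending; n++)
        vfs_read(handler, logfile);
    return prov_log_len - before;
}
```

A practitioner's check: the flag must be scoped to the handler's own task (not to the log file), otherwise any process that reads the log file would also disappear from the record, and the whole point of the collector is that it cannot be opted out of from userspace.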

Page 15: Evaluation
(figure: hosts A (attacker), B and C; arrows labelled "compromise" and "spread")

Page 16: Evaluation
• Persistence and stealth

Page 17: Evaluation
• Remote control
  (figure labels: Open shell, Exfiltration, Write a file)

Page 18: Evaluation
• Spread

Page 19: Evaluation
• Performance
  • Microbenchmark
  • Macrobenchmark: 2.8% time overhead (building a kernel)

Page 20: Conclusion
• This paper presents a high-fidelity provenance record
• This record can be used to observe the behavior of malware
• Low overhead