TY - JOUR
T1 - Taming the costs of trustworthy provenance through policy reduction
AU - Bates, Adam
AU - Tian, Dave Jing
AU - Hernandez, Grant
AU - Moyer, Thomas
AU - Butler, Kevin R.B.
AU - Jaeger, Trent
N1 - This material is based upon work supported by the National Science Foundation under Grants No. CNS-1408880, No. CNS-1540216, No. CNS-1540217, and No. CNS-1657534. Authors from Penn State acknowledge support from the Air Force Office of Scientific Research (AFOSR) under Grant No. AFOSR-FA9550-12-1-0166. The Lincoln Laboratory portion of this work was sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the author and are not necessarily endorsed by the United States Government. Authors’ addresses: A. Bates, Department of Computer Science, Siebel Center, 201 N. Goodwin, Urbana, IL, 61801-2302; email: [email protected]; D. (Jing) Tian, G. Hernandez, and K. R. B. Butler, E301 CSE Building, PO Box 116120, Gainesville, FL 32611 USA; emails: {daveti, grant.hernandez, butler}@ufl.edu; T. Moyer, Lincoln Laboratory, Massachusetts Institute of Technology, Secure Resilient Systems and Technology Group, 244 Wood Street, Lexington, MA 02420-9108; email: [email protected]; T. Jaeger, The Pennsylvania State University, Department of Computer Science and Engineering, 346A IST Building, University Park, PA 16802; email: [email protected]. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or [email protected]. © 2017 ACM 1533-5399/2017/09-ART34 $15.00 https://doi.org/10.1145/3062180
PY - 2017/9
Y1 - 2017/9
N2 - Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89% in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.
AB - Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89% in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.
KW - Integrity
KW - Mandatory policy
KW - Provenance
KW - TCB
UR - http://www.scopus.com/inward/record.url?scp=85029504490&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85029504490&partnerID=8YFLogxK
U2 - 10.1145/3062180
DO - 10.1145/3062180
M3 - Article
AN - SCOPUS:85029504490
SN - 1533-5399
VL - 17
JO - ACM Transactions on Internet Technology
JF - ACM Transactions on Internet Technology
IS - 4
M1 - 3062180
ER -