TY - GEN
T1 - Trustworthy whole-system provenance for the Linux kernel
AU - Bates, Adam
AU - Tian, Dave
AU - Butler, Kevin R.B.
AU - Moyer, Thomas
N1 - Funding Information:
The Lincoln Laboratory portion of this work was sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.
Funding Information:
We would like to thank Rob Cunningham, Alin Dobra, Will Enck, Jun Li, Al Malony, Patrick McDaniel, Daniela Oliveira, Nabil Schear, Micah Sherr, and Patrick Traynor for their valuable comments and insight, as well as Devin Pohly for his sustained assistance in working with Hi-Fi, and Mugdha Kumar for her help developing LPM SPADE support. This work was supported in part by the US National Science Foundation under grant numbers CNS-1118046, CNS-1254198, and CNS-1445983.
Publisher Copyright:
© 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved.
PY - 2015
Y1 - 2015
N2 - In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, while past work has demonstrated the usefulness of provenance, less attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use. We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems. We demonstrate that LPM creates a trusted provenance-aware execution environment, collecting complete whole-system provenance while imposing as little as 2.7% performance overhead on normal system operation. LPM introduces new mechanisms for secure provenance layering and authenticated communication between provenance-aware hosts, and also interoperates with existing mechanisms to provide strong security assurances. To demonstrate the potential uses of LPM, we design a Provenance-Based Data Loss Prevention (PB-DLP) system. We implement PB-DLP as a file transfer application that blocks the transmission of files derived from sensitive ancestors while imposing just tens of milliseconds overhead. LPM is the first step towards widespread deployment of trustworthy provenance-aware applications.
UR - http://www.scopus.com/inward/record.url?scp=85076270528&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076270528&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85076270528
T3 - Proceedings of the 24th USENIX Security Symposium
SP - 319
EP - 334
BT - Proceedings of the 24th USENIX Security Symposium
PB - USENIX Association
T2 - 24th USENIX Security Symposium
Y2 - 12 August 2015 through 14 August 2015
ER -