Taming the Costs of Trustworthy Provenance through Policy Reduction

Abstract
Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89% in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.
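The abstract describes the core mechanism in two steps: derive, from the MAC policy, the set of domains that make up the target application's trusted computing base, and then record provenance only for activity involving those domains. The following Python is an added illustration of that idea and is not code from the paper or its authors. It assumes a constructed, SELinux-style policy given as (subject type, object type, permission) allow rules, treats `write` rules as information flows from subject to object and `read` rules as flows from object to subject, defines the TCB of a target type as every type with a flow path into it (plus the target itself), and filters a constructed provenance event stream against that set; the event tuples, type names, and the flow interpretation are all assumptions made for the example.

```python
"""Policy-reduced provenance collection, illustrated on a toy MAC policy.

Added example; not the paper's implementation. Assumptions (constructed):
  - a policy is a list of (subject_type, object_type, permission) allow rules;
  - 'write'/'append' rules are information flows subject -> object,
    'read' rules are flows object -> subject, other permissions are ignored;
  - a provenance event is a (subject_type, operation, object_type) tuple;
  - the TCB of a target type is the set of types with a flow path into it,
    including the target itself (backward reachability over the flow graph).
"""
from collections import defaultdict

# Constructed toy policy. The type names mimic SELinux conventions but the
# rules are invented for the example.
POLICY = [
    ("httpd_t", "httpd_config_t", "read"),
    ("httpd_t", "httpd_sys_content_t", "read"),
    ("httpd_t", "httpd_log_t", "write"),
    ("sysadm_t", "httpd_config_t", "write"),
    ("user_t", "user_home_t", "write"),
    ("user_t", "user_home_t", "read"),
    ("cron_t", "cron_log_t", "write"),
    ("sysadm_t", "httpd_t", "transition"),  # not treated as a data flow here
]

# Constructed provenance event stream: what a whole-system monitor would see.
EVENTS = [
    ("httpd_t", "read", "httpd_config_t"),
    ("sysadm_t", "write", "httpd_config_t"),
    ("httpd_t", "write", "httpd_log_t"),
    ("user_t", "write", "user_home_t"),
    ("user_t", "read", "user_home_t"),
    ("cron_t", "write", "cron_log_t"),
    ("cron_t", "write", "cron_log_t"),
    ("httpd_t", "read", "httpd_sys_content_t"),
]


def flows_from_policy(policy):
    """Turn allow rules into a directed information-flow graph src -> {dst}."""
    flows = defaultdict(set)
    for subj, obj, perm in policy:
        if perm in ("write", "append"):
            flows[subj].add(obj)      # subject's data ends up in the object
        elif perm == "read":
            flows[obj].add(subj)      # object's data ends up in the subject
    return flows


def trusted_computing_base(policy, target):
    """Every type with a flow path into `target`, plus `target` itself.

    Backward reachability on the flow graph; the visited set handles cycles
    such as user_t <-> user_home_t.
    """
    flows = flows_from_policy(policy)
    reverse = defaultdict(set)
    for src, dsts in flows.items():
        for dst in dsts:
            reverse[dst].add(src)
    seen = {target}
    stack = [target]
    while stack:
        current = stack.pop()
        for predecessor in reverse[current]:
            if predecessor not in seen:
                seen.add(predecessor)
                stack.append(predecessor)
    return seen


def filter_provenance(events, tcb):
    """Keep only events whose subject or object type belongs to the TCB."""
    return [e for e in events if e[0] in tcb or e[2] in tcb]


def storage_reduction(events, kept):
    """Fraction of events the policy-reduced monitor did not have to store."""
    return 1.0 - len(kept) / len(events)


if __name__ == "__main__":
    tcb = trusted_computing_base(POLICY, "httpd_t")
    kept = filter_provenance(EVENTS, tcb)
    print("TCB of httpd_t:", sorted(tcb))
    print("kept %d of %d events, reduction %.0f%%"
          % (len(kept), len(EVENTS), 100 * storage_reduction(EVENTS, kept)))
```

On this toy input the TCB of `httpd_t` is `{httpd_t, httpd_config_t, httpd_sys_content_t, sysadm_t}`: the administrator domain is pulled in because it can write the configuration the server reads, while `user_t` and `cron_t` activity never reaches the target and is dropped, halving the stored event count. The actual reduction depends entirely on how tightly the policy confines the target, which is the domain dependence the abstract reports.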