
Taming the Costs of Trustworthy Provenance through Policy Reduction

Published: 09 September 2017

Abstract

Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89% in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.
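An added illustration of the filtering idea in the abstract, not code from the paper or its system: it assumes a simplified MAC policy of (subject type, object type, permission) rules, takes the target's TCB to be every type with an information-flow path into the target's type, and keeps only events that touch that set. The policy, type names, event stream and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed, simplified MAC policy: (subject_type, object_type, permission).
POLICY = [
    ("httpd_t", "httpd_config_t", "read"),
    ("httpd_t", "httpd_content_t", "read"),
    ("httpd_t", "httpd_log_t", "write"),
    ("admin_t", "httpd_config_t", "write"),
    ("deploy_t", "httpd_content_t", "write"),
    ("admin_t", "admin_home_t", "read"),
    ("user_t", "user_home_t", "write"),
    ("user_t", "user_home_t", "read"),
    ("cron_t", "tmp_t", "write"),
    ("logrotate_t", "httpd_log_t", "read"),
]

# Constructed event stream: (subject_type, operation, object_type).
EVENTS = (
    [("httpd_t", "read", "httpd_content_t")] * 3
    + [("admin_t", "write", "httpd_config_t"),
       ("httpd_t", "write", "httpd_log_t"),
       ("logrotate_t", "read", "httpd_log_t")]
    + [("user_t", "write", "user_home_t")] * 8   # background noise
    + [("cron_t", "write", "tmp_t")] * 6         # background noise
)

def tcb_types(policy, target):
    """Types with an information-flow path into `target` (assumed TCB definition)."""
    preds = defaultdict(set)  # type -> types that can flow data into it
    for subj, obj, perm in policy:
        if perm == "write":
            preds[obj].add(subj)   # a write moves data subject -> object
        elif perm == "read":
            preds[subj].add(obj)   # a read moves data object -> subject
    scope, queue = {target}, deque([target])
    while queue:  # breadth-first walk backwards along flows
        for src in preds[queue.popleft()] - scope:
            scope.add(src)
            queue.append(src)
    return scope

def filter_events(events, scope):
    """Keep only events whose subject or object type is in scope."""
    return [e for e in events if e[0] in scope or e[2] in scope]

def storage_reduction(events, kept):
    """Fraction of events that no longer need to be stored."""
    return 1 - len(kept) / len(events)
```

Under these assumptions `admin_home_t` lands in scope only through the transitive flow via `admin_t`, while the `logrotate_t` read of the web server's log is dropped because it is downstream of the target, which is the kind of boundary decision a scoping policy has to make deliberately.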



Published in

ACM Transactions on Internet Technology, Volume 17, Issue 4
Special Issue on Provenance of Online Data and Regular Papers
November 2017
165 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/3133307
Editor: Munindar P. Singh

Copyright © 2017 ACM

© 2017 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 9 September 2017
• Accepted: 1 March 2017
• Revised: 1 January 2017
• Received: 1 July 2016

Qualifiers

• research-article
• Research
• Refereed
