Data provenance, a record of the origin and evolution of data in a system, is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.