Runtime Analysis of Whole-System Provenance

Pasquier, T., Han, X., Moyer, T., Bates, A., Hermant, O., Eyers, D., Bacon, J., & Seltzer, M. (2018). Runtime Analysis of Whole-System Provenance. In CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada (pp. 1601-1616). Association for Computing Machinery (ACM). https://doi.org/10.1145/3243734.3243776

Peer reviewed version. Link to published version: 10.1145/3243734.3243776

This is the author accepted manuscript (AAM). The final published version (version of record) is available online via ACM at https://dl.acm.org/citation.cfm?doid=3243734.3243776. Please refer to any applicable terms of use of the publisher.

University of Bristol - Explore Bristol Research. General rights: this document is made available in accordance with publisher policies. Please cite only the published version using the reference above. Full terms of use are available: http://www.bristol.ac.uk/red/research-policy/pure/user-guides/ebr-terms/

Runtime Analysis of Whole-System Provenance

Thomas Pasquier* (University of Bristol), Xueyuan Han (Harvard University), Thomas Moyer (University of North Carolina at Charlotte), Adam Bates (University of Illinois at Urbana-Champaign), Olivier Hermant (MINES ParisTech, PSL Research University), David Eyers (University of Otago), Jean Bacon (University of Cambridge), Margo Seltzer (University of British Columbia)

*Part of this work was completed at Harvard University and at the University of Cambridge.

ABSTRACT

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.

CCS CONCEPTS

• Security and privacy → Operating systems security; Information flow control; Intrusion detection systems;

KEYWORDS

Whole-system Provenance; Information Flow Tracking; Graph Processing; Linux Kernel

ACM Reference Format:
Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, and Margo Seltzer. 2018. Runtime Analysis of Whole-System Provenance. In 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18), October 15–19, 2018, Toronto, ON, Canada. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3243734.3243776

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
CCS '18, October 15–19, 2018, Toronto, ON, Canada
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-5693-0/18/10...$15.00
https://doi.org/10.1145/3243734.3243776

1 INTRODUCTION

Timely investigation of system intrusions remains a notoriously difficult challenge [66, 94, 96]. While security monitoring tools provide an initial notification of foul play [13, 41, 86, 91, 95, 97], these indicators are rarely sufficient in and of themselves. Instead, crafting an appropriate response to a security incident often requires scouring terabytes of audit logs to determine an adversary's method of entry, how their reach spread through the system, and their ultimate mission objective. Such investigations not only require a human-in-the-loop, but are excruciatingly slow, at times requiring months of investigation and thousands of employee hours [56]. This delay between an event's occurrence and its diagnosis represents a tremendous window of opportunity for attackers – as they continue to exploit the system, defenders are still just getting their bearings.

Digital provenance (or provenance for short) refers to the data being used in a variety of ways to address the challenges of forensic audits. By parsing individual records into causal relationship graphs that describe a system's execution, provenance enables defenders to leverage the full historical context of a system and to reason about the interrelationships between different events and objects. With provenance, forensic investigations can trace back a given security indicator (e.g., a port scan) to the attacker's point of entry (e.g., a malicious email attachment) [53] and then trace forward from the entry point to determine what other actions the attacker has taken on the system.

Unfortunately, provenance-based auditing's growing popularity has uncovered significant limitations in its performance and scalability. Early efforts to integrate provenance querying into production systems indicated that, even for modestly small organisations (e.g., 150 workstations), forensic queries can take on the order of hours or days to complete [61]. In an actual attack scenario, where a timely incident response could make the difference between victory and defeat, such delays are unacceptable. Moreover, to date, provenance-aware systems have supported causal reasoning only as an after-the-fact forensic activity [54]; this is unfortunate, because provenance is also invaluable to a variety of runtime security tasks such as access control [76, 77], integrity measurement [92], and regulatory compliance [8, 15, 68, 81]. To date, the design of low latency mechanisms for realtime provenance analysis has not been given adequate consideration in the literature.

The goal of this work is to bridge the gap between runtime security monitoring and post-hoc forensic analysis. In support of this goal, we consider methods for the deep integration of provenance capture and analysis within the operating system. We introduce CamQuery, a framework that supports runtime analysis of provenance and thus enables its practical use for a variety of security applications. CamQuery pairs a runtime kernel-layer reference monitor – expanding and modifying CamFlow [79] – with a novel query module mechanism that enables runtime provenance analysis and even mediation of system events. CamQuery modules present a familiar vertex-centric API, as popularised by modern graph processing systems such as GraphChi [57] and GraphX [40]. In these vertex-centric platforms, full-graph analysis routines are expressed in terms of a small program that runs in parallel on every vertex (node) in the system. The graph-structured nature of provenance data makes this model a good fit and permits use of a familiar API. While these applications run directly over the live provenance stream, provenance can be simultaneously persisted to facilitate additional post-mortem and/or forensic analysis.

To demonstrate the generality of CamQuery, we consider several exemplar query applications in § 5: 1) a data loss prevention scheme [18] popular in the provenance-based security community; 2) a provenance-based intrusion detection scheme; 3) a mechanism to apply constraints on information flow; and 4) a provenance signature scheme. These case studies illustrate the rich space of design possibilities that are enabled through runtime provenance analysis. The source code for CamQuery, along with associated applications

[Figure 1: A simple provenance DAG: two processes (P and Q) exchange packets (Pckt_A and Pckt_B) through their respective sockets (S and T). The figure shows vertices P1, S1, Pckt_A, T1, Q1 in one row and P2, S2, Pckt_B, T2 in the next, with edges labelled "flows info." between objects and "version" between successive states of the same object.]

messages, and network packets; activities are tasks; and agents are users and groups.

In practice, it is impossible to represent a mutable process or file as a single vertex while simultaneously ensuring that the graph remains acyclic [21]. For example, in a naive representation, a process that both reads and writes a file immediately creates a cycle, because the process depends on the file (due to the read), and the file depends on the process (due to the write). Cycles are problematic. Edges in the provenance graph represent dependencies between the states of different objects and express causal relationships. Therefore, an object must depend only on the past (i.e., the state of an object cannot depend on a future state). The most commonly used cycle avoidance
