Logo image
LPROV: practical library-aware provenance tracing
Conference paper   Open access

LPROV: practical library-aware provenance tracing

Fei Wang, Yonghwi Kwon, Shiqing Ma, Xiangyu Zhang and Dongyan Xu
34th Annual Computer Security Applications Conference (ACSAC 2018), pp.605-617
Assoc Computing Machinery
ACSAC '18: Annual Computer Security Applications Conference, 34 (San Juan, Puerto Rico, 12/03/2018–12/07/2018)
01/01/2018

Abstract

Computer Science, Information Systems Computer Science, Theory & Methods Science & Technology Computer Science Technology
With the continuing evolution of sophisticated APT attacks, provenance tracking is becoming an important technique for efficient attack investigation in enterprise networks. Most of existing provenance techniques are operating on system event auditing that discloses dependence relationships by scrutinizing syscall traces. Unfortunately, such auditing-based provenance is not able to track the causality of another important dimension in provenance, the shared libraries. Different from other data-only system entities like files and sockets, dynamic libraries are linked at runtime and may get executed, which poses new challenges in provenance tracking. For example, library provenance cannot be tracked by syscalls and mapping; whether a library function is called and how it is called within an execution context is invisible at syscall level; linking a library does not promise their execution at runtime. Addressing these challenges is critical to tracking sophisticated attacks lever-aging libraries. In this paper, to facilitate. ne-grained investigation inside the execution of library binaries, we develop LPROV, a novel provenance tracking system which combines library tracing and syscall tracing. Upon a syscall, LPROV identifies the library calls together with the stack which induces it so that the library execution provenance can be accurately revealed. Our evaluation shows that LPROV can precisely identify attack provenance involving libraries, including malicious library attack and library vulnerability exploitation, while syscall-based provenance tools fail to identify. It only incurs 7.0% (in geometric mean) runtime overhead and consumes 3 times less storage space of a state-of-the-art provenance tool.
pdf
ACSAC18 LPROV 20181.36 MBDownloadView
Version of Record (VoR) Open Access
url
https://doi.org/10.1145/3274694.3274751View
Version of Record (VoR)
url
Report an accessibility issueView
Please complete a content remediation request to report an accessibility issue with a library electronic resource, website, or service.

Metrics

35 File downloads
45 Record Views

Details

Logo image