Data provenance—a record of the origin and evolution of data in a system—is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system that leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi records a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data that is capable of supporting detailed forensic analysis.
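To make concrete what "a record of the origin and evolution of data" buys a forensic analyst, here is an added example that is not Hi-Fi's code and does not use its record format. Hi-Fi collects its records inside the kernel through LSM hooks; this example models the resulting records in user space as constructed (event, subject, object) tuples, builds a versioned provenance graph from them, and runs the two queries an investigator asks first: what upstream objects contributed to a suspicious output, and what a suspicious input went on to touch. The event names, the versioning rule and the sample log are all assumptions made for illustration.

```python
"""Toy whole-system provenance graph with versioned nodes.

Added example, not Hi-Fi's code or its record format. Hi-Fi collects
these records inside the kernel through LSM hooks; here the records are
modelled in user space as (event, subject, object) tuples so the forensic
queries can run offline. The event names and the sample log below are
constructed for illustration.
"""
from collections import defaultdict, deque


class ProvenanceGraph:
    """Nodes are (name, version); an edge records that a node was derived
    from another. A new version is created whenever an object receives
    input, so a later write to a file does not retroactively taint earlier
    readers (a classic false-dependency problem in unversioned provenance)."""

    def __init__(self):
        self.version = {}                     # name -> latest version number
        self.derived_from = defaultdict(set)  # (name, ver) -> set of (name, ver)

    def current(self, name):
        """Latest version of `name`; version 0 is the pre-existing state."""
        return (name, self.version.get(name, 0))

    def _new_version(self, name, inputs, keep_prev=True):
        prev = self.current(name)
        self.version[name] = prev[1] + 1
        node = self.current(name)
        if keep_prev:                          # prior content carries over (append, process state)
            self.derived_from[node].add(prev)
        self.derived_from[node].update(inputs)
        return node

    def record(self, event, subject, obj):
        """Apply one log record; subject is always the acting process."""
        if event == "exec":                    # subject spawns obj as a fresh process
            self._new_version(obj, {self.current(subject)}, keep_prev=False)
        elif event in ("read", "recv"):        # subject consumes obj (file or socket)
            self._new_version(subject, {self.current(obj)})
        elif event in ("write", "send"):       # subject produces obj
            self._new_version(obj, {self.current(subject)})
        else:
            raise ValueError(f"unknown event {event!r}")

    def _walk(self, start, edges):
        """Breadth-first closure of `start` over the given adjacency map."""
        seen, queue = set(), deque([start])
        while queue:
            for nxt in edges.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def ancestor_names(self, name):
        """Backward query: which objects ever contributed to `name`?"""
        nodes = self._walk(self.current(name), self.derived_from)
        return {n for n, _ in nodes if n != name}

    def descendant_names(self, name, version=0):
        """Forward query: what did a given version of `name` flow into?"""
        derives = defaultdict(set)
        for node, parents in self.derived_from.items():
            for p in parents:
                derives[p].add(node)
        nodes = self._walk((name, version), derives)
        return {n for n, _ in nodes if n != name}


# Constructed sample log in time order: (event, subject, object).
# Processes are "pid:comm"; sockets are "sock:peer:port"; files are paths.
SAMPLE_LOG = [
    ("exec",  "1:init",    "100:sshd"),
    ("exec",  "100:sshd",  "200:bash"),
    ("recv",  "200:bash",  "sock:203.0.113.5:4444"),  # commands from a remote peer
    ("read",  "200:bash",  "/etc/passwd"),
    ("write", "200:bash",  "/tmp/.x"),
    ("exec",  "200:bash",  "300:curl"),
    ("read",  "300:curl",  "/tmp/.x"),
    ("send",  "300:curl",  "sock:203.0.113.5:80"),    # data leaves the host
    ("exec",  "1:init",    "400:cron"),
    ("read",  "400:cron",  "/etc/crontab"),
    ("write", "400:cron",  "/etc/passwd"),            # later, unrelated write
]


def build_graph(log=SAMPLE_LOG):
    g = ProvenanceGraph()
    for event, subject, obj in log:
        g.record(event, subject, obj)
    return g


if __name__ == "__main__":
    g = build_graph()
    print("upstream of exfil socket:", sorted(g.ancestor_names("sock:203.0.113.5:80")))
    print("reached by remote input: ", sorted(g.descendant_names("sock:203.0.113.5:4444")))
```

The last record is the fidelity check: cron writes /etc/passwd after curl's ancestry was fixed, and because the graph versions objects, the backward query from the exfiltration socket still reaches only the earlier version of /etc/passwd and never implicates cron. An unversioned collector that keyed edges on the file name alone would report cron as a contributor to the leak, which is exactly the kind of false dependency that makes low-fidelity provenance hard to use in an investigation.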
Author(s):
Devin Pohly
Pennsylvania State University
United States
Stephen McLaughlin
Pennsylvania State University
United States
Patrick McDaniel
Pennsylvania State University
United States
Kevin Butler
University of Oregon
United States