Lprov: Practical Library-aware Provenance Tracing

Fei Wang, Yonghwi Kwon, Shiqing Ma, Xiangyu Zhang, Dongyan Xu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

6 Scopus citations

Abstract

With the continuing evolution of sophisticated APT attacks, provenance tracking is becoming an important technique for efficient attack investigation in enterprise networks. Most of existing provenance techniques are operating on system event auditing that discloses dependence relationships by scrutinizing syscall traces. Unfortunately, such auditing-based provenance is not able to track the causality of another important dimension in provenance, the shared libraries. Different from other data-only system entities like files and sockets, dynamic libraries are linked at runtime and may get executed, which poses new challenges in provenance tracking. For example, library provenance cannot be tracked by syscalls and mapping; whether a library function is called and how it is called within an execution context is invisible at syscall level; linking a library does not promise their execution at runtime. Addressing these challenges is critical to tracking sophisticated attacks leveraging libraries. In this paper, to facilitate fine-grained investigation inside the execution of library binaries, we develop Lprov, a novel provenance tracking system which combines library tracing and syscall tracing. Upon a syscall, Lprov identifies the library calls together with the stack which induces it so that the library execution provenance can be accurately revealed. Our evaluation shows that Lprov can precisely identify attack provenance involving libraries, including malicious library attack and library vulnerability exploitation, while syscall-based provenance tools fail to identify. It only incurs 7.0% (in geometric mean) runtime overhead and consumes 3 times less storage space of a state-of-the-art provenance tool.

Original languageEnglish (US)
Title of host publicationProceedings of the 3rd International Workshop on Advanced Interconnect Solutions and Technologies for Emerging Computing Systems, AISTECS 2018
PublisherAssociation for Computing Machinery
Pages605-617
Number of pages13
ISBN (Electronic)1595930361, 9781450364430
DOIs
StatePublished - Jan 22 2018
Externally publishedYes
Event34th Annual Computer Security Applications Conference, ACSAC 2018 - San Juan, United States
Duration: Dec 3 2018Dec 7 2018

Publication series

NameACM International Conference Proceeding Series
Volume2018-January

Other

Other34th Annual Computer Security Applications Conference, ACSAC 2018
Country/TerritoryUnited States
CitySan Juan
Period12/3/1812/7/18

All Science Journal Classification (ASJC) codes

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Fingerprint

Dive into the research topics of 'Lprov: Practical Library-aware Provenance Tracing'. Together they form a unique fingerprint.

Cite this