Trusted Tamper-Evident Data Provenance

Data provenance, the origin and derivation history of data, is commonly used for security auditing, forensics and data analysis. While provenance loggers provide evidence of data changes, the integrity of the provenance logs is also critical for the integrity of the forensics process. However, to the best of our knowledge, few solutions are able to fully satisfy this trust requirement. In this paper, we propose a framework to enable tamper-evidence and preserve the confidentiality and integrity of data provenance using the Trusted Platform Module (TPM). Our framework also stores provenance logs in trusted and backup servers to guarantee the availability of data provenance. Tampered provenance logs can be discovered and consequently recovered by retrieving the original logs from the servers. Leveraging the TPM's technical capability, our framework guarantees that the collected data provenance is admissible, complete, and confidential. More importantly, this framework can be applied to capture tampering evidence in large-scale cloud environments at system, network, and application granularities. We applied our framework to provide tamper-evidence for Progger, a cloud-based, kernel-space logger. Our results demonstrate the ability to conduct remote attestation of the integrity of Progger logs, and to uphold the completeness, confidentiality and admissibility requirements.
