Run-time label propagation for forensic audit data

Current computing systems gather less forensically valuable audit data than is desirable, and some of that data cannot be gathered at all with existing mechanisms. Such data is useful for analysing the events that took place on a system during a digital forensic investigation. In this paper we propose a mechanism that allows arbitrary meta-information bound to principals on a system to be propagated based on causality and influenced by information flow. We further discuss how to implement such a mechanism for the FreeBSD operating system and present a proof-of-concept implementation that adds little overhead compared to the same system without label propagation.
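The following toy model is an added illustration of the idea in the abstract; it is not the paper's FreeBSD implementation and makes its own assumptions about the rules. It assumes principals are processes, labelled objects are files, a label is an opaque string, and propagation follows three causal rules: a fork copies the parent's labels to the child, a read joins the file's labels into the reading process, and a write joins the writing process's labels into the file. Each event is recorded together with the acting process's label set, so an investigator can later ask which audited events were influenced by a given label. The scenario, process ids and paths are constructed for the example.

```python
"""Toy model of run-time label propagation for forensic audit data.

Added example, not the paper's implementation. Assumed model (not from the
paper): labels are opaque strings bound to processes and files; fork copies
labels parent -> child, read joins file labels into the process, write joins
process labels into the file; every event is audited with the actor's labels.
"""
from __future__ import annotations


class LabelTracker:
    """Tracks label sets for processes and files and emits audit records."""

    def __init__(self) -> None:
        self.procs: dict[int, frozenset[str]] = {}   # pid  -> labels
        self.files: dict[str, frozenset[str]] = {}   # path -> labels
        self.audit: list[dict] = []                  # audit trail, in order

    def _record(self, event: str, pid: int, obj: str) -> dict:
        # The record carries the actor's labels as they are after the event.
        rec = {"event": event, "pid": pid, "object": obj,
               "labels": sorted(self.procs.get(pid, frozenset()))}
        self.audit.append(rec)
        return rec

    def start(self, pid: int, labels: set[str]) -> dict:
        """Bind initial labels to a fresh principal (e.g. set by a login service)."""
        self.procs[pid] = frozenset(labels)
        return self._record("start", pid, f"pid:{pid}")

    def fork(self, parent: int, child: int) -> dict:
        """Causality: a child inherits everything its parent carried."""
        self.procs[child] = self.procs.get(parent, frozenset())
        return self._record("fork", child, f"parent:{parent}")

    def read(self, pid: int, path: str) -> dict:
        """Information flow file -> process: the reader picks up the file's labels."""
        self.procs[pid] = (self.procs.get(pid, frozenset())
                           | self.files.get(path, frozenset()))
        return self._record("read", pid, path)

    def write(self, pid: int, path: str) -> dict:
        """Information flow process -> file: the file picks up the writer's labels."""
        self.files[path] = (self.files.get(path, frozenset())
                            | self.procs.get(pid, frozenset()))
        return self._record("write", pid, path)

    def influenced_by(self, label: str) -> list[dict]:
        """Forensic query: every audit record whose actor carried `label`."""
        return [r for r in self.audit if label in r["labels"]]


def run_scenario() -> LabelTracker:
    """Constructed scenario: a remote session's influence reaches a local job via a file."""
    t = LabelTracker()
    t.start(100, {"origin:net:203.0.113.7"})   # login service tags a remote session
    t.fork(100, 101)                           # interactive shell inherits the tag
    t.write(101, "/var/tmp/exchange")          # shell writes a shared file
    t.start(200, {"origin:local:cron"})        # unrelated local job starts
    t.read(200, "/var/tmp/exchange")           # ...and reads that file
    t.write(200, "/var/log/report")            # its output now carries both origins
    return t


if __name__ == "__main__":
    tracker = run_scenario()
    for rec in tracker.influenced_by("origin:net:203.0.113.7"):
        print(rec)
```

The point of the query at the end is that the local job's write to `/var/log/report` is attributed to the remote session even though no process relationship connects them; only the data flow through the file does. A real kernel implementation would hook the corresponding system calls and store the label set alongside the process and vnode structures rather than in dictionaries.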
