Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

@INPROCEEDINGS{10.1007/978-3-319-78813-5_42,
    author={Chonghua Wang and Shiqing Ma and Xiangyu Zhang and Junghwan Rhee and Xiaochun Yun and Zhiyu Hao},
    title={A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware},
    proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
    proceedings_a={SECURECOMM},
    year={2018},
    month={4},
    keywords={Provenance tracing, Kernel malware, Forensic investigation},
    doi={10.1007/978-3-319-78813-5_42}
}

Chonghua Wang, Shiqing Ma, Xiangyu Zhang, Junghwan Rhee, Xiaochun Yun, Zhiyu Hao (2018). A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware. SECURECOMM, Springer. DOI: 10.1007/978-3-319-78813-5_42
Chonghua Wang, Shiqing Ma [1], Xiangyu Zhang [1], Junghwan Rhee [2], Xiaochun Yun [3], Zhiyu Hao [3, *]
  • 1: Purdue University
  • 2: NEC Laboratories America
  • 3: Chinese Academy of Sciences
* Contact email: haozhiyu@iie.ac.cn

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trusted computing base, which makes these systems vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causality dependencies of the attacks. We evaluated our prototype on 12 real-world kernel malware samples, and the results show that it correctly identifies the provenance behaviors of the kernel malware.