Research Article
A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware
@INPROCEEDINGS{10.1007/978-3-319-78813-5_42,
  author={Chonghua Wang and Shiqing Ma and Xiangyu Zhang and Junghwan Rhee and Xiaochun Yun and Zhiyu Hao},
  title={A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware},
  proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
  proceedings_a={SECURECOMM},
  year={2018},
  month={4},
  keywords={Provenance tracing, Kernel malware, Forensic investigation},
  doi={10.1007/978-3-319-78813-5_42}
}
Authors:
- Chonghua Wang
- Shiqing Ma
- Xiangyu Zhang
- Junghwan Rhee
- Xiaochun Yun
- Zhiyu Hao
Year: 2018
A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware
SECURECOMM
Springer
DOI: 10.1007/978-3-319-78813-5_42
Abstract
Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensic tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most of them assume the Linux kernel to be part of the trust base, which makes these systems vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causality dependencies of the attacks. We evaluated our prototype on 12 real-world kernel malware samples, and the results show that it correctly identifies the provenance behaviors of the kernel malware.