sesa 19(18): e5

Research Article

HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

@ARTICLE{10.4108/eai.8-4-2019.157417,
    author={Chonghua Wang and Libo Yin and Jun Li and Xuehong Chen and Rongchao Yin and Xiaochun Yun and Yang Jiao and Zhiyu Hao},
    title={HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={5},
    number={18},
    publisher={EAI},
    journal_a={SESA},
    year={2019},
    month={1},
    keywords={Provenance Tracing; System Logging; Kernel Malware; Forensic Investigation},
    doi={10.4108/eai.8-4-2019.157417}
}
Chonghua Wang1, Libo Yin1,*, Jun Li1, Xuehong Chen1, Rongchao Yin1, Xiaochun Yun2, Yang Jiao3, Zhiyu Hao3
  • 1: China Industrial Control System Cyber Emergency Response Team, Beijing, China, 100040
  • 2: National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China, 100029
  • 3: Institute for Information Engineering, Chinese Academy of Sciences, Beijing, China, 100093
*Contact email: yinlibo@cics-cert.org.cn

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trusted computing base, which makes these systems vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causal dependencies of an attack. We evaluated our prototype on 12 real-world kernel malware samples, and the results show that it correctly identifies the provenance behaviors of the kernel malware with minor performance overhead.