HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Chonghua Wang; Libo Yin; Jun Li; Xuehong Chen; Rongchao Yin; Xiaochun Yun; Yang Jiao; Zhiyu Hao

Research Article

HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Download1279 downloads

Cite: BibTeX Plain Text

@ARTICLE{10.4108/eai.8-4-2019.157417,
    author={Chonghua Wang and Libo Yin and Jun Li and Xuehong Chen and Rongchao Yin and Xiaochun Yun and Yang Jiao and Zhiyu Hao},
    title={HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={5},
    number={18},
    publisher={EAI},
    journal_a={SESA},
    year={2019},
    month={1},
    keywords={Provenance Tracing; System Logging; Kernel Malware; Forensic Investigation},
    doi={10.4108/eai.8-4-2019.157417}
}

Chonghua Wang
Libo Yin
Jun Li
Xuehong Chen
Rongchao Yin
Xiaochun Yun
Yang Jiao
Zhiyu Hao
Year: 2019
HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware
SESA
EAI
DOI: 10.4108/eai.8-4-2019.157417

Chonghua Wang¹, Libo Yin¹^,*, Jun Li¹, Xuehong Chen¹, Rongchao Yin¹, Xiaochun Yun², Yang Jiao³, Zhiyu Hao³

1: China Industrial Control System Cyber Emergency Response Team, Beijing, China, 100040
2: National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China, 100029
3: Institute for Information Engineering, Chinese Academy of Sciences, Beijing, China, 100093

*Contact email: yinlibo@cics-cert.org.cn

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., ﬁles) are very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel level malware. To address this problem, we present HProve, a hypervisor level provenance tracing system to reconstruct kernel malware attack story. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware with a minor performance overhead.

Keywords: Provenance Tracing; System Logging; Kernel Malware; Forensic Investigation

Received: 2018-11-12
Accepted: 2018-12-17
Published: 2019-01-25
Publisher: EAI

: http://dx.doi.org/10.4108/eai.8-4-2019.157417

Copyright © 2019 Chonghua Wang et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.