HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Authors

  • Chonghua Wang, China Industrial Control System Cyber Emergency Response Team
  • Libo Yin, China Industrial Control System Cyber Emergency Response Team
  • Jun Li, China Industrial Control System Cyber Emergency Response Team
  • Xuehong Chen, China Industrial Control System Cyber Emergency Response Team
  • Rongchao Yin, China Industrial Control System Cyber Emergency Response Team
  • Xiaochun Yun, National Computer Network Emergency Response Technical Team/Coordination Center of China
  • Yang Jiao, Chinese Academy of Sciences
  • Zhiyu Hao, Chinese Academy of Sciences

DOI:

https://doi.org/10.4108/eai.8-4-2019.157417

Keywords:

Provenance Tracing, System Logging, Kernel Malware, Forensic Investigation

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensic tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most of them assume the Linux kernel is part of the trusted computing base, which leaves them vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causality dependencies of an attack. We evaluated our prototype on 12 real-world kernel malware samples; the results show that it correctly identifies the provenance behaviors of the kernel malware with minor performance overhead.
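The abstract's core idea, correlating hypervisor-observed kernel function calls on subjects and objects into causality dependencies and then walking them to recover an attack story, is the classic timestamped dependency-graph approach to provenance. The following is an added illustration of that technique, not HProve's code and not data from the paper: the event format, the kernel-function names used as labels, and the sample trace (a dropper receives a module over the network, a child process loads it, and the module then writes a sensitive file, with one unrelated process as noise) are all constructed assumptions. What it shows beyond the prose is the time constraint that keeps backward and forward tracing from pulling in unrelated activity.

```python
"""Provenance-graph reconstruction over constructed hypervisor-level events.

Added illustration, not HProve's code. Event fields, kernel-function names
and the sample trace are assumptions chosen to show the technique.
"""
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    ts: int          # logical order in which the hypervisor saw the kernel call
    subject: str     # acting subject: "pid:N" or a loaded kernel module
    kfunc: str       # kernel function observed (assumed names, e.g. vfs_write)
    obj: str         # object touched: file path, socket, module, child pid
    direction: str   # "out": subject -> obj (write/create); "in": obj -> subject (read)


# Constructed sample trace (not data from the paper): a dropper receives a
# kernel module over the network, a child loads it, and the module then
# tampers with a sensitive file. pid:300 is unrelated background noise.
TRACE = [
    Event(1, "pid:200",   "tcp_recvmsg", "sock:10.0.0.5:4444", "in"),
    Event(2, "pid:200",   "vfs_write",   "/tmp/rk.ko",         "out"),
    Event(3, "pid:200",   "do_fork",     "pid:201",            "out"),
    Event(4, "pid:201",   "vfs_read",    "/tmp/rk.ko",         "in"),
    Event(5, "pid:201",   "init_module", "module:rk",          "out"),
    Event(6, "module:rk", "vfs_write",   "/etc/passwd",        "out"),
    Event(7, "pid:300",   "vfs_read",    "/etc/hosts",         "in"),
]


def build_graph(trace):
    """Turn events into timestamped edges; returns (forward, backward) adjacency."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for e in trace:
        src, dst = (e.subject, e.obj) if e.direction == "out" else (e.obj, e.subject)
        fwd[src].append((dst, e.ts, e.kfunc))
        bwd[dst].append((src, e.ts, e.kfunc))
    return fwd, bwd


def backward_trace(bwd, target, at_ts=None):
    """Edges that could have causally led to `target`.

    An edge into a node only counts if it happened no later than the edge
    through which that node was reached; this time constraint is what keeps
    unrelated later activity (and the pid:300 noise) out of the story.
    """
    if at_ts is None:
        at_ts = max((ts for _, ts, _ in bwd.get(target, ())), default=0)
    edges, best = set(), {target: at_ts}
    queue = deque([(target, at_ts)])
    while queue:
        node, limit = queue.popleft()
        for src, ts, kf in bwd.get(node, ()):
            if ts > limit:
                continue
            edges.add((src, node, ts, kf))
            if best.get(src, -1) < ts:       # expand only if a looser bound is found
                best[src] = ts
                queue.append((src, ts))
    return edges


def forward_trace(fwd, origin, from_ts=0):
    """Mirror of backward_trace: everything `origin` could have influenced later."""
    edges, best = set(), {origin: from_ts}
    queue = deque([(origin, from_ts)])
    while queue:
        node, limit = queue.popleft()
        for dst, ts, kf in fwd.get(node, ()):
            if ts < limit:
                continue
            edges.add((node, dst, ts, kf))
            if best.get(dst, float("inf")) > ts:
                best[dst] = ts
                queue.append((dst, ts))
    return edges


def attack_story(trace, sensitive_obj):
    """Backward-trace from a sensitive object and render the causal chain in time order."""
    _, bwd = build_graph(trace)
    chain = sorted(backward_trace(bwd, sensitive_obj), key=lambda e: e[2])
    return [f"{ts}: {src} -[{kf}]-> {dst}" for src, dst, ts, kf in chain]


if __name__ == "__main__":
    for line in attack_story(TRACE, "/etc/passwd"):
        print(line)
```

Running the block prints the six-step chain from the C2 socket to the write of /etc/passwd and omits pid:300 entirely. The design point that matters for kernel malware is where the events come from: here they are a constructed list, whereas the abstract's argument is that the recorder itself must sit below the kernel (in the hypervisor), because a rootkit that controls the kernel can suppress or forge in-kernel audit records before any graph is built.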

Published

25-01-2019

How to Cite

Wang, C., Yin, L., Li, J., Chen, X., Yin, R., Yun, X., Jiao, Y., & Hao, Z. (2019). HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware. EAI Endorsed Transactions on Security and Safety, 5(18), e5. https://doi.org/10.4108/eai.8-4-2019.157417