XTRec: Secure Real-Time Execution Trace Recording on Commodity Platforms

Abstract-Provenance tracing is a very important approach to Advanced Persistent Threat (APT) attack detection and investigation. Existing techniques either suffer from the dependence explosion problem or have non-trivial space and runtime overhead, which hinder their application in practice. We propose ProTracer, a lightweight provenance tracing system that alternates between system event logging and unit level taint propagation. The technique is built on an on-the-fly system event processing infrastructure that features a very lightweight kernel module and a sophisticated user space daemon that performs concurrent and out-of-order event processing. The evaluation with different realistic system workloads and a number of attack cases show that ProTracer only produces 13MB log data per day, and 0.84GB(Server)/2.32GB(Client) in 3 months without losing any important information. The space consumption is only < 1.28% of the state-of-the-art, 7 times smaller than an off-line garbage collection technique. The run-time overhead averages <7% for servers and <5% for regular applications. The generated attack causal graphs are a few times smaller than those by existing techniques while they are equally informative.

show abstract

“…In [43], researchers proposed a primitive that provides the integrity of execution trace. It works on instruction-level execution traces.…”

Section: Related Workmentioning

confidence: 99%

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

Zhang

2016

Proceedings 2016 Network and Distributed System Security Symposium

155

152

View full text Add to dashboard Cite

show abstract

“…By following these change-of-flow instructions, it is quite easy to generate a complete program flow with the help of additional offline binary disassembly at the decoding phase. Dedicated hardware blocks in the Intel architecture, such as Last Branch Record, Branch Trace Store [15], and more recently Intel Processor Trace (PT) follow this approach. A detailed study of hardwareassisted tracing and profiling with Intel PT has been recently presented in [12].…”

Section: Related Workmentioning

confidence: 99%

Low Overhead Hardware-Assisted Virtual Machine Analysis and Profiling

Sharma

Nemati

Bastien

et al. 2016

2016 IEEE Globecom Workshops (GC Wkshps)

View full text Add to dashboard Cite

“…TrustVisor [7] and Lockdown [2] are fully functional, and their code sizes are precise. The development of HyperDbg [8], XTRec [6] and SecVisor [10] is sufficiently advanced to enable estimation of their final sizes via manual inspection of their existing sources and differentiation between the hypervisor core and hypapp-specific logic. Figure 6 shows that the XMHF core forms 48% of a hypapp's TCB, on average.…”

Section: A Xmhf Tcb and Case Studies With Hypappsmentioning

confidence: 99%

“…These systems are designed to provide interesting security and functional properties including secrecy of security sensitive application code and data [7], trusted user and application interfaces [2], [4], [13], application integrity and privacy [3], [5], [10], [11], [17], debugging support [8], malware analysis, detection and runtime monitoring [6], [9], [14]- [16] and trustworthy resource accounting [1]. A majority of these hypervisor-based solutions are designed and written from scratch with the primary goal of achieving a low Trusted Computing Base (TCB) while providing a specific security property and functionality in the context of an operating system or another (more traditional) hypervisor [2]- [10].…”

Section: Introductionmentioning

confidence: 99%

Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework

Vasudevan

Chaki

Jia

et al. 2013

2013 IEEE Symposium on Security and Privacy

109

View full text Add to dashboard Cite

We present the design, implementation, and verification of XMHF-an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals -modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hypervisor security property of memory integrity (i.e., ensuring that the hypervisor's memory is not modified by software running at a lower privilege level). We verify the memory integrity of the XMHF core -6018 lines of code -using a combination of automated and manual techniques. The model checker CBMC automatically verifies 5208 lines of C code in about 80 seconds using less than 2GB of RAM. We manually audit the remaining 422 lines of C code and 388 lines of assembly language code that are stable and unlikely to change as development proceeds. Our experiments indicate that XMHF's performance is comparable to popular high-performance general-purpose hypervisors for the single guest that it supports.

show abstract

XTRec: Secure Real-Time Execution Trace Recording on Commodity Platforms

Cited by 24 publications

References 17 publications

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

Low Overhead Hardware-Assisted Virtual Machine Analysis and Profiling

Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework

Contact Info

Product

Resources

About