Linux Provenance Modules: Secure Provenance Collection for the Linux Kernel

In spite of a growing interest in provenance-aware systems, mechanisms for automated provenance collection have failed to win acceptance in mainstream operating systems. This is due in part to a lack of consensus within disparate provenance development communities on a single general solution – provenance collection mechanisms have been proposed at a variety of operational layers wthin host systems, collecting metadata at a variety of scopes and granularities. Since provenance-aware systems must meet the needs of a variety of users in academic, enterprise, and government sectors, any provenance mechanisms must be capable of supporting many different provenance models while simultaneously ensuring the security of the provenance they collect. We present the Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems that imposes as little as 0.6% performance overhead on system operation. A key feature of LPM is its ability to leverage Linux’s existing security features to provide strong provenance security assurances. We go on to introduce a mechanism for policy-reduced provenance that reduces the costs of provenance collection by up to 74% by identifying a system’s trusted computing base. To our knowledge, this is the first working policybased provenance monitor proposed in the literature.