Abstract
Investigating attacks across multiple hosts is challenging. The true dependencies between security-sensitive files, network endpoints, or memory objects from different hosts can be easily concealed by dependency explosion or undefined program behavior (e.g., memory corruption). Dynamic information flow tracking (DIFT) is a potential solution to this problem, but, existing DIFT techniques only track information flow within a single host and lack an efficient mechanism to maintain and synchronize the data flow tags globally across multiple hosts. In this paper, we propose RTAG, an efficient data flow tagging and tracking mechanism that enables practical cross-host attack investigations. RTAG is based on three novel techniques. First, by using a record-and-replay technique, it decouples the dependencies between different data flow tags from the analysis, enabling lazy synchronization between independent and parallel DIFT instances of different hosts. Second, it takes advantage of systemcall-level provenance information to calculate and allocate the optimal tag map in terms of memory consumption. Third, it embeds tag information into network packets to track cross-host data flows with less than 0.05% network bandwidth overhead. Evaluation results show that RTAG is able to recover the true data flows of realistic cross-host attack scenarios. Performance wise, RTAG reduces the memory consumption of DIFT-based analysis by up to 90% and decreases the overall analysis time by 60%-90% compared with previous investigation systems.
Original language | English (US) |
---|---|
Title of host publication | Proceedings of the 27th USENIX Security Symposium |
Publisher | USENIX Association |
Pages | 1705-1722 |
Number of pages | 18 |
ISBN (Electronic) | 9781939133045 |
State | Published - 2018 |
Externally published | Yes |
Event | 27th USENIX Security Symposium - Baltimore, United States Duration: Aug 15 2018 → Aug 17 2018 |
Publication series
Name | Proceedings of the 27th USENIX Security Symposium |
---|
Conference
Conference | 27th USENIX Security Symposium |
---|---|
Country/Territory | United States |
City | Baltimore |
Period | 8/15/18 → 8/17/18 |
Bibliographical note
Publisher Copyright:© 2018 Proceedings of the 27th USENIX Security Symposium. All rights reserved.