Run-Time Label Propagation for Forensic Audit Data
Author
Florian Buchholz and Eugene H. Spafford
Tech report number
CERIAS TR 2007-68
Abstract
It is desirable to be able to gather more forensically valuable audit data from computing systems than is currently done or possible. This is useful for the reconstruction of events that took place on the system for the purpose of digital forensic investigations. In this paper, we propose a mechanism that allows
arbitrary meta-information bound to principals on a system to be propagated based on causality influenced by information flow. We further discuss how to implement such a mechanism for the FreeBSD operating system and present a proof-of-concept implementation that has little overhead compared to the system without label propagation.
Booktitle
Computers & Security
Affiliation
James Madison University, CERIAS
Publication Date
2007-01-01
Contents
1. Introduction
2. Related Work
2.1 Static Information Flow Analysis
2.2 Dynamic Analysis
3. Propagation Model
3.1 Causality and Labels
3.2 Description of the Model
3.3 Properties of the Propagation Model
4. Implementation
4.1 Subsystems Affected by Label Propagation
4.2 Data Structures and Operations
4.3 IPC: Sockets
4.4 Shared Resources: Files
5. Results
5.1 User Influence
5.2 Location Information
5.3 Remote System Compromise
5.4 Performance Overhead
6. Conclusion
Keywords
Forensic Audit Data, Run-time Label Propagation
Subject
Run-Time Label Propagation for Forensic Audit Data