Run-Time Label Propagation for Forensic Audit Data

Get BibTex-formatted data

Download

PDF

Author

Florian Buchholz and Eugene H. Spafford

Tech report number

CERIAS TR 2007-68

Entry type

inbook

Abstract

It is desirable to be able to gather more forensically valuable audit data from computing systems than is currently done or possible. This is useful for the reconstruction of events that took place on the system for the purpose of digital forensic investigations. In this paper, we propose a mechanism that allows arbitrary meta-information bound to principals on a system to be propagated based on causality influenced by information flow. We further discuss how to implement such a mechanism for the FreeBSD operating system and present a proof-of-concept implementation that has little overhead compared to the system without label propagation.

Download

PDF

Date

2007

URL

http://www.infosec.jmu.edu/rep ... u-infosec-tr-2006-001.pdf

Booktitle

Computers & Security

Key alpha

Buchholz

Publisher

Elsevier

Affiliation

James Madison University, CERIAS

Publication Date

2007-01-01

1. Introduction 2. Related Work 2.1 Static Information Flow Analysis 2.2 Dynamic Analysis 3. Propagation Model 3.1 Causality and Labels 3.2 Description of the Model 3.3 Properties of the Propagation Model 4. Implementation 4.1 Subsystems Affected by Label Propagation 4.2 Data Structures and Operations 4.3 IPC: Sockets 4.4 Shared Resources: Files 5. Results 5.1 User Influence 5.2 Location Information 5.3 Remote System Compromise 5.4 Performance Overhead 6. Conclusion

Keywords

Forensic Audit Data, Run-time Label Propagation

Language

English

Subject

Run-Time Label Propagation for Forensic Audit Data

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Inbook{ Buchholz,
	title = "Run-Time Label Propagation for Forensic Audit Data",
	author = "Florian Buchholz and Eugene H. Spafford",
	year = "2007",
	booktitle = "Computers & Security",
	publisher = "Elsevier",
	abstract = "It is desirable to be able to gather more forensically valuable audit data from computing systems than is currently done or possible. This is useful for the reconstruction of events that took place on the system for the purpose of digital forensic investigations. In this paper, we propose a mechanism that allows 
arbitrary meta-information bound to principals on a system to be propagated based on causality influenced by information flow. We further discuss how to implement such a mechanism for the FreeBSD operating system and present a proof-of-concept implementation that has little overhead compared to the system without label propagation. 
",
	affiliation = "James Madison University, CERIAS",
	contents = "1. Introduction
2. Related Work
2.1 Static Information Flow Analysis
2.2 Dynamic Analysis
3. Propagation Model
3.1 Causality and Labels
3.2 Description of the Model
3.3 Properties of the Propagation Model
4. Implementation
4.1 Subsystems Affected by Label Propagation
4.2 Data Structures and Operations
4.3 IPC: Sockets
4.4 Shared Resources: Files
5. Results
5.1 User Influence
5.2 Location Information
5.3 Remote System Compromise
5.4 Performance Overhead
6. Conclusion",
	keywords = "Forensic Audit Data, Run-time Label Propagation",
	language = "English",
	subject = "Run-Time Label Propagation for Forensic Audit Data",
	url = "http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2006-001.pdf",
}

Run-Time Label Propagation for Forensic Audit Data

Download

Author

Tech report number

Entry type

Abstract

Download

Date

URL

Booktitle

Key alpha

Publisher

Affiliation

Publication Date

Contents

Keywords

Language

Subject

BibTex-formatted data