Skip to content

Practical whole-system provenance capture

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Original languageEnglish
Title of host publicationSoCC 2017 - Proceedings of the 2017 Symposium on Cloud Computing
Publisher or commissioning bodyAssociation for Computing Machinery (ACM)
Pages405-418
Number of pages14
ISBN (Electronic)9781450350280
DOIs
DateAccepted/In press - 24 Sep 2017
DatePublished (current) - 24 Sep 2017
Event2017 Symposium on Cloud Computing, SoCC 2017 - Santa Clara, United States
Duration: 24 Sep 201727 Sep 2017

Conference

Conference2017 Symposium on Cloud Computing, SoCC 2017
CountryUnited States
CitySanta Clara
Period24/09/1727/09/17

Abstract

Data provenance describes how data came to be in its present form. It includes data sources and the transformations that have been applied to them. Data provenance has many uses, from forensics and security to aiding the reproducibility of scientific experiments. We present CamFlow, a whole-system provenance capture mechanism that integrates easily into a PaaS offering. While there have been several prior whole-system provenance systems that captured a comprehensive, systemic and ubiquitous record of a system's behavior, none have been widely adopted. They either A) impose too much overhead, B) are designed for long-outdated kernel releases and are hard to port to current systems, C) generate too much data, or D) are designed for a single system. CamFlow addresses these shortcoming by: 1) leveraging the latest kernel design advances to achieve efficiency; 2) using a self-contained, easily maintainable implementation relying on a Linux Security Module, NetFilter, and other existing kernel facilities; 3) providing a mechanism to tailor the captured provenance data to the needs of the application; and 4) making it easy to integrate provenance across distributed systems. The provenance we capture is streamed and consumed by tenant-built auditor applications. We illustrate the usability of our implementation by describing three such applications: demonstrating compliance with data regulations; performing fault/intrusion detection; and implementing data loss prevention. We also show how CamFlow can be leveraged to capture meaningful provenance without modifying existing applications.

    Research areas

  • Data provenance, Linux kernel, Whole-system provenance

Event

2017 Symposium on Cloud Computing, SoCC 2017

Duration24 Sep 201727 Sep 2017
CitySanta Clara
CountryUnited States
SponsorsACM SIGMOD (External organisation), ACM SIGOPS (External organisation)

Event: Conference

Documents

DOI

View research connections

Related faculties, schools or groups