Progger 3: A low-overhead, tamper-proof provenance system

Abstract

Data provenance, which describes how data is accessed and used since the time it is created, is a valuable resource with a wide range of uses. It can be used simply to know who has accessed one's data, or be used in more complex scenarios such as detecting malware. One method for collecting data provenance is to observe system calls. This thesis presents Progger 3, a system that observes system calls on Linux in order to collect data provenance. There are several existing provenance systems that observe system calls, but they have limitations regarding security, efficiency, and usability. Progger 3 remedies many of these limitations. As a result, Progger 3 is a working implementation of a provenance system that can observe any system call, guarantee tamper-proof provenance collection as long as the kernel on the client is not compromised, and transfer the provenance to other systems with confidentiality and integrity, all with a relatively low performance overhead.