Category: Conference
Authors: Paul R. B. Houssel, Sylvie Laniepce and Olivier Levillain
Date: June 2025
System provenance models the interactions between system subjects and objects, enabling post-mortem and root-cause analyses of cyberattacks. Despite numerous contributions to provenance systems, there remains little consensus on the reliability of existing telemetry collection methods. Linux Security Module (LSM) interfaces present a promising alternative thanks to their inherent stability and safety for production environments. However, since LSMs do not capture the full granularity of system calls, it is unclear whether they can support the creation of sound provenance graphs. In this work, we study the evolution of these kernel interfaces and their coverage.
Presented at the IEEE/IFIP DSN-S conference in Naples, Italy, in June 2025