Category: Conference
Authors: Paul Houssel, Olivier Levillain and Nicolas Dejon
Date: May 2026
Provenance enables security and forensic analyses by capturing the causal relationships between subjects and objects as provenance graphs. Although eBPF is now widely used to capture kernel activity and record provenance, there is still no consensus on the capture model, that is, the set of kernel interfaces used to capture provenance. In this work, we analyze existing provenance systems and empirically evaluate the kernel capture interfaces that could form such a capture model. Our findings highlight the capture model as an important design choice of provenance systems, with a holistic impact. We show that capturing provenance directly within the kernel, using extended Berkeley Packet Filter (eBPF) programs attached to Linux Security Module (LSM) interfaces, provides the best trade-off among completeness, performance, and integrity for provenance systems.
Presented at the RESSI conference in Clervaux, Luxembourg, in May 2026