Towards practical whole-system provenance


There is a consensus that understanding data provenance, the origin and history of digital artifacts, is important. Whole-system provenance systems are capture mechanisms aimed at recording all information flows in an operating system. Such systems have been the subject of recent attention from the research security community. However, whole-system provenance as yet to make a significant impact outside of academic circles. In this talk, I will present our work on CamFlow an open-source whole-system provenance implementation for Linux, and briefly introduce ongoing work on provenance-based intrusion detection as an application example. I will discuss the technical barriers to practical whole-system provenance we aimed to overcome, and those left to address.

Edinburgh, United Kingdom