PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability

ABSTRACTSystem auditing is the foundation of attack provenance to investigate root causes and ramifications of cyber-attacks. However, provenance tracking on coarse-grained audit logs suffers from false causalities caused by dependency explosion. Recent approaches address this problem by increasing provenance granularity using execution partitioning or record-and-replay techniques. Unfortunately, they require program instrumentation and/or impose an unaffordable overhead, which is not practical in deployment. In this paper, we present PalanTír, a provenance-based system that enhances system observability to enable precise and scalable attack investigation. Leveraging hardware-assisted processor tracing (PT), PalanTír optimizes attack provenance in system-call-level audit logs by recovering instruction-level causalities via taint analysis based on PT traces. To reduce the scope of taint analysis and simplify the complexity of taint propagation, PalanTír statically profiles program binaries to identify instructions causally relevant to audit logs and pre-summarize their taint propagation logic at the coarse granularity of basic blocks. Our evaluation against real-life cyber-attacks shows PalanTír's efficiency and effectiveness in attack scenario reconstruction. We also demonstrate that PalanTír can scale to large applications (e.g., Nginx and Sendmail) compiled from upwards of 463,510 lines of C/C++ code.