EAGER: Collaborative: Secure and Efficient Data Provenance

EAGER：协作：安全高效的数据来源

• 批准号: 1445967
• 负责人: Micah Sherr
• 金额: $ 9.67万
• 依托单位: Georgetown University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-10-01 至 2016-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1445967&HistoricalAwards=false
• 关键词: EAGER; Collaborative; Secure; Efficient; Data

Data provenance involves determining the conditions under which information was originally generated, as well as all subsequent modifications to that information and the conditions under which those modifications were performed. As systems become increasingly distributed and organizations become reliant on cloud computing for processing their data, the need to securely manage and validate the provenance of that data becomes critical.This project develops new frameworks for evaluating secure fine-grained provenance collection and management in hosts. The research activities examine the architectures and algorithms required to make the collection and management of trustworthy provenance feasible at scale. We provide a general architecture for collecting provenance at the kernel level and consider methods of reducing the amount of provenance generated and managed while maintaining high-fidelity provenance records. The project introduces a number of optimizations to enable scalable and performant provenance collection, including policy-based log reduction and provenance deduplication. The project's main scientific contributions include (1) the development of Linux Provenance Modules that provide complete provenance mediation within the Linux kernel; (2) the design of policy-reduced provenance through the use of mandatory access control policies to reduce the number of subjects and actions that are provenance-generating events to those of interest in a system; and (3) techniques for deduplication of provenance such that minimal records for commonly occurring events can be stored and later fully reconstructed. We will demonstrate that our approach makes provenance collection practical at scale, enabling more secure and trustworthy computing environments.

数据来源涉及确定信息最初生成的条件，以及对该信息的所有后续修改以及进行这些修改的条件。随着系统变得越来越分布式，组织越来越依赖云计算来处理数据，安全管理和验证数据来源的需求变得至关重要。该项目开发了新的框架，用于评估主机中安全的细粒度来源收集和管理。 研究活动检查所需的架构和算法，使收集和管理可信的出处可行的规模。我们提供了一个通用的体系结构，在内核级收集出处，并考虑减少产生和管理的出处，同时保持高保真的出处记录的数量的方法。 该项目引入了许多优化，以实现可扩展和高性能的出处收集，包括基于策略的日志减少和出处重复数据删除。 该项目的主要科学贡献包括：（1）开发Linux起源模块，在Linux内核中提供完整的起源中介;（2）通过使用强制访问控制策略来减少作为系统中感兴趣的起源生成事件的主体和动作的数量，从而设计减少策略的起源;以及（3）用于起源的重复数据删除的技术，使得可以存储通常发生的事件的最少记录并且稍后完全重构。 我们将证明，我们的方法使出处收集在规模上实用，从而实现更安全和值得信赖的计算环境。