index.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-us">
<head>
  
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-83032453-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());

    gtag('config', 'UA-83032453-1');
  </script>
  <meta name="generator" content="Hugo 0.78.2" />

  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">

  <title>CamFlow: practical whole-system provenance for Linux</title>
  <meta name="description" content="CamFlow is a practical whole-system provenance capture mechanism for the Linux operating system."/>


  <meta property=og:site_name content="CamFlow">
  <meta property=og:url content="http://camflow.org/">
  <meta property=og:title content="CamFlow: practical whole-system provenance for Linux">
  <meta property=og:description content="CamFlow is a practical whole-system provenance capture mechanism for the Linux operating system.">
  <meta property=og:image content="http://camflow.org/images/ubc.jpg">
  <meta property=og:locale content="en-us">

  <meta property=twitter:site content="@tfjmp">
  <meta property=twitter:creator content="@tfjmp">
  <meta name="twitter:title" content="CamFlow: practical whole-system provenance for Linux">
  <meta name="twitter:description" content="CamFlow is a practical whole-system provenance capture mechanism for the Linux operating system.">
  <meta name="twitter:image" content="http://camflow.org/images/ubc.jpg">
  <meta name="twitter:card" content="summary">

  <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
  <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet">
  <link rel="stylesheet" href="https://camflow.org/css/styles.css">
  
  <link href="https://camflow.org/index.xml" rel="alternate" type="application/rss+xml" title="CamFlow" />

</head>
<body>

<div class="sidebar sidebar-blue">
    <div class="navigation">
        <div>
</div>

        <h1 class="site-title"><a href="https://camflow.org/">CamFlow</a></h1>


        <nav class="internal">
            <ul>
    
        
            
    <li>
        <a href="#about">CamFlow project</a>
        <ul>
            
            
                <li><a href="#support">Support</a></li>
            
                <li><a href="#contributing">Contributing</a></li>
            
        </ul>
    </li>



        
            
    <li>
        <a href="#installation">Installation</a>
        <ul>
            
            
                <li><a href="#package">Package manager</a></li>
            
                <li><a href="#source">From source</a></li>
            
                <li><a href="#vagrant">Vagrant</a></li>
            
                <li><a href="#reboot">Reboot and GRUB</a></li>
            
        </ul>
    </li>



        
            
    <li>
        <a href="#tutorial">Quick start</a>
        <ul>
            
            
                <li><a href="#graph">Provenance graph</a></li>
            
                <li><a href="#overview">Architecture overview</a></li>
            
                <li><a href="#walk">Walk-through</a></li>
            
        </ul>
    </li>



        
            
    <li>
        <a href="#configuration">Configuration</a>
        <ul>
            
            
                <li><a href="#capture">Capture configuration</a></li>
            
                <li><a href="#recording">Recording configuration</a></li>
            
        </ul>
    </li>



        
            
    <li>
        <a href="#output_format">Output format</a>
        <ul>
            
            
                <li><a href="#examples">Examples</a></li>
            
                <li><a href="#attributes">Attributes</a></li>
            
                <li><a href="#formal">Formal modelling</a></li>
            
        </ul>
    </li>



        
            
    <li>
        <a href="#query">CamQuery</a>
    </li>



        
            
    <li>
        <a href="#publications">Publications</a>
        <ul>
            
            
                <li><a href="#publications_capture">Capture</a></li>
            
                <li><a href="#publications_usecases">Applications</a></li>
            
        </ul>
    </li>



        
    
</ul>

        </nav>

        <nav class="external">
            <div class="external-title">Learn more</div>
            
            <ul id="shortcuts">
                
                <li>
                    <a href="https://github.com/CamFlow" target="_blank" rel="noopener">CamFlow on Github</a>
                </li>
                
                <li>
                    <a href="https://github.com/CamFlow/website/issues" target="_blank" rel="noopener">Create issue regarding the documentation</a>
                </li>
                
            </ul>
            
        </nav>
    </div>

    <div class="version">
            generated on Sep 5, 2023
    </div>
</div>

<div class="content">
    
        
            
    <section class="page" id="about">
    <h1>
        <a href="#about">CamFlow project</a>
    </h1>
    <div class="content">
        <p>CamFlow stands for <strong>Cam</strong>bridge information <strong>Flow</strong> architecture, the Cam is also the river that flows through Cambridge, UK.
CamFlow is a <a href="https://www.kernel.org/doc/Documentation/security/LSM.txt">Linux Security Module</a> (LSM) designed to capture data provenance for the purpose of system audit.
The whole-system provenance capture mechanism is highly configurable, and can fit the needs of many different type of applications.
CamFlow can stack with existing security modules such as <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/ch-selinux">SELinux</a>.</p>
<!-- raw HTML omitted -->
<p>To get in touch about the project, please contact <a href="https://tfjmp.org">Thomas Pasquier</a>.</p>
<!-- raw HTML omitted -->

    </div>
</section>

    
            
                <section class="page" id="support">
    <h1>
        <a href="#support">Support</a>
    </h1>
    <div class="content">
        <p>CamFlow development started in 2014 at the University of Cambridge&rsquo;s <a href="https://www.cl.cam.ac.uk/research/srg/opera/">Opera Research Group</a> (grant <a href="http://gow.epsrc.ac.uk/NGBOViewGrant.aspx?GrantRef=EP/K011510/1">EPSRC EP/K011510/1</a>).
Further development has been supported by Harvard University&rsquo;s <a href="https://crcs.seas.harvard.edu/">Center for Research on Computation and Society</a> as part of the <a href="https://projects.iq.harvard.edu/provenance-at-harvard">Provenance@Harvard</a> project (NSF grant <a href="https://nsf.gov/awardsearch/showAward?AWD_ID=1450277">SSI-1450277</a>) and the University of Cambridge&rsquo;s <a href="https://www.cl.cam.ac.uk/research/dtg/www/">Digital Technology Group</a>.
Development is currently being supported by the <a href="https://systopia.cs.ubc.ca/">University of British Columbia</a>.</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>Thanks to <a href="https://cloudsmith.com/">Cloudsmith</a> for hosting our packages.</p>

    </div>
</section>

            
                <section class="page" id="contributing">
    <h1>
        <a href="#contributing">Contributing</a>
    </h1>
    <div class="content">
        <p>The easiest way to contribute to CamFlow is by submitting issues to suggest improvements or report bugs. When reporting a bug, please specify the version of CamFlow you are running and your Linux distribution. To contribute a new feature, please fork the repository of the component you wish to improve, and submit a pull request against the dev branch. The pull request must pass the continuous integration test before it can be merged.</p>

    </div>
</section>

            



        
            
    <section class="page" id="installation">
    <h1>
        <a href="#installation">Installation</a>
    </h1>
    <div class="content">
        <p>There are three main options covered below for how to install CamFlow:</p>
<ol>
<li>using the package manager on Fedora <strong>this is the recommended route</strong>;</li>
<li>building the kernel on the local machine; or</li>
<li>using <a href="https://www.vagrantup.com/">vagrant</a> to set up a virtual machine.
The installation process can take a significant amount of time depending on your
machine/network configuration.
If you plan to use VM we suggest to use a recent machine with at least 16GB of RAM
and 20GB of disk space.</li>
</ol>
<!-- raw HTML omitted -->
<p>CamFlow is an academic project. While CamFlow is actively maintained, an operating system
is a complex environment with a multitude of moving parts and our resources are limited.
CamFlow is mostly tested in virtualized environment and we do not have the resources
for extensive test.
Please, get in touch with
<a href="https://tfjmp.org/">Thomas Pasquier</a>
if you encounter any issue.</p>
<!-- raw HTML omitted -->

    </div>
</section>

    
            
                <section class="page" id="package">
    <h1>
        <a href="#package">Package manager</a>
    </h1>
    <div class="content">
        <p>The quickest way to install CamFlow is through the packages hosted on <strong><a href="https://cloudsmith.io/~camflow/repos/camflow/packages/">cloudsmith</a></strong>. For now, only Fedora is supported (please, click on this <a href="https://cloudsmith.io/~camflow/repos/camflow/packages/">link</a> and check which release(s) is/are currently supported).</p>
<h3 id="fedora">Fedora</h3>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">curl -1sLf <span style="color:#d88200">&#39;https://dl.cloudsmith.io/public/camflow/camflow/cfg/setup/bash.rpm.sh&#39;</span> <span style="color:#111">|</span> sudo -E bash
sudo dnf -y install camflow
</code></pre></div><h3 id="after-installing-packages">After installing packages</h3>
<p>Next we need to activate the two CamFlow services:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">sudo systemctl <span style="color:#111">enable</span> camconfd.service
sudo systemctl <span style="color:#111">enable</span> camflowd.service
</code></pre></div><p>After reboot we should be ready to use CamFlow.</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">sudo reboot now
</code></pre></div><!-- raw HTML omitted -->
<p>Packages are tested in virtual environment with a limited set of configurations.
In most cases things work fine.
However, if you encounter any issue, please do look at how to build the project from source.</p>
<!-- raw HTML omitted -->

    </div>
</section>

            
                <section class="page" id="source">
    <h1>
        <a href="#source">From source</a>
    </h1>
    <div class="content">
        <h3 id="dependencies">Dependencies</h3>
<p>First we need to install the dependencies required to build our kernel.</p>
<p>Depending on how recent your OS version is, you should install <code>libelf-dev</code>, <code>libelf-devel</code>, or <code>elfutils-libelf-devel</code>.
See this <a href="https://github.com/CamFlow/documentation/issues/3">issue</a> for details.</p>
<h4 id="fedora">Fedora</h4>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">sudo dnf groupinstall <span style="color:#d88200">&#39;Development Tools&#39;</span>
sudo dnf install ncurses-devel cmake clang gcc-c++ wget git openssl-devel zlib
sudo dnf install patch mosquitto bison flex ruby dwarves elfutils-libelf-devel
sudo dnf install uthash-devel inih-devel paho-c-devel
</code></pre></div><h3 id="building-and-installing-the-kernel">Building and Installing the kernel</h3>
<p>We first need to clone the <code>camflow-install</code> repository:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">git clone https://github.com/CamFlow/camflow-install
</code></pre></div><p>We then get the installation started:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH"><span style="color:#111">cd</span> camflow-install
make all
</code></pre></div><p>This will build and install the CamFlow Linux Security Module as well as the userspace tools. The whole installation procedure may take a significant amount of time. The installation process may ask for the root password, so may not complete in an unattended manner.</p>
<p>Early in the build process you will be presented with a GUI to customise the kernel configuration. If you are not sure what to do, do not modify the configuration.
Through this GUI, in addition to enabling provenance capture, you can: 1) set persistence of provenance state on/off (off by default)
and 2) whole-system capture from boot on/off (off by default).
The kernel configuration derives from the configuration currently presents on the system where you run the build, consequently in most cases you should not need to modify anything not relating to provenance capture.</p>
<!-- raw HTML omitted -->
<p>Configuration options need to be carefully considered in resource-constrained environment.</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>Kernel version 5.1.x saw the modification of Linux Security Module stacking.
It is important to ensure that CamFlow is properly loaded and is processed last.</p>
<p>During the configuration stage, select the <code>Security options</code>:</p>
<p><img src="./images/security_options.png" alt="Select &ldquo;Security options&rdquo;."></p>
<p>Then select the list at the bottom of the menu:</p>
<p><img src="./images/list.png" alt="Select the list at the bottom of the menu."></p>
<p><code>provenance</code> <strong>must</strong> be listed and <strong>should</strong> appear last (i.e. you should add it to the list):</p>
<p><img src="./images/last.png" alt="provenance should be listed and appear last."></p>
<p>If <code>provenance</code> is not listed, CamFlow module will simply not be loaded.</p>
<!-- raw HTML omitted -->
<p>For the installation process to take effect you need to reboot the machine.</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">sudo reboot now
</code></pre></div>
    </div>
</section>

            
                <section class="page" id="vagrant">
    <h1>
        <a href="#vagrant">Vagrant</a>
    </h1>
    <div class="content">
        <p>Using a vagrant virtual machine is much simpler. First you need to install <a href="https://www.vagrantup.com/docs/installation/">vagrant</a> and <a href="https://www.virtualbox.org/manual/ch02.html">virtualbox</a>.</p>
<p>On Ubuntu, for example, that can be done as follows:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">sudo apt-get install virtualbox
sudo apt-get install vagrant
</code></pre></div><!-- raw HTML omitted -->
<p>Some Linux distributions ship very outdated version of VirtualBox or Vagrant.
Outdated versions, and host/guest version mismatch are known to cause all sorts of troubles during provisioning.</p>
<p>Please check <a href="https://www.vagrantup.com/downloads.html">Vagrant</a> and <a href="https://www.virtualbox.org/wiki/Downloads">VirtualBox</a> for details on how to install the latest version.</p>
<!-- raw HTML omitted -->
<p>Once vagrant and virtualbox are installed, you need to obtain CamFlow vagrant provision script:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH">git clone https://github.com/CamFlow/vagrant.git
<span style="color:#111">cd</span> ./vagrant
</code></pre></div><p>There are different provisioning scripts available within the <code>CamFlow/vagrant.git</code> repository: please see in the <a href="https://github.com/CamFlow/vagrant">camflow/vagrant</a> for details on what they do. We will use the <code>rpm</code> provisioning script as an example:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-BASH" data-lang="BASH"><span style="color:#111">cd</span> ./rpm
vagrant plugin install vagrant-vbguest
vagrant up
<span style="color:#75715e"># we reboot after the provisioning</span>
vagrant reload
</code></pre></div><p>You can customize the <code>Vagrantfile</code> to personalize your experience.</p>
<!-- raw HTML omitted -->
<p>Running virtual machines is resource consuming. Please, make sure the host has sufficient resource to do so (disk space, RAM, CPU etc.).</p>
<!-- raw HTML omitted -->

    </div>
</section>

            
                <section class="page" id="reboot">
    <h1>
        <a href="#reboot">Reboot and GRUB</a>
    </h1>
    <div class="content">
        <p>When booting a VM after successful provisioning, ensure that the CamFlow kernel
is chosen in the <a href="https://www.gnu.org/software/grub/">GRUB</a> menu, as illustrated
bellow:</p>
<p><img src="./images/grub.png" alt="Select CamFlow kernel in the GRUB menu."></p>

    </div>
</section>

            



        
            
    <section class="page" id="tutorial">
    <h1>
        <a href="#tutorial">Quick start</a>
    </h1>
    <div class="content">
        
    </div>
</section>

    
            
                <section class="page" id="graph">
    <h1>
        <a href="#graph">Provenance graph</a>
    </h1>
    <div class="content">
        <p>CamFlow represents the execution of a system as a directed acyclic graph.
Vertices in the graph represent states of kernel objects (e.g. threads, files, sockets etc&hellip;) and relations represent flow of information between those states.</p>
<p><a href="./images/graph.pdf"><img src="./images/graph.png" alt="CamFlow graph overview" title="CamFlow graph overview"></a></p>
<p>In the above example <code>process 1</code> clone <code>process 2</code>.
<code>process 2</code> write to a <code>pipe</code>.
<code>process 1</code> read from the same <code>pipe</code>.
Version are created to guarantees acyclicity and to represent proper odering of information (see our <a href="http://camflow.org/publications/ccs-2018.pdf">CCS'18 paper</a> for details).</p>
<!-- raw HTML omitted -->
<p>Further description of the provenance are discussed in the <a href="#output_format">output section</a>.</p>
<!-- raw HTML omitted -->

    </div>
</section>

            
                <section class="page" id="overview">
    <h1>
        <a href="#overview">Architecture overview</a>
    </h1>
    <div class="content">
        <p><a href="./images/arch.pdf"><img src="./images/arch.png" alt="CamFlow architecture overview" title="CamFlow architecture overview"></a></p>
<p><strong>CamFlow capture mechanism:</strong> CamFlow is an implementation of the <a href="http://patrickmcdaniel.org/pubs/acsac12.pdf">whole-system provenance concept</a>.
The idea is to perform provenance capture from the OS perspective, while providing guarantees about its completeness.
This is achieved by relying on the OS <a href="https://en.wikipedia.org/wiki/Reference_monitor">reference monitor</a> that capture interactions between user level applications and kernel objects.
CamFlow is implemented in the Linux kernel and relies on the <a href="https://www.kernel.org/doc/Documentation/security/LSM.txt">Linux Security Module framework</a> and the <a href="https://en.wikipedia.org/wiki/Netfilter">NetFilter framework</a> to effect the capture.
<a href="https://github.com/CamFlow/camflow-dev">source code</a></p>
<p><strong>camflowd:</strong> <code>camflowd</code> is a daemon charged of recording the provenance captured  in the kernel by CamFlow.
The provenance records are published by CamFlow to <a href="https://lwn.net/Articles/174669/">relayfs</a> pseudo files.
The daemons retrieve those records, serialise them to a configuration-specified format and write them to a configuration-specified output.
<a href="https://github.com/CamFlow/camflowd">source code</a></p>
<!-- raw HTML omitted -->
<p>Configuration details are discussed in the <a href="#recording">recording configuration section</a>.</p>
<!-- raw HTML omitted -->
<p><strong>camconfd:</strong> <code>camconfd</code> is a daemon charged with configuring the in-kernel capture mechanism.
The configuration daemon reads from <code>/etc/camflow.ini</code> and load the specified configuration into the kernel via a <a href="https://lwn.net/Articles/153366/">securityfs</a> interface.
<a href="https://github.com/CamFlow/camconfd">source code</a></p>
<!-- raw HTML omitted -->
<p>Configuration details are discussed in the <a href="#capture">capture configuration section</a>.</p>
<!-- raw HTML omitted -->
<p><strong>camflow-cli:</strong> CamFlow CLI (<code>camflow</code>) allows to dynamically modify the capture configuration through the command line. Further details are given in <a href="#walk">our walk through tutorial</a>.
<a href="https://github.com/CamFlow/camflow-cli">source code</a></p>
<p><strong>libprovenance:</strong> is a C library implementing userspace utility functions to interact with CamFlow <a href="https://lwn.net/Articles/174669/">relayfs</a> and <a href="https://lwn.net/Articles/153366/">securityfs</a> interfaces.
<a href="https://github.com/CamFlow/libprovenance">source code</a></p>

    </div>
</section>

            
                <section class="page" id="walk">
    <h1>
        <a href="#walk">Walk-through</a>
    </h1>
    <div class="content">
        <p>In this walk-through we explore how to capture and look at the provenance generated by <code>wget</code>. The tutorial assumes that CamFlow has been installed and is running on a Fedora machine, and that the reader has some familiarity with <a href="./publications/socc-2017.pdf">our paper describing linux provenance capture (ACM SoCC'17)</a>.</p>
<!-- raw HTML omitted -->
<p>You can install <code>nano</code> to easily edit files from the command line:</p>
<pre><code>$ sudo dnf install nano
</code></pre><!-- raw HTML omitted -->
<p>First we should verify that our kernel indeed contains CamFlow:</p>
<pre><code>$ uname -r
X.X.Xcamflow_Y.Y.Y
</code></pre><p>X.X.X corresponds to the kernel version, and Y.Y.Y to CamFlow version.</p>
<p>You can check system events relating to CamFlow as follows:</p>
<pre><code>$ journalctl -b -0 | grep camflow
</code></pre><p>We next check the configuration options that are available to us:</p>
<pre><code>$ camflow -h
-h
 usage.

-v
 version.

-s
 print provenance capture state.

-c
 print out current configuration (can copy content in /etc/camflow.ini).

-e &lt;bool&gt;
 enable/disable provenance capture.

-a &lt;bool&gt;
 activate/deactivate whole-system provenance capture.

--compress-node &lt;bool&gt;
 activate/deactivate node compression.

--compress-edge &lt;bool&gt;
 activate/deactivate edge compression.

--duplicate &lt;bool&gt;
 activate/deactivate duplication.

--file &lt;filename&gt;
 display provenance info of a file.

--track-file &lt;filename&gt; &lt;false/true/propagate&gt;
 set tracking.

--label-file &lt;filename&gt; &lt;string&gt;
 applies label to the file.

--opaque-file &lt;filename&gt; &lt;bool&gt;
 mark/unmark the file as opaque.

--process &lt;pid&gt;
 display provenance info of a process.

--track-process &lt;pid&gt; &lt;false/true/propagate&gt;
 set tracking.

--label-process &lt;pid&gt; &lt;string&gt;
 applies label to the process.

--opaque-process &lt;pid&gt; &lt;bool&gt;
 mark/unmark the process as opaque.

--track-ipv4-ingress &lt;ip/mask:port&gt; &lt;track/propagate/record/delete&gt;
 track/propagate on bind.

--track-ipv4-egress &lt;ip/mask:port&gt; &lt;track/propagate/record/delete&gt;
 track/propagate on connect.

--track-secctx &lt;security context&gt; &lt;track/propagate/opaque/delete&gt;
 track/propagate based on security context.

--track-cgroup &lt;cgroup ino&gt; &lt;track/propagate/delete&gt;
 track/propagate based on cgroup.

--track-user &lt;user name&gt; &lt;track/propagate/opaque/delete&gt;
 track/propagate based on user.

--track-group &lt;group name&gt; &lt;track/propagate/opaque/delete&gt;
 track/propagate based on group.

--node-filter &lt;type&gt; &lt;bool&gt;
 set node filter.

--edge-filter &lt;type&gt; &lt;bool&gt;
 set edge filter.

--node-propagate-filter &lt;type&gt; &lt;bool&gt;
 set propagate node filter.

--edge-propagate-filter &lt;type&gt; &lt;bool&gt;
 set propagate edge filter.

--reset-filter
 reset filters.

--channel &lt;string&gt;
 create a new relay channel (in /sys/kernel/debug/&lt;string&gt;).

--change-epoch
 change epoch.
</code></pre><p>We should check the current configuration state:</p>
<pre><code>$ camflow -s
Machine id: 1491436164
Policy hash: A49BD19BB2C51FF5C19CF4C3878531C59DFCA6956334620E537B978498625
Provenance capture:
- capture enabled;
- all disabled;
- provenance was captured;
- node compression enabled;
- edge compression enabled;
- duplication disabled;

Node filter (4000c80):
inode_unknown
directory
char
envp
Derived filter (0):
Generated filter (0):
Used filter (0):
Informed filter (0):

Propagate node filter (0):
Propagate derived filter (0):
Propagate generated filter (0):
Propagate used filter (0):
Propagate informed filter (0):

IPv4 ingress filter (0).
IPv4 egress filter (0).
Security context filter (0).
Namespace filter (0).
User filter (0).
Group filter (0).
</code></pre><p>The policy hash is based on the CamFlow version and the currently loaded capture policy. It can be used to quickly verify that two machines are running the same capture policy. It can also be obtained with <code>camflow -p</code>.</p>
<p>Let&rsquo;s try to capture the provenance generated by the well known tool <code>wget</code>. We want to track and propagate provenance from its executable. We can do so as follows:</p>
<pre><code>$ sudo camflow --track-file /bin/wget true
</code></pre><p>If we run <code>wget</code>, we should be able to obtain some provenance data:</p>
<pre><code>$ wget www.google.com
$ tail /tmp/audit.log
{&quot;prefix&quot;:{&quot;prov&quot; : &quot;http://www.w3.org/ns/prov&quot;, &quot;cf&quot;:&quot;http://www.camflow.org&quot;}, &quot;activity&quot;:{&quot;cf:AQAAAAAAAEBW5AEAAAAAABwAAAAHfl4eEAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;123990&quot;,&quot;prov:type&quot;:&quot;task&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:16,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;cf:uid&quot;:1000,&quot;cf:gid&quot;:1000,&quot;cf:pid&quot;:2578,&quot;cf:vpid&quot;:2578,&quot;cf:utsns&quot;:4026531838,&quot;cf:ipcns&quot;:4026531839,&quot;cf:mntns&quot;:4026531840,&quot;cf:pidns&quot;:4026531836,&quot;cf:netns&quot;:4026531993,&quot;cf:cgroupns&quot;:4026531835,&quot;cf:secctx&quot;:&quot;unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023&quot;,&quot;cf:utime&quot;:&quot;2329176&quot;,&quot;cf:stime&quot;:&quot;5129935&quot;,&quot;cf:vm&quot;:&quot;1839908&quot;,&quot;cf:rss&quot;:&quot;150492&quot;,&quot;cf:hw_vm&quot;:&quot;1841252&quot;,&quot;cf:hw_rss&quot;:&quot;222676&quot;,&quot;cf:rbytes&quot;:&quot;6860800&quot;,&quot;cf:wbytes&quot;:&quot;0&quot;,&quot;cf:cancel_wbytes&quot;:&quot;0&quot;,&quot;prov:label&quot;:&quot;[task] 16&quot;}}, &quot;entity&quot;:{&quot;cf:AAAIAAAAACCrXAMAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;220331&quot;,&quot;prov:type&quot;:&quot;file_name&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:0,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296339739&quot;,&quot;cf:pathname&quot;:&quot;/usr/share/atom/atom&quot;,&quot;prov:label&quot;:&quot;[path] /usr/share/atom/atom&quot;},&quot;cf:AAAIAAAAACCkXAMAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;220324&quot;,&quot;prov:type&quot;:&quot;file_name&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:0,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296339724&quot;,&quot;cf:pathname&quot;:&quot;/usr/share/publicsuffix/public_suffix_list.dafsa&quot;,&quot;prov:label&quot;:&quot;[path] /usr/share/publicsuffix/public_suffix_list.dafsa&quot;},&quot;cf:AACAAAAAACCmXAMAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;220326&quot;,&quot;prov:type&quot;:&quot;xattr&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:0,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296339736&quot;,&quot;cf:name&quot;:&quot;user.xdg.origin.url&quot;,&quot;cf:size&quot;:22,&quot;cf:flags&quot;:&quot;0x0&quot;,&quot;prov:label&quot;:&quot;[xattr] user.xdg.origin.url&quot;},&quot;cf:AAAIAAAAACCnXAMAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;220327&quot;,&quot;prov:type&quot;:&quot;file_name&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:0,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296339736&quot;,&quot;cf:pathname&quot;:&quot;/home/vagrant/workspace/camflow-dev/build/camflow-cli/index.html&quot;,&quot;prov:label&quot;:&quot;[path] /home/vagrant/workspace/camflow-dev/build/camflow-cli/index.html&quot;},&quot;cf:ABAAAAAAACBq5AEAAAAAABwAAAAHfl4eCwAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;124010&quot;,&quot;prov:type&quot;:&quot;fifo&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:version&quot;:11,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;cf:uid&quot;:1000,&quot;cf:gid&quot;:1000,&quot;cf:mode&quot;:&quot;0x1180&quot;,&quot;cf:secctx&quot;:&quot;unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023&quot;,&quot;cf:ino&quot;:39081,&quot;cf:uuid&quot;:&quot;e2392e0f-dab3-94bc-feb1-d1975fb2ea3e&quot;,&quot;prov:label&quot;:&quot;[fifo] 11&quot;}}, &quot;used&quot;:{&quot;cf:AAAAAgAAIID+AgAAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;766&quot;,&quot;prov:type&quot;:&quot;read&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;prov:label&quot;:&quot;read&quot;,&quot;cf:allowed&quot;:&quot;true&quot;,&quot;prov:entity&quot;:&quot;cf:ABAAAAAAACBq5AEAAAAAABwAAAAHfl4eCwAAAAAAAAA=&quot;,&quot;prov:activity&quot;:&quot;cf:AQAAAAAAAEBW5AEAAAAAABwAAAAHfl4eEAAAAAAAAAA=&quot;}}, &quot;wasGeneratedBy&quot;:{&quot;cf:ACAAAAAAQID8AgAAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;764&quot;,&quot;prov:type&quot;:&quot;write&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;prov:label&quot;:&quot;write&quot;,&quot;cf:allowed&quot;:&quot;true&quot;,&quot;prov:activity&quot;:&quot;cf:AQAAAAAAAEBW5AEAAAAAABwAAAAHfl4eDwAAAAAAAAA=&quot;,&quot;prov:entity&quot;:&quot;cf:ABAAAAAAACBq5AEAAAAAABwAAAAHfl4eCwAAAAAAAAA=&quot;}}, &quot;wasInformedBy&quot;:{&quot;cf:AAAAAACAEID9AgAAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;765&quot;,&quot;prov:type&quot;:&quot;version_activity&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;prov:label&quot;:&quot;version_activity&quot;,&quot;cf:allowed&quot;:&quot;true&quot;,&quot;prov:informant&quot;:&quot;cf:AQAAAAAAAEBW5AEAAAAAABwAAAAHfl4eDwAAAAAAAAA=&quot;,&quot;prov:informed&quot;:&quot;cf:AQAAAAAAAEBW5AEAAAAAABwAAAAHfl4eEAAAAAAAAAA=&quot;}}, &quot;wasDerivedFrom&quot;:{&quot;cf:AgAAAAAAgID7AgAAAAAAABwAAAAHfl4eAAAAAAAAAAA=&quot;:{&quot;cf:id&quot;:&quot;763&quot;,&quot;prov:type&quot;:&quot;version_entity&quot;,&quot;cf:boot_id&quot;:28,&quot;cf:machine_id&quot;:&quot;cf:509509127&quot;,&quot;cf:date&quot;:&quot;2017:09:25T21:11:46&quot;,&quot;cf:jiffies&quot;:&quot;4296340808&quot;,&quot;prov:label&quot;:&quot;version_entity&quot;,&quot;cf:allowed&quot;:&quot;true&quot;,&quot;prov:usedEntity&quot;:&quot;cf:ABAAAAAAACBq5AEAAAAAABwAAAAHfl4eCgAAAAAAAAA=&quot;,&quot;prov:generatedEntity&quot;:&quot;cf:ABAAAAAAACBq5AEAAAAAABwAAAAHfl4eCwAAAAAAAAA=&quot;}}}
</code></pre><p>We can see that some provenance JSON has indeed been generated. You can check <a href="#output_format">here</a> to see what this data means. Publishing the provenance is the job of <code>camflowd</code>, let&rsquo;s look at its configuration to understand what it is doing:</p>
<pre><code>$ cat /etc/camflowd.ini
[general]
; output=null
; output=mqtt
; output=unix_socket
; output=fifo
output=log

format=w3c
;format=spade_json

[log]
path=/tmp/audit.log

[mqtt]
address=m12.cloudmqtt.com:17065
username=camflow
password=test
; message delivered: 0 at most once, 1 at least once, 2 exactly once
qos=2

[unix]
address=/tmp/camflowd.sock

[fifo]
path=/tmp/camflowd-pipe
</code></pre><p>The system is clearly configured to publish the provenance to a log file, and this file has been specified to be <code>/tmp/audit.log</code>. If we were to publish our provenance to MQTT, we could visualise it in real time on our <a href="http://camflow.org/demo">demo website</a>. Note that changes to <code>camflowd</code> configuration require the system or the service to be restarted.</p>
<p>We have seen that we can edit the capture configuration via the command line. If we want something a bit more permanent and practical, we can edit <code>/etc/camflow.ini</code>. This file is read during the boot process by the <code>camconfd</code> service, and is used to set the capture policy. Let&rsquo;s have a look at this configuration file:</p>
<pre><code>$ cat /etc/camflow.ini
[provenance]
;unique identifier for the machine, use hostid if set to 0
machine_id=0
;enable provenance capture
enabled=true
;record provenance of all kernel object
all=false
node_filter=directory
node_filter=inode_unknown
node_filter=char
node_filter=envp
; propagate_node_filter=directory
; relation_filter=sh_read
; relation_filter=sh_write
; propagate_relation_filter=write

[compression]
; enable node compression
node=true
edge=true
duplicate=false

[file]
;set opaque file
opaque=/usr/bin/bash
;set tracked file
;track=/home/thomas/test.o
;propagate=/home/thomas/test.o

[ipv4−egress]
;propagate=0.0.0.0/0:80
;propagate=0.0.0.0/0:404
;record exchanged with local server
;record=127.0.0.1/32:80

[ipv4−ingress]
;propagate=0.0.0.0/0:80
;propagate=0.0.0.0/0:404
;record exchanged with local server
;record=127.0.0.1/32:80


[user]
;track=vagrant
;propagate=vagrant
;opaque=vagrant

[group]
;track=vagrant
;propagate=vagrant
;opaque=vagrant

[secctx]
;track=system_u:object_r:bin_t:s0
;propagate=system_u:object_r:bin_t:s0
;opaque=system_u:object_r:bin_t:s0
</code></pre>
    </div>
</section>

            



        
            
    <section class="page" id="configuration">
    <h1>
        <a href="#configuration">Configuration</a>
    </h1>
    <div class="content">
        
    </div>
</section>

    
            
                <section class="page" id="capture">
    <h1>
        <a href="#capture">Capture configuration</a>
    </h1>
    <div class="content">
        <h2 id="sample-configuration">Sample configuration</h2>
<p>One of the strengths of CamFlow is the ability to fine-tune the provenance information it captures.
Edit <code>/etc/camflow.ini</code> to modify the capture configuration.
To apply a new configuration, reboot the machine.</p>
<!-- raw HTML omitted -->
<p>Alternatively when developing policy you can experiment using <code>camflow</code> CLI (see <code>camflow -h</code>).
Policies defined through the CLI are not persisted in current release.</p>
<!-- raw HTML omitted -->
<p>Follows a sample <code>/etc/camflow.ini</code> configuration:</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-INI" data-lang="INI"><span style="color:#00a8c8">[provenance]</span>
<span style="color:#75715e">;unique identifier for the machine, use hostid if set to 0</span>
<span style="color:#75af00">machine_id</span><span style="color:#f92672">=</span><span style="color:#d88200">0</span>
<span style="color:#75715e">;enable provenance capture</span>
<span style="color:#75af00">enabled</span><span style="color:#f92672">=</span><span style="color:#d88200">true</span>
<span style="color:#75715e">;record provenance of all kernel object</span>
<span style="color:#75af00">all</span><span style="color:#f92672">=</span><span style="color:#d88200">false</span>
<span style="color:#75af00">node_filter</span><span style="color:#f92672">=</span><span style="color:#d88200">directory</span>
<span style="color:#75af00">node_filter</span><span style="color:#f92672">=</span><span style="color:#d88200">inode_unknown</span>
<span style="color:#75af00">node_filter</span><span style="color:#f92672">=</span><span style="color:#d88200">char</span>
<span style="color:#75af00">node_filter</span><span style="color:#f92672">=</span><span style="color:#d88200">envp</span>
<span style="color:#75715e">; propagate_node_filter=directory</span>
<span style="color:#75715e">; relation_filter=sh_read</span>
<span style="color:#75715e">; relation_filter=sh_write</span>
<span style="color:#75715e">; propagate_relation_filter=write</span>

<span style="color:#00a8c8">[compression]</span>
<span style="color:#75715e">; enable/disable versioning</span>
<span style="color:#75af00">version</span><span style="color:#f92672">=</span><span style="color:#d88200">true</span>
<span style="color:#75715e">; enable node compression</span>
<span style="color:#75af00">node</span><span style="color:#f92672">=</span><span style="color:#d88200">true</span>
<span style="color:#75715e">; enable edge compression</span>
<span style="color:#75af00">edge</span><span style="color:#f92672">=</span><span style="color:#d88200">true</span>
<span style="color:#75af00">duplicate</span><span style="color:#f92672">=</span><span style="color:#d88200">false</span>

<span style="color:#00a8c8">[file]</span>
<span style="color:#75715e">;set opaque file</span>
<span style="color:#75af00">opaque</span><span style="color:#f92672">=</span><span style="color:#d88200">/usr/bin/bash</span>
<span style="color:#75715e">;set tracked file</span>
<span style="color:#75715e">;track=/home/thomas/test.o</span>
<span style="color:#75715e">;propagate=/home/thomas/test.o</span>

<span style="color:#00a8c8">[ipv4−egress]</span>
<span style="color:#75715e">;propagate=0.0.0.0/0:80</span>
<span style="color:#75715e">;propagate=0.0.0.0/0:404</span>
<span style="color:#75715e">;record exchanged with local server</span>
<span style="color:#75715e">;record=127.0.0.1/32:80</span>

<span style="color:#00a8c8">[ipv4−ingress]</span>
<span style="color:#75715e">;propagate=0.0.0.0/0:80</span>
<span style="color:#75715e">;propagate=0.0.0.0/0:404</span>
<span style="color:#75715e">;record exchanged with local server</span>
<span style="color:#75715e">;record=127.0.0.1/32:80</span>


<span style="color:#00a8c8">[user]</span>
<span style="color:#75715e">;track=vagrant</span>
<span style="color:#75715e">;propagate=vagrant</span>
<span style="color:#75715e">;opaque=vagrant</span>

<span style="color:#00a8c8">[group]</span>
<span style="color:#75715e">;track=vagrant</span>
<span style="color:#75715e">;propagate=vagrant</span>
<span style="color:#75715e">;opaque=vagrant</span>

<span style="color:#00a8c8">[secctx]</span>
<span style="color:#75715e">;track=system_u:object_r:bin_t:s0</span>
<span style="color:#75715e">;propagate=system_u:object_r:bin_t:s0</span>
<span style="color:#75715e">;opaque=system_u:object_r:bin_t:s0</span>

<span style="color:#00a8c8">[relay]</span>
<span style="color:#75715e">; those parameters set the size of the kernel relay buffer</span>
<span style="color:#75715e">; more info about relay here:</span>
<span style="color:#75715e">; https://www.kernel.org/doc/html/latest/filesystems/relay.html</span>
<span style="color:#75715e">; size of relay buffer is equal to (1 &lt;&lt; buff_exp) * subuf_nb</span>
<span style="color:#75715e">; you may want to change this value if you observe event drops</span>
<span style="color:#75715e">; (i.e. graph with missing edges and nodes), you can check drops</span>
<span style="color:#75715e">; through the command:</span>
<span style="color:#75715e">; camflow --drop</span>
<span style="color:#75715e">; be careful when changing those values.</span>
<span style="color:#75af00">buff_exp</span><span style="color:#f92672">=</span><span style="color:#d88200">20</span>
<span style="color:#75af00">subuf_nb</span><span style="color:#f92672">=</span><span style="color:#d88200">8</span>
</code></pre></div><h2 id="configuration-parameters">Configuration parameters</h2>
<p>Following is a list of the parameters and their effects, broken down by section.
A &ldquo;boolean&rdquo; parameter accepts values &ldquo;true&rdquo; or &ldquo;false&rdquo;.</p>
<h3 id="provenance">provenance</h3>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>machine_id</code></td>
<td>unique identifier for the machine in provenance records, use hostid if set to 0</td>
</tr>
<tr>
<td><code>enabled</code></td>
<td>boolean; enable provenance capture? if false, the rest of the parameters do not matter</td>
</tr>
<tr>
<td><code>all</code></td>
<td>boolean; capture provenance of all kernel objects?</td>
</tr>
<tr>
<td><code>node_filter</code></td>
<td>do not capture this kind of node (i.e. vertex)</td>
</tr>
<tr>
<td><code>relation_filter</code></td>
<td>do not capture this kind of relation (i.e. edge)</td>
</tr>
<tr>
<td><code>propagate_node_filter</code></td>
<td>do not propagate tracking through this kind of node (i.e. vertex)</td>
</tr>
<tr>
<td><code>propagate_relation_filter</code></td>
<td>do not propagate tracking through this kind of relation (i.e. edge)</td>
</tr>
</tbody>
</table>
<h4 id="all">all</h4>
<table>
<thead>
<tr>
<th>value</th>
<th>effect</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>true</code></td>
<td>capture provenance for all objects</td>
</tr>
<tr>
<td><code>false</code></td>
<td>capture no provenance except for indicated objects (specified via <code>file</code>, <code>ipv4-ingress</code>, etc.)</td>
</tr>
</tbody>
</table>
<p>In either case the provenance record is affected by:</p>
<ul>
<li>graph filters (<code>node_filter</code>, <code>propagate_node_filter</code>, etc.)</li>
<li>any object marked <code>opaque</code></li>
</ul>
<h4 id="node_filter">node_filter</h4>
<p>You can specify the node_filter parameter multiple times, with a different node type each time.
See <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/VERTICES.md">here</a> for the list of supported node types.</p>
<h4 id="relation_filter">relation_filter</h4>
<p>You can specify the relation_filter parameter multiple times, with a different relation type each time.
See <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/RELATIONS.md">here</a> for the list of supported relation types.</p>
<h4 id="propagate_node_filter">propagate_node_filter</h4>
<p>As with node_filter, you can specify this parameter multiple times for various node types.</p>
<h4 id="propagate_relation_filter">propagate_relation_filter</h4>
<p>As with relation_filter, you can specify this parameter multiple times for various relation types.</p>
<!-- raw HTML omitted -->
<p>No provenance records are emitted for nodes (relations) indicated by <code>X_filter=Y</code>.
For nodes (relations) indicated by <code>propagate_X_filter=Y</code>, records will be emitted but tracking will not be propagated through them.</p>
<!-- raw HTML omitted -->
<h3 id="compression">compression</h3>
<p>&ldquo;Compressing&rdquo; provenance means emitting as few provenance records as possible to capture an interaction.
For example, if a process reads a file three times, then a compressed provenance record would contain only one read relation while a complete provenance record would contain three relations.</p>
<p>This is desirable if the goal of provenance collection is to build a provenance graph.
However, if you are trying to perform a security audit, then the fact and timing of multiple accesses may be of interest.
In this example compression may be undesirable.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>node</code></td>
<td>boolean; if true only create a new version of an object to avoid a cycle, if false create a new version on any object state change (i.e. when receiving information from other objects)</td>
</tr>
<tr>
<td><code>edge</code></td>
<td>boolean; if true do not repeat multiple consecutive edges of the same type</td>
</tr>
<tr>
<td><code>duplicate</code></td>
<td>boolean; if true publish the vertex pair associated with a relation when publishing that relation, if false omit any previously-published vertices</td>
</tr>
</tbody>
</table>
<h3 id="file">file</h3>
<p>This describes provenance capture behavior for files.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>opaque</code></td>
<td>provenance is not captured for any interactions with this file</td>
</tr>
<tr>
<td><code>track</code></td>
<td>directly track any information flow to/from this file and any process resulting from its execution</td>
</tr>
<tr>
<td><code>propagate</code></td>
<td>transitively track any information flow to/from this file</td>
</tr>
</tbody>
</table>
<h4 id="track">track</h4>
<p>Use <code>track</code> if you want the provenance information to include every time this file is read or written.</p>
<h4 id="propagate">propagate</h4>
<p>Use <code>propagate</code> if you want the provenance information to track the flow of data out of this file, through other processes, into other files, etc.</p>
<h3 id="ipv4-egress">ipv4-egress</h3>
<p>Track information leaving the system being monitored (<code>connect</code>).</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>propagate</code></td>
<td>similar to file, but for data sent to this IPv4 address</td>
</tr>
<tr>
<td><code>record</code></td>
<td>like <code>propagate</code>, but also capture packet content</td>
</tr>
</tbody>
</table>
<p>Specify an IPv4 address using the format <code>&lt;ip&gt;/&lt;mask&gt;:&lt;port&gt;</code>.</p>
<h3 id="ipv4-ingress">ipv4-ingress</h3>
<p>Track information entering the system being monitored (<code>bind</code>).</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>propagate</code></td>
<td>see ipv4-egress</td>
</tr>
<tr>
<td><code>record</code></td>
<td>see ipv4-egress</td>
</tr>
</tbody>
</table>
<h3 id="user">user</h3>
<p>Like <code>file</code>, but for users.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>opaque</code></td>
<td>similar to file, but for this username</td>
</tr>
<tr>
<td><code>track</code></td>
<td>&quot;</td>
</tr>
<tr>
<td><code>propagate</code></td>
<td>&quot;</td>
</tr>
</tbody>
</table>
<h3 id="group">group</h3>
<p>Like <code>file</code>, but for groups.</p>
<h3 id="secctx">secctx</h3>
<p>Same as <code>file</code>, but for security contexts.</p>
<p>Specify a security context using the format of the main Linux Security Module of the system (see <a href="https://selinuxproject.org/page/NB_SC">here</a> for SELinux).</p>
<!-- raw HTML omitted -->
<p>Further information about these parameters may be gleaned by perusing the <a href="https://github.com/CamFlow/camflow-dev/tree/master/security/provenance/include">header files</a> in the kernel module.</p>
<!-- raw HTML omitted -->
<h3 id="relay">relay</h3>
<p>This set the size of the kernel relay buffer.</p>
<!-- raw HTML omitted -->
<p>If you notice event losses, do adjust this parameters (this may happen with systems under heavy workload).
You can check the number of dropped events using <code>camflow --drop</code>.</p>
<!-- raw HTML omitted -->

    </div>
</section>

            
                <section class="page" id="recording">
    <h1>
        <a href="#recording">Recording configuration</a>
    </h1>
    <div class="content">
        <p>After CamFlow captures provenance, you can configure <em>where</em> and <em>in what format</em> the provenance information is published.</p>
<p>The configuration file is <code>/etc/camflowd.ini</code>.</p>
<p>To apply a new configuration, run <code>systemctl restart camflowd.service</code>.</p>
<h2 id="sample-configuration">Sample configuration</h2>
<p>Here is a sample <code>/etc/camflowd.ini</code> configuration.</p>
<div class="highlight"><pre style="color:#272822;background-color:#fafafa;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-INI" data-lang="INI"><span style="color:#00a8c8">[general]</span>
<span style="color:#75715e">;output=null</span>
<span style="color:#75715e">;output=mqtt</span>
<span style="color:#75715e">;output=unix_socket</span>
<span style="color:#75715e">;output=fifo</span>
<span style="color:#75af00">output</span><span style="color:#f92672">=</span><span style="color:#d88200">log</span>

<span style="color:#75715e">;format=w3c</span>
<span style="color:#75af00">format</span><span style="color:#f92672">=</span><span style="color:#d88200">spade_json</span>

<span style="color:#00a8c8">[log]</span>
<span style="color:#75af00">path</span><span style="color:#f92672">=</span><span style="color:#d88200">/tmp/audit.log</span>

<span style="color:#00a8c8">[mqtt]</span>
<span style="color:#75af00">address</span><span style="color:#f92672">=</span><span style="color:#d88200">m12.cloudmqtt.com:17065</span>
<span style="color:#75af00">username</span><span style="color:#f92672">=</span><span style="color:#d88200">camflow</span>
<span style="color:#75af00">password</span><span style="color:#f92672">=</span><span style="color:#d88200">test</span>
<span style="color:#75715e">; message delivered: 0 at most once, 1 at least once, 2 exactly once</span>
<span style="color:#75af00">qos</span><span style="color:#f92672">=</span><span style="color:#d88200">2</span>
<span style="color:#75715e">; topic, provided prefix + machine_id (e.g. camflow/provenance/1234)</span>
<span style="color:#75af00">topic</span><span style="color:#f92672">=</span><span style="color:#d88200">camflow/provenance/</span>

<span style="color:#00a8c8">[unix]</span>
<span style="color:#75af00">address</span><span style="color:#f92672">=</span><span style="color:#d88200">/tmp/camflowd.sock</span>

<span style="color:#00a8c8">[fifo]</span>
<span style="color:#75af00">path</span><span style="color:#f92672">=</span><span style="color:#d88200">/tmp/camflowd-pipe</span>
</code></pre></div><h2 id="configuration-parameters">Configuration parameters</h2>
<p>Following is a list of the parameters and their effects, broken down by section.</p>
<h3 id="general">general</h3>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>output</code></td>
<td>where to publish provenance records?</td>
</tr>
<tr>
<td><code>format</code></td>
<td>in what format to publish provenance records?</td>
</tr>
</tbody>
</table>
<h4 id="output">output</h4>
<table>
<thead>
<tr>
<th>value</th>
<th>effect</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>null</code></td>
<td>discard provenance records</td>
</tr>
<tr>
<td><code>mqtt</code></td>
<td>publish to an MQTT service</td>
</tr>
<tr>
<td><code>unix_socket</code></td>
<td>publish to a UNIX socket</td>
</tr>
<tr>
<td><code>fifo</code></td>
<td>publish to a named pipe (&ldquo;FIFO&rdquo;)</td>
</tr>
<tr>
<td><code>log</code></td>
<td>publish to a log file</td>
</tr>
</tbody>
</table>
<h4 id="format">format</h4>
<table>
<thead>
<tr>
<th>value</th>
<th>effect</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>w3c</code></td>
<td>use <a href="./w3c.md">w3c PROV-JSON</a> format</td>
</tr>
<tr>
<td><code>spade_json</code></td>
<td>use <a href="https://github.com/ashish-gehani/SPADE/wiki/Reporting-provenance-using-JSON">SPADE JSON</a> format</td>
</tr>
</tbody>
</table>
<h3 id="log">log</h3>
<p>If <code>output=log</code>, these parameters take effect.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>path</code></td>
<td>publish to this file</td>
</tr>
</tbody>
</table>
<h3 id="mqtt">mqtt</h3>
<p>If <code>output=mqtt</code>, these parameters take effect.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>address</code></td>
<td>MQTT broker</td>
</tr>
<tr>
<td><code>username</code></td>
<td>credentials</td>
</tr>
<tr>
<td><code>password</code></td>
<td>credentials</td>
</tr>
<tr>
<td><code>qos</code></td>
<td>delivery guarantees</td>
</tr>
</tbody>
</table>
<h4 id="qos">qos</h4>
<p>For each record, publish to broker&hellip;</p>
<table>
<thead>
<tr>
<th>value</th>
<th>effect</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>at most once</td>
</tr>
<tr>
<td>1</td>
<td>at least once</td>
</tr>
<tr>
<td>2</td>
<td>exactly once</td>
</tr>
</tbody>
</table>
<h3 id="unix_socket">unix_socket</h3>
<p>If <code>output=unix_socket</code>, these parameters take effect.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>address</code></td>
<td>publish to the socket at this path</td>
</tr>
</tbody>
</table>
<h3 id="fifo">fifo</h3>
<p>If <code>output=fifo</code>, these parameters take effect.</p>
<table>
<thead>
<tr>
<th>parameter</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>path</code></td>
<td>publish to the fifo at this path</td>
</tr>
</tbody>
</table>

    </div>
</section>

            



        
            
    <section class="page" id="output_format">
    <h1>
        <a href="#output_format">Output format</a>
    </h1>
    <div class="content">
        <p>The output generated by <a href="https://github.com/CamFlow/camflowd">camflowd</a> supports two formats: <a href="https://www.w3.org/Submission/2013/SUBM-prov-json-20130424/">W3C PROV-JSON</a> format and the <a href="https://github.com/ashish-gehani/SPADE/wiki/Reporting-provenance-using-JSON">SPADE JSON</a> format.</p>
<!-- raw HTML omitted -->
<p>The W3C PROV output is not a single JSON object, but rather a collection of objects each representing an arbitrary sub-part of the graph.</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>SPADE JSON is CamFlow default output. One can change this setting by <a href="http://localhost:1313/#recording">modifying camflowd configuration</a>.</p>
<!-- raw HTML omitted -->

    </div>
</section>

    
            
                <section class="page" id="examples">
    <h1>
        <a href="#examples">Examples</a>
    </h1>
    <div class="content">
        <p><em>Example of an inode vertex in W3C PROV format:</em></p>
<pre><code>&quot;ABAAAAAAACAe9wIAAAAAAE7aeaI+200UAAAAAAAAAAA=&quot;: {
    &quot;cf:id&quot;: &quot;194334&quot;,
    &quot;prov:type&quot;: &quot;fifo&quot;,
    &quot;cf:boot_id&quot;: 2725894734,
    &quot;cf:machine_id&quot;: 340646718,
    &quot;cf:version&quot;: 0,
    &quot;cf:date&quot;: &quot;2017:01:03T16:43:30&quot;,
    &quot;cf:jiffies&quot;: &quot;4297436711&quot;,
    &quot;cf:uid&quot;: 1000,
    &quot;cf:gid&quot;: 1000,
    &quot;cf:mode&quot;: &quot;0x1180&quot;,
    &quot;cf:secctx&quot;: &quot;unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023&quot;,
    &quot;cf:ino&quot;: 51964,
    &quot;cf:uuid&quot;: &quot;32b7218a-01a0-c7c9-17b1-666f200b8912&quot;,
    &quot;prov:label&quot;: &quot;[fifo] 0&quot;
}
</code></pre><p><em>Example of an inode vertex in SPADE JSON format:</em></p>
<pre><code>{
  &quot;type&quot;:&quot;Entity&quot;,
  &quot;id&quot;:&quot;ACAAAAAAACDZtAAAAAAAAAEAAACVwxEABgAAAAAAAAA=&quot;,
  &quot;annotations&quot;:
  {
    &quot;object_id&quot;:&quot;46297&quot;,
    &quot;object_type&quot;:&quot;socket&quot;,
    &quot;boot_id&quot;:1,
    &quot;cf:machine_id&quot;:&quot;cf:1164181&quot;,
    &quot;version&quot;:6,&quot;cf:date&quot;:&quot;2020:07:11T10:41:28&quot;,
    &quot;epoch&quot;:2,
    &quot;uid&quot;:0,
    &quot;gid&quot;:0,
    &quot;mode&quot;:&quot;0xc1ff&quot;,
    &quot;secctx&quot;:&quot;system_u:object_r:unlabeled_t:s0&quot;,
    &quot;ino&quot;:18274,
    &quot;uuid&quot;:&quot;00000000-0000-0000-0000-000000000000&quot;
  }
}
</code></pre><p><em>Example of a write edge in W3C PROV format:</em></p>
<pre><code>&quot;QAAAAAAAQIANAAAAAAAAAE7aeaI+200UAAAAAAAAAAA=&quot;: {
    &quot;cf:id&quot;: &quot;13&quot;,
    &quot;prov:type&quot;: &quot;write&quot;,
    &quot;cf:boot_id&quot;: 2725894734,
    &quot;cf:machine_id&quot;: 340646718,
    &quot;cf:date&quot;: &quot;2017:01:03T16:43:30&quot;,
    &quot;cf:jiffies&quot;: &quot;4297436711&quot;,
    &quot;prov:label&quot;: &quot;write&quot;,
    &quot;cf:allowed&quot;: &quot;true&quot;,
    &quot;prov:activity&quot;: &quot;AQAAAAAAAEAf9wIAAAAAAE7aeaI+200UAQAAAAAAAAA=&quot;,
    &quot;prov:entity&quot;: &quot;ABAAAAAAACAe9wIAAAAAAE7aeaI+200UAQAAAAAAAAA=&quot;,
    &quot;cf:offset&quot;: &quot;0&quot;
}
</code></pre><p><em>Example of a write edge in SPADE JSON format:</em></p>
<pre><code>{
  &quot;type&quot;:&quot;WasGeneratedBy&quot;,
  &quot;from&quot;:&quot;ABAAAAAAACCi2wAAAAAAAAEAAACVwxEAAQAAAAAAAAA=&quot;,
  &quot;to&quot;:&quot;AQAAAAAAAECk2wAAAAAAAAEAAACVwxEACQAAAAAAAAA=&quot;,
  &quot;annotations&quot;:
  {
    &quot;id&quot;:&quot;IAAAAAAAQID0CwAAAAAAAAEAAACVwxEAAAAAAAAAAAA=&quot;,
    &quot;relation_id&quot;:&quot;3060&quot;,
    &quot;relation_type&quot;:&quot;write&quot;,
    &quot;boot_id&quot;:1,
    &quot;cf:machine_id&quot;:&quot;cf:1164181&quot;,
    &quot;cf:date&quot;:&quot;2020:07:11T10:41:28&quot;,
    &quot;epoch&quot;:2,
    &quot;jiffies&quot;:&quot;4294759940&quot;,
    &quot;allowed&quot;:&quot;true&quot;,
    &quot;flags&quot;:&quot;2&quot;,
    &quot;task_id&quot;:&quot;56228&quot;,
    &quot;from_type&quot;:&quot;pipe&quot;,
    &quot;to_type&quot;:&quot;task&quot;
  }
}
</code></pre><!-- raw HTML omitted -->
<p>Vertex and edge attributes within the <code>prov:</code> namespace are described in the <a href="https://www.w3.org/Submission/2013/SUBM-prov-json-20130424/">W3C PROV-JSON documentation</a>.
The permissible values for the <code>prov:type</code> are described <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/RELATIONS.md">for relations</a> and <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/VERTICES.md">for vertices</a>.
We describe in the next section the attributes within the <code>cf:</code> (<strong>C</strong>am<strong>F</strong>low) namespace.</p>
<!-- raw HTML omitted -->

    </div>
</section>

            
                <section class="page" id="attributes">
    <h1>
        <a href="#attributes">Attributes</a>
    </h1>
    <div class="content">
        <p><strong>cf:machine_id</strong> machine unique identifier. (uint32)</p>
<p><strong>cf:boot_id</strong> boot identifier, unique per machine. (uint32)</p>
<p><strong>cf:id</strong> vertex/edge identifier, unique per boot+machine. (uint64)</p>
<p><strong>cf:date</strong> date captured when vertex/edge is recorded in userspace. (string)</p>
<p><strong>cf:jiffies</strong> <a href="http://www.makelinux.net/ldd3/chp-7-sect-1">jiffies</a> captured when vertex/edge is recorded in kernel (uint64)</p>
<h2 id="edge-attributes">Edge attributes</h2>
<p><strong>cf:offset</strong> offset on file object (int64)</p>
<h2 id="vertex-attributes">Vertex attributes</h2>
<p><strong>cf:version</strong> object version (version correspond to a state of an object). (uint32)</p>
<p><strong>cf:uid</strong> <a href="https://en.wikipedia.org/wiki/User_identifier">user ID</a>. (uint32)</p>
<p><strong>cf:gid</strong> <a href="https://en.wikipedia.org/wiki/Group_identifier">group ID</a>. (uint32)</p>
<p><strong>cf:pid</strong> <a href="https://en.wikipedia.org/wiki/Process_identifier">process identifier</a>. (uint32)</p>
<p><strong>cf:vpid</strong> <a href="https://lwn.net/Articles/259217/">virtual process identifier</a>. (uint32)</p>
<p><strong>cf:XXXns</strong> ino corresponding to a given <a href="http://man7.org/linux/man-pages/man7/namespaces.7.html">namespace</a>. (uint32)</p>
<p><strong>cf:secctx</strong> security context as defined by the major <a href="https://www.kernel.org/doc/Documentation/security/LSM.txt">linux security module</a> (e.g. <a href="https://fedoraproject.org/wiki/Security_context">SELinux</a>, <a href="http://wiki.apparmor.net/index.php/AppArmorInterfaces#Security_contexts">AppArmor</a> depending on your distribution). (string)</p>
<p><strong>cf:mode</strong> inode mode. (uint32)</p>
<p><strong>cf:ino</strong> inode number. (uint32)</p>
<p><strong>cf:uuid</strong> <a href="http://www.linfo.org/superblock">superblock</a> uuid. (uuid)</p>
<p><strong>cf:length</strong> size of path/value/name/content attribute when present. (uint32)</p>
<p><strong>cf:valid</strong> iattribute valid value. (uint32)</p>
<p><strong>cf:atime</strong> access time. (int64)</p>
<p><strong>cf:ctime</strong> change time. (int64)</p>
<p><strong>cf:mtime</strong> modification time. (int64)</p>
<p><strong>cf:truncated</strong> if the value/name/content have been truncated. (boolean)</p>
<p><strong>cf:content</strong> IP packet content value. (binary)</p>
<p><strong>cf:seq</strong> IP sequence number. (uint32)</p>
<p><strong>cf:sender</strong> packet sender IP address. (string)</p>
<p><strong>cf:receiver</strong> packet receiver IP address. (string)</p>
<p><strong>cf:address</strong> IP address. (JSON struct)</p>
<p><strong>cf:pathname</strong> pathname. (string)</p>
<p><strong>cf:value</strong> environment/argument variable value. (string)</p>

    </div>
</section>

            
                <section class="page" id="formal">
    <h1>
        <a href="#formal">Formal modelling</a>
    </h1>
    <div class="content">
        <p>We are exploring means to formally model the provenance generated by CamFlow capture system.
This is achieved by performing static analysis of the kernel source code.
We have made available the models corresponding to <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/HOOKS.md">LSM hooks</a> and <a href="https://github.com/CamFlow/camflow-dev/blob/master/docs/COVERAGE.md">system calls</a>.
The models are also available in raw <a href="https://github.com/CamFlow/camflow-dev/tree/master/docs/dot">dot format</a>.
An early description of the process is described in our <a href="./publications/ccs-2018.pdf">CCS'18 paper</a>.</p>

    </div>
</section>

            



        
            
    <section class="page" id="query">
    <h1>
        <a href="#query">CamQuery</a>
    </h1>
    <div class="content">
        <p>The concept behind CamQuery is described in our <a href="http://camflow.org/publications/ccs-2018.pdf">CCS'18 paper</a>.</p>
<!-- raw HTML omitted -->
<p>This section is under construction as we work further on this aspect of the project.
If you encounter any difficulty, please contact <a href="https://tfjmp.org/">Thomas Pasquier</a>!</p>
<!-- raw HTML omitted -->
<p>We assume a machine with CamFlow newly installed and running.
To build and load the demo query, do as follow:</p>
<pre><code>git clone https://github.com/camflow/libcamquery
cd libcamquery
make build
make load
</code></pre><p>You may need to install dependencies such as <code>elfutils-libelf-devel</code>.</p>
<p>To test that the query has been properly loaded:</p>
<pre><code>dmesg
</code></pre><p>You should see the following entries:</p>
<pre><code>Provenance: loading new query... (My Example Query)
Hello World!
Provenance: registering policy hook...
</code></pre><p>By default CamFlow does not generate provenance. We are going to change its configuration (more info <a href="https://github.com/CamFlow/documentation/blob/master/docs/configuration.md">here</a>).</p>
<pre><code>sudo camflow -a true
sudo camflow -a false
</code></pre><p>Those commands turned on and off whole-system provenance capture. You now run:</p>
<pre><code>dmesg
</code></pre><p>You should see a list of edges and vertices.</p>

    </div>
</section>




        
            
    <section class="page" id="publications">
    <h1>
        <a href="#publications">Publications</a>
    </h1>
    <div class="content">
        <p>CamFlow is discussed in the following publications.
Details given in these papers may be outdated &ndash; please refer to the code if in doubt or contact us.</p>
<!-- raw HTML omitted -->
<p>Using <a href="./publications/socc-2017.pdf">CamFlow</a> in your paper? Cite the following paper:</p>
<pre><code>@inproceedings{pasquier-socc2017,
	title = {Practical Whole-System Provenance Capture},
	booktitle = {Symposium on Cloud Computing (SoCC{\textquoteright}17)},
	year = {2017}
	organization = {ACM},
	author = {Pasquier, Thomas and Xueyuan Han and Goldstein, Mark and Moyer, Thomas and Eyers, David and Margo Seltzer and Bacon, Jean}
}
</code></pre><p>If you are using <a href="./publications/ccs-2018.pdf">CamQuery</a>, please do cite the following paper:</p>
<pre><code>@inproceedings{pasquier2018ccs,
	title={Runtime Analysis of Whole-System Provenance},
	author={Pasquier, Thomas and Han, Xueyuan and Moyer, Thomas and Bates, Adam and Hermant, Olivier and Eyers, David and Bacon, Jean and Seltzer, Margo},
	booktitle={Conference on Computer and Communications Security (CCS'18)},
	year={2018},
	organization={ACM}
}
</code></pre><!-- raw HTML omitted -->

    </div>
</section>

    
            
                <section class="page" id="publications_capture">
    <h1>
        <a href="#publications_capture">Capture</a>
    </h1>
    <div class="content">
        <p>[4] Pasquier T., Han X., Moyer T., Bates A.,  Eyers D., Hermant O., Bacon J. and  Seltzer M. <!-- raw HTML omitted -->Runtime Analysis of Whole-System Provenance<!-- raw HTML omitted -->. Conference on Computer and Communications Security (CCS'18) (2018), ACM. <a href="./publications/ccs-2018.pdf">pdf</a> <a href="./citations/ccs-2018.bib">bib</a> <a href="http://tfjmp.org/talk/2018-css/">video</a></p>
<p>[3] Pasquier T., Han X., Goldstein M., Moyer T., Eyers D., Seltzer M. and Bacon J. <!-- raw HTML omitted -->Practical Whole-System Provenance Capture<!-- raw HTML omitted -->. Symposium on Cloud Computing (SoCC'17) (2017), ACM. <a href="./publications/socc-2017.pdf">pdf</a> <a href="./citations/socc-2017.bib">bib</a> <a href="./posters/socc-2017.pdf">poster</a></p>
<p>[2] Pasquier T., Singh J., , Bacon J., and Eyers D. <!-- raw HTML omitted -->Information Flow Audit for PaaS Clouds<!-- raw HTML omitted -->. In International Conference on Cloud Engineering (IC2E'16) (2016), IEEE. <a href="./publications/ic2e-2016.pdf">pdf</a> <a href="./citations/ic2e-2016.bib">bib</a></p>
<p>[1] Pasquier T., Singh J., Eyers D., and Bacon J. <!-- raw HTML omitted -->CamFlow: Managed Data-Sharing for Cloud Services<!-- raw HTML omitted -->. IEEE Transactions on Cloud Computing (TCC) (2015), IEEE. <a href="./publications/tcc-2015.pdf">pdf</a> <a href="./citations/tcc-2015.bib">bib</a></p>

    </div>
</section>

            
                <section class="page" id="publications_usecases">
    <h1>
        <a href="#publications_usecases">Applications</a>
    </h1>
    <div class="content">
        <p>[9] Han X., Pasquier T., Bates A., Mickens J. and Seltzer M. <!-- raw HTML omitted -->UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats<!-- raw HTML omitted -->. Network and Distributed System Security Symposium (NDSS'20) (2020). <a href="./publications/2020-ndss.pdf">pdf</a> <a href="./citations/2020-ndss.bib">bib</a> <a href="https://www.youtube.com/watch?v=B9ACkb320s0">video</a></p>
<p>[8] Han X., Mickens J., Gehani A., Seltzer M. and Pasquier T. <!-- raw HTML omitted -->Xanthus: Push-button Orchestration of Host Provenance Data Collection<!-- raw HTML omitted -->. International Workshop on Practical Reproducible Evaluation of Systems (P-RECS'20) (2020). <a href="./publications/2020-precs.pdf">pdf</a> <a href="./citations/2020-precs.bib">bib</a></p>
<p>[7] G. Ayoade, A. Khandakar, S. Pracheta, G. Yang, A. Anmol, J. Kangkook, K. Latifur, and S. Anoop. <!-- raw HTML omitted -->Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning<!-- raw HTML omitted -->. Conference on Communications and Network Security (CNS'20) (2020). <a href="https://ieeexplore.ieee.org/abstract/document/9162264?casa_token=Ou1p7TqBNKIAAAAA:k77G2HXhG2EbMg0MmwpeIEr0yIGh6PE2VwCPL5J-Y-F6EHLsU7rSNMEcDtYcE5fufYGnogmgXQ">article</a> <a href="./citations/2020-cns.bib">bib</a></p>
<p>[7] Chan S. C., Cheney J., Bhatotia P., Gehani A., Irshad H., Pasquier T., Carata L. and Seltzer M. <!-- raw HTML omitted -->ProvMark: A Provenance Expressiveness Benchmarking System<!-- raw HTML omitted -->. International Middleware Conference (Middleware'19) (2019), ACM/IFIP. <a href="./publications/mw-2019.pdf">pdf</a> <a href="./citations/mw-2019.bib">bib</a></p>
<p>[6] Pasquier T., Eyers D. and Seltzer M. <!-- raw HTML omitted -->From Here to Provtopia<!-- raw HTML omitted -->. VLDB Workshop on Towards Polystores that manage multiple Databases, Privacy, Security and/or Policy Issues for Heterogenous Data (Poly'19) (2019), Springer. <a href="./publications/poly-2019.pdf">pdf</a> <a href="./citations/poly-2019.bib">bib</a></p>
<p>[5] Englbrecht L., Langner G., Pernul G. and Quirchmayr G. <!-- raw HTML omitted --> Enhancing credibility of digital evidence through provenance-based incident response handling<!-- raw HTML omitted -->. International Conference on Availability, Reliability and Security (ARES'19), ACM. <a href="https://dl.acm.org/ft_gateway.cfm?id=3339275&amp;ftid=2079332&amp;dwn=1&amp;#URLTOKEN">pdf</a> <a href="https://dl.acm.org/downformats.cfm?id=3339275&amp;parent_id=3339252&amp;expformat=bibtex">bib</a></p>
<p>[4] Han X., Pasquier T. and Seltzer M. <!-- raw HTML omitted -->Provenance-based Intrusion Detection: Opportunities and Challenges<!-- raw HTML omitted -->. Workshop on the Theory and Practice of Provenance (TaPP'18) (2018), USENIX. <a href="./publications/tapp-2018.pdf">pdf</a> <a href="./citations/tapp-2018.bib">bib</a> <a href="https://www.usenix.org/conference/tapp2018/presentation/han">website</a></p>
<p>[3] Wang F., Joung Y., and Mickens J. <!-- raw HTML omitted -->Cobweb: Practical Remote Attestation Using Contextual Graphs<!-- raw HTML omitted -->. Workshop on System Software for Trusted Execution (SysTEX'17) (2017), ACM. <a href="https://mickens.seas.harvard.edu/files/mickens/files/cobweb.pdf">pdf</a> <a href="https://dl.acm.org/downformats.cfm?id=3152705&amp;parent_id=3152701&amp;expformat=bibtex&amp;CFID=837880949&amp;CFTOKEN=91832166">bib</a></p>
<p>[2] Han X., Pasquier T., Ranjan T., Goldstein M., and Seltzer M. <!-- raw HTML omitted -->FRAPpuccino: Fault-detection through Runtime Analysis of Provenance<!-- raw HTML omitted -->. Workshop on Hot Topics in Cloud Computing (HotCloud'17) (2017), USENIX. <a href="./publications/hotcloud-2017.pdf">pdf</a> <a href="./citations/hotcloud-2017.bib">bib</a> <a href="https://www.usenix.org/conference/hotcloud17/program/presentation/han">website</a> <a href="./posters/hotcloud-2017.pdf">poster</a></p>
<p>[1] Pasquier T.  and Eyers D. <!-- raw HTML omitted -->Information Flow Audit for Transparency and Compliance in the Handling of Personal Data<!-- raw HTML omitted -->. IC2E International Workshop on Legal and Technical Issues in Cloud Computing (CLaw'16) (2016),  IEEE. <a href="./publications/claw-2016.pdf">pdf</a> <a href="./citations/claw-2016.bib">bib</a></p>

    </div>
</section>

            



        
    
</div>
</body>
</html>