Knowing Where Your Input Is From: Kernel-Level Data-Provenance Verification
Source: Virginia Tech
This paper describes a cryptographic provenance verification approach for ensuring system properties and system-data integrity at the kernel level. Two concrete applications are demonstrated: malware traffic detection and keystroke-based bot identification. Specifically, the authors first demonstrate the provenance verification approach by realizing a lightweight framework for blocking outbound malware traffic. This traffic-monitoring framework leverages the differences between legitimate user traffic and malware traffic as observed at the kernel level, and provides a powerful checkpoint for examining all outbound traffic of a host that cannot be bypassed.
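As an added illustration, not the paper's own code, the following Python sketch models the provenance idea in user space: a simulated kernel component HMAC-tags each user-input event with a key that only the outbound-traffic checkpoint shares, and the checkpoint admits a request only if it carries a fresh, unreplayed, valid tag, so traffic that malware generates without a real input event is blocked. The key, the tag format, the tag lifetime and the request shape are assumptions made for this example.

```python
import hmac
import hashlib
import os

# Assumption for the example: a secret held in the kernel and shared only with
# the outbound checkpoint; user-space code (and malware) never sees it.
KERNEL_KEY = os.urandom(32)
TAG_LIFETIME_S = 2.0  # how long a tagged input event may justify outbound traffic

def tag_input_event(key, event_id, ts):
    """Simulate the kernel attaching an HMAC provenance tag to one input event."""
    msg = f"{event_id}:{ts:.6f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_outbound(key, request, now, seen):
    """Checkpoint decision for one outbound request.

    request: dict with 'dst' and an optional 'prov' = (event_id, ts, tag).
    seen: set of (event_id, ts) pairs already accepted, used to reject replay.
    Returns (allowed, reason).
    """
    prov = request.get("prov")
    if prov is None:
        return False, "no provenance tag: not traceable to user input"
    event_id, ts, tag = prov
    if now - ts > TAG_LIFETIME_S:
        return False, "stale tag"
    if (event_id, ts) in seen:
        return False, "replayed tag"
    expected = tag_input_event(key, event_id, ts)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "invalid tag"
    seen.add((event_id, ts))
    return True, "ok"

def simulate(key=KERNEL_KEY):
    """Run constructed cases through the checkpoint and return the decisions."""
    seen = set()
    t0 = 1000.0
    good = ("kbd-17", t0, tag_input_event(key, "kbd-17", t0))      # real keystroke
    forged = ("kbd-99", t0, tag_input_event(b"guess", "kbd-99", t0))  # malware guesses key
    old = ("kbd-3", t0 - 10.0, tag_input_event(key, "kbd-3", t0 - 10.0))
    cases = [
        {"dst": "example.test:443", "prov": good},      # user-driven: allowed
        {"dst": "c2.example.test:80"},                  # no input event: blocked
        {"dst": "example.test:443", "prov": good},      # tag reused: blocked
        {"dst": "example.test:443", "prov": forged},    # wrong key: blocked
        {"dst": "example.test:443", "prov": old},       # too old: blocked
    ]
    return [verify_outbound(key, r, now=t0 + 0.5, seen=seen) for r in cases]
```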