darpa-i2o / Transparent-Computing

Material from the DARPA Transparent Computing Program
http://www.darpa.mil/program/transparent-computing

Clone event in TC3 theia interpretation #7

Open aanand300 opened 7 months ago

aanand300 commented 7 months ago

Can someone please explain what EVENT_CLONE means in the TC3 theia dataset? Specifically, I'm curious to understand how the "subject" and "predicateObject" are related in the clone event.

Chaves2021 commented 7 months ago

You can check it in CDM18.avdl, described in the readme file as the human-readable version of CDM used by the consumer to create the avro files, which then create the json files. It's on lines 336 and 337:

 336         /* Subject -> Object */
 337         EVENT_CLONE,                  // clone a subject

aanand300 commented 7 months ago

Hi @Chaves2021, thanks for pointing that out. However, when I look at the TC3 theia-6r dataset I'm finding some entries in the json logs like the following:

{"datum":{"com.bbn.tc.schema.avro.cdm18.Event":{"uuid":"F7EE2E0B-C022-2415-DE16-020000000010","sequence":{"long":1741},"type":"EVENT_CLONE","threadId":{"int":3636},"hostId":"0A00063C-5254-00F0-0D60-000000000070","subject":{"com.bbn.tc.schema.avro.cdm18.UUID":"340EE419-0000-0000-0000-000000000020"},"predicateObject":{"com.bbn.tc.schema.avro.cdm18.UUID":"3A0EE519-0000-0000-0000-000000000020"},"predicateObjectPath":null,"predicateObject2":{"com.bbn.tc.schema.avro.cdm18.UUID":"00000000-0000-0000-0000-000000000000"},"predicateObject2Path":null,"timestampNanos":1523380782174760695,"name":{"string":"clone"},"parameters":null,"location":null,"size":null,"programPoint":null,"properties":{"map":{}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}

where the subject seems to be a fluxbox process with "path" /usr/bin/fluxbox and the predicate object seems to be a firefox process with "path" /home/admin/Downloads/firefox/firefox. Do you know why the effect of clone changes the path (if it is really just the clone system call)? (Also, do you know why the "cmdLine" "string" of the subject and predicate object are different?)

Just for reference, the subject and predicate object log entries are as follows, respectively:

Subject-

{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"340EE419-0000-0000-0000-000000000020","type":"SUBJECT_PROCESS","cid":3636,"parentSubject":{"com.bbn.tc.schema.avro.cdm18.UUID":"8C081700-0000-0000-0000-000000000020"},"hostId":"0A00063C-5254-00F0-0D60-000000000070","localPrincipal":"EC000000-0000-0000-0000-000000000060","startTimestampNanos":1523380781445905515,"unitId":null,"iteration":null,"count":null,"cmdLine":{"string":"fluxbox"},"privilegeLevel":null,"importedLibraries":null,"exportedLibraries":null,"properties":{"map":{"tgid":"3636","path":"/usr/bin/fluxbox","ppid":"2188"}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}

Object-

{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"3A0EE519-0000-0000-0000-000000000020","type":"SUBJECT_PROCESS","cid":3642,"parentSubject":{"com.bbn.tc.schema.avro.cdm18.UUID":"8C081700-0000-0000-0000-000000000020"},"hostId":"0A00063C-5254-00F0-0D60-000000000070","localPrincipal":"EC000000-0000-0000-0000-000000000060","startTimestampNanos":1523380782174724294,"unitId":null,"iteration":null,"count":null,"cmdLine":{"string":"/usr/bin/firefox"},"privilegeLevel":null,"importedLibraries":null,"exportedLibraries":null,"properties":{"map":{"tgid":"3636","path":"/home/admin/Downloads/firefox/firefox","ppid":"2188"}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}
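To line up the two ends of an EVENT_CLONE against their Subject records, here is a small Python parser, added here as an example and not part of this thread or the Transparent-Computing repository. It unwraps the Avro union encoding used in the CDM18 JSON lines and, for each EVENT_CLONE, reports cid, tgid, path and cmdLine of subject and predicateObject plus whether they share a tgid; the sample records are constructed from the three entries quoted above, trimmed to the fields used.

```python
import json

# Constructed sample: the three records quoted in this issue, trimmed to the
# fields used here (same UUIDs, cid/tgid values, paths and cmdLine as above).
SAMPLE_LINES = [
    '{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"340EE419-0000-0000-0000-000000000020",'
    '"type":"SUBJECT_PROCESS","cid":3636,"cmdLine":{"string":"fluxbox"},'
    '"properties":{"map":{"tgid":"3636","path":"/usr/bin/fluxbox","ppid":"2188"}}}},"CDMVersion":"18"}',
    '{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"3A0EE519-0000-0000-0000-000000000020",'
    '"type":"SUBJECT_PROCESS","cid":3642,"cmdLine":{"string":"/usr/bin/firefox"},'
    '"properties":{"map":{"tgid":"3636","path":"/home/admin/Downloads/firefox/firefox","ppid":"2188"}}}},"CDMVersion":"18"}',
    '{"datum":{"com.bbn.tc.schema.avro.cdm18.Event":{"uuid":"F7EE2E0B-C022-2415-DE16-020000000010",'
    '"type":"EVENT_CLONE","threadId":{"int":3636},'
    '"subject":{"com.bbn.tc.schema.avro.cdm18.UUID":"340EE419-0000-0000-0000-000000000020"},'
    '"predicateObject":{"com.bbn.tc.schema.avro.cdm18.UUID":"3A0EE519-0000-0000-0000-000000000020"},'
    '"timestampNanos":1523380782174760695,"name":{"string":"clone"}}},"CDMVersion":"18"}',
]

def unwrap(value):
    """Collapse Avro union encoding ({"string": x}, {"int": n}, {"...UUID": u}) to its payload."""
    if isinstance(value, dict) and len(value) == 1:
        return next(iter(value.values()))
    return value

def parse_record(line):
    """Split one CDM18 JSON line into (record kind, body), e.g. ("Event", {...})."""
    (kind, body), = json.loads(line)["datum"].items()
    return kind.rsplit(".", 1)[-1], body

def summarize(subject):
    """Pull the fields the thread discusses out of a Subject record."""
    props = subject.get("properties", {}).get("map", {})
    return {"uuid": subject["uuid"], "cid": subject.get("cid"), "tgid": props.get("tgid"),
            "path": props.get("path"), "cmdLine": unwrap(subject.get("cmdLine"))}

def clone_edges(lines):
    """Resolve each EVENT_CLONE to its subject (caller) and predicateObject (clone) Subject records."""
    subjects = {}
    for line in lines:
        kind, body = parse_record(line)
        if kind == "Subject":
            subjects[body["uuid"]] = body
    edges = []
    for line in lines:  # second pass: a Subject record may follow the event in a real dump
        kind, body = parse_record(line)
        if kind != "Event" or body.get("type") != "EVENT_CLONE":
            continue
        caller = subjects.get(unwrap(body["subject"]))
        child = subjects.get(unwrap(body["predicateObject"]))
        if caller is None or child is None:  # referenced Subject not in this chunk of the dump
            continue
        caller, child = summarize(caller), summarize(child)
        edges.append({"event": body["uuid"], "threadId": unwrap(body.get("threadId")),
                      "caller": caller, "child": child, "same_tgid": caller["tgid"] == child["tgid"]})
    return edges
```

Run over a full theia-6r chunk, the same loop resolves every clone edge at once; an edge whose ends share a tgid but differ in cid is worth inspecting separately from one that does not before treating it as a process fork.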