1
Introduction to Honeypot, measurement, and vulnerability exploits
Cliff C. Zou, CAP6133, 02/06/06
2
What Is a Honeypot?
Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
3
Example of a Simple Honeypot
Install vulnerable OS and software on a machine
Install monitor or IDS software
Connect to the Internet (with global IP)
Wait & monitor being scanned, attacked, compromised
Finish analysis, clean the machine
4
Benefit of Deploying Honeypots
Risk mitigation: Lure an attacker away from the real production systems (“easy target”).
IDS-like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
5
Benefit of Deploying Honeypots
Attack analysis: Find out the reasons and strategies behind why and how you are attacked; binary and behavior analysis of captured malicious code.
Evidence: Once the attacker is identified, all data captured may be used in a legal procedure.
Increased knowledge
6
Honeypot Classification
High-interaction honeypots: A full and working OS is provided for being attacked; e.g. a VMware virtual environment, with several VMware virtual hosts in one physical machine
Low-interaction honeypots: Only emulate specific network services; no real interaction or OS; e.g. Honeyd
Honeynet/honeyfarm: A network of honeypots
7
Low-Interaction Honeypots
Pros: Easy to install (simple program); no risk (no vulnerable software to be attacked); one machine supports hundreds of honeypots, covering hundreds of IP addresses
Cons: No real interaction to be captured; limited logging/monitor function; hard to detect unknown attacks, hard to generate filters; easily detectable by attackers
8
High-Interaction Honeypots
Pros: Real OS, captures all attack traffic/actions; can discover unknown attacks/vulnerabilities; can capture and analyze code behavior
Cons: Time-consuming to build/maintain; time-consuming to analyze attacks; risk of being used as a stepping stone; high computer resource requirement
9
Honeynet
A network of honeypots
High-interaction honeynet: A distributed network composed of many honeypots
Low-interaction honeynet: Emulate a virtual network in one physical machine; example: honeyd
Mixed honeynet: “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week
Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt
10
Security Measurement
Monitor network traffic to understand/track Internet attack activities
Monitor incoming traffic to unused IP space: TCP connection requests, UDP packets
(Figure: traffic from the Internet into the local network; the part destined for the unused IP space is the monitored traffic.)
“Characteristics of internet background radiation.”
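As an added example (not from the slides or the paper cited above), the classification a darknet monitor applies to packets arriving at unused address space: a TCP SYN without ACK is counted as a connection request, other TCP (such as SYN/ACK backscatter) and UDP separately, and anything outside the monitored prefix is ignored. The prefix 192.0.2.0/24 and the sample packets are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* How a packet arriving at the monitored (unused) address space is classified. */
enum pkt_class { PKT_BAD, PKT_TCP_SYN, PKT_TCP_OTHER, PKT_UDP, PKT_OTHER, PKT_OUTSIDE };

/* Parse only as much of the IPv4 header (and the transport header after it)
 * as classification needs. Destinations outside the unused prefix net/plen are
 * reported as PKT_OUTSIDE; truncated or non-IPv4 input as PKT_BAD. */
enum pkt_class classify(const uint8_t *p, size_t len, uint32_t net, int plen) {
    if (len < 20 || (p[0] >> 4) != 4) return PKT_BAD;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return PKT_BAD;
    uint32_t dst = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    uint32_t mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    if ((dst & mask) != (net & mask)) return PKT_OUTSIDE;
    const uint8_t *t = p + ihl;
    size_t tlen = len - ihl;
    if (p[9] == 6) {                          /* TCP: flags live in byte 13 */
        if (tlen < 14) return PKT_BAD;
        bool syn = t[13] & 0x02, ack = t[13] & 0x10;
        return (syn && !ack) ? PKT_TCP_SYN : PKT_TCP_OTHER;   /* request = SYN without ACK */
    }
    if (p[9] == 17) return tlen < 8 ? PKT_BAD : PKT_UDP;     /* UDP: 8-byte header */
    return PKT_OTHER;
}

/* Build a minimal constructed IPv4 packet with a 20-byte transport header;
 * only the fields classify() reads are filled in (no checksums, no ports). */
size_t mk_pkt(uint8_t *buf, uint8_t proto, uint32_t dst, uint8_t tcp_flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[8] = 64; buf[9] = proto;
    buf[16] = dst >> 24; buf[17] = dst >> 16; buf[18] = dst >> 8; buf[19] = dst;
    buf[20 + 13] = tcp_flags;                 /* ignored for UDP */
    return 40;
}

/* Tally a constructed sample; the monitored prefix is 192.0.2.0/24 (TEST-NET-1). */
void sample_counts(unsigned counts[6]) {
    uint8_t b[40]; uint32_t net = 0xC0000200u;
    memset(counts, 0, 6 * sizeof(unsigned));
    counts[classify(b, mk_pkt(b, 6, 0xC000020Au, 0x02), net, 24)]++;   /* SYN to 192.0.2.10 */
    counts[classify(b, mk_pkt(b, 6, 0xC000024Du, 0x12), net, 24)]++;   /* SYN/ACK: backscatter */
    counts[classify(b, mk_pkt(b, 17, 0xC0000205u, 0), net, 24)]++;     /* UDP to 192.0.2.5 */
    counts[classify(b, mk_pkt(b, 6, 0xC6336405u, 0x02), net, 24)]++;   /* 198.51.100.5: outside */
    counts[classify(b, 10, net, 24)]++;                                   /* truncated packet */
}
```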
11
Remote host fingerprinting
Actively probe remote hosts to identify remote hosts’ OS, physical devices, etc.: OSes’ service responses are different; hardware responses are different
Purposes: Understand Internet computers; remove the DHCP issue in monitored data
“Remote Physical Device Fingerprinting”
12
Remote network fingerprinting
By sending probing traffic, learn the structure and characteristics of remote networks: based on TTL to know the hop length; based on return data to infer firewall policy.
“ConceptDoppler: A Weather Tracker for Internet Censorship”
Others
13
Data Sharing: Traffic Anonymization
Sharing monitored network traffic is important: collaborative attack detection; academic research
Privacy and security exposure in data sharing: packet header exposes IP address and service port; packet content: more serious
Data anonymization: change packet header (preserve IP prefix, and …); change packet content
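An added example of the “preserve IP prefix” idea (not from the slides): prefix-preserving anonymization, where bit i of the output is bit i of the input XORed with a keyed function of the first i bits, so two addresses that share their first k bits map to outputs that share exactly their first k bits. The keyed bit function is a constructed toy mixer standing in for a real PRF such as the AES-based one in Crypto-PAn, and the key value is made up for the test.

```c
#include <stdint.h>

/* Toy keyed bit oracle (constructed for this example, not a real PRF): one
 * pseudorandom bit per (key, prefix value, prefix length). */
static int prf_bit(uint64_t key, uint32_t prefix, int plen) {
    uint64_t h = 0xcbf29ce484222325ull ^ key;
    uint64_t in = ((uint64_t)prefix << 8) | (uint64_t)plen;
    for (int i = 0; i < 8; i++) { h ^= (in >> (8 * i)) & 0xff; h *= 0x100000001b3ull; }
    h ^= h >> 29; h *= 0xbf58476d1ce4e5b9ull; h ^= h >> 32;   /* extra avalanche */
    return (int)(h & 1);
}

/* Prefix-preserving anonymization of one IPv4 address. Because the mask bit
 * for position i depends only on the first i bits, addresses that agree on a
 * prefix get outputs that agree on that prefix and differ at the first bit
 * where the originals differ. */
uint32_t anon_ipv4(uint64_t key, uint32_t ip) {
    uint32_t out = 0;
    for (int i = 0; i < 32; i++) {
        int shift = 31 - i;
        uint32_t prefix = (i == 0) ? 0 : ip >> (32 - i);   /* the first i bits */
        uint32_t bit = (ip >> shift) & 1;
        out |= (bit ^ (uint32_t)prf_bit(key, prefix, i)) << shift;
    }
    return out;
}

/* Length in bits of the common prefix of two addresses (32 if equal). */
int common_prefix_len(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    if (x == 0) return 32;
    int n = 0;
    while (!(x & 0x80000000u)) { x <<= 1; n++; }
    return n;
}
```

Packet headers anonymized this way still support per-prefix analysis (the same /24 stays one /24), which is what collaborative detection needs, without revealing the real addresses.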
14
Buffer Overflow Introduction
Attack steps: Inject attack code onto the buffer or somewhere; redirect the control flow to the attack code; execute the attack code
15
(Figure: process memory layout from low to high addresses: 0x00000000; 0x08048000: code, static data, bss, heap; 0x42000000: shared library; stack; 0xC0000000: kernel space; 0xFFFFFFFF.)
From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
16
A Stack Structure
(Figure: one frame, from high to low addresses: function parameters, return address, calling frame pointer, local variables; SP, the stack pointer, marks the low-address end, toward 00000000.)
FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.
17
Example
(Figure: the frame of f(5), from high to low addresses: 5 (the parameter m), the address of the instruction b=20 (return address), the saved stack pointer, x, buf1, buf2.)

    int a, b;

    void f(int m) {
        int x;
        char buf1[10];
        char buf2[5];
        x = m;
        …
    }

    int main(void) {
        a = 4;
        f(5);
        b = 20;
        return 0;
    }
18
Overflow
(Figure: the frame before the overflow, from high to low addresses: argument 2, argument 1, RA, frame pointer, locals, buffer. After the overflow, the buffer and the slots above it hold the attack code and the RA slot holds the address of the attack code.)
19
Some unsafe C lib functions
strcpy(char *dest, const char *src)
strcat(char *dest, const char *src)
gets(char *s)
scanf(const char *format, …)
printf(const char *format, …)
20
Format String Attack
printf specification (also snprintf, wsprintf, …):
%d - signed decimal integer
%x - unsigned hexadecimal integer
%n - number of characters successfully written so far to the stream/buffer. This is stored in the integer whose address is given as the argument.
int printf(const char *format [, argument]…);
21
Vulnerability
Writing printf(str) instead of printf(“%s”, str). Possible vulnerabilities:
Dump arbitrary memory (information leaking); write to arbitrary memory
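An added example (not from the slides) covering both the unsafe C library functions listed above and the format string vulnerability: a bounded copy that refuses input which would overflow a fixed buffer such as the slide’s buf2[5], a scanner that walks an untrusted string the way printf would to count directives and flag %n, and the fixed printf(“%s”, str) shape that turns the string back into plain data. All function names are the example’s own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy()/gets() into a fixed buffer: copies only if
 * src and its terminator fit in dstsz bytes, otherwise returns -1 and leaves
 * dst untouched instead of writing past its end. Returns the length copied. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) return -1;      /* would overflow dst */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Walk an untrusted string as printf would: count conversion directives and
 * report whether %n (the one that writes memory) is among them. "%%" is a
 * literal percent sign, not a directive. */
int scan_format(const char *s, bool *has_n) {
    int directives = 0;
    *has_n = false;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        i++;
        if (s[i] == '%') continue;                /* escaped percent */
        /* skip flags, width, precision, positional and length modifiers */
        while (s[i] != '\0' && strchr("-+ #0123456789.*$hlLqjzt", s[i])) i++;
        if (s[i] == '\0') break;                  /* truncated directive */
        directives++;
        if (s[i] == 'n') *has_n = true;
    }
    return directives;
}

/* The slide's vulnerable shape is printf(str): directives inside str are
 * interpreted. The fixed shape keeps the format constant, so str is only an
 * argument and "%x%n" stays four literal characters. Returns the length. */
int render_untrusted(char *out, size_t outsz, const char *str) {
    return snprintf(out, outsz, "%s", str);
}
```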
22
Read More
Buffer Overflow: http://www.cs.rpi.edu/~hollingd/comporg.2002/notes/overflow/overflow.ppt
“buffer overflow for dummy”: http://www.sans.org/reading_room/whitepapers/threats/481.php
“Format string attacks”: http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf
“Analysis of format string bugs”: http://downloads.securityfocus.com/library/format-bug-analysis.pdf
Lecture notes: http://crypto.stanford.edu/cs155-spring03/lecture3.ppt