Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam

Page 1: Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam

Argos Emulator

Georgios Portokalidis

Asia Slowinska

Herbert Bos

Vrije Universiteit Amsterdam

Page 2

Georgios Portokalidis VU Amsterdam 2

[Chart: CERT/CC Reported Vulnerabilities, 2003 to 2005; y-axis 0 to 6000]

Why?

Too many vulnerabilities

New worm attacks

Human intervention too slow

Current solutions are problematic
– Time consuming
– Inaccurate

Page 3

Goals

Platform for next generation honeypots

Protect entire OS

Detect most common attack vectors

Accuracy

Page 4

It Works!

Apache chunked encoding overflow

IIS ISAPI .printer host header overflow

WebDav ntdll.dll overflow

FrontPage Server Extensions Debug Overflow

War-FTP overflow

ASN.1 Library Bitstring Heap Overflow

Windows Message Queueing Remote Overflow

RPC DCOM Interface overflow

LSASS Overflow

Windows PnP Service Remote Overflow

nbSMTP remote format string exploit

WMF exploit

Page 5

Argos Overview

[Diagram: Applications on the Guest OS inside the Argos Emulator, running on the Host OS; the emulator writes a Log used by the Forensics component, the Snitch and the Signature Post-Processing Sub-system]

Page 6

Network Data Tracking

Register = network_read

Reg. A = Reg. A + Reg. B

Memory(A) = Reg. A

Reg. B = Reg. A / 156.345

[Diagram: register and memory tag state after each of the four steps]

Page 7

Capturing Attacks

Diverting control flow

Executing arbitrary instructions

Overwriting system call arguments

[Diagram: JMP, CALL and RET with tagged register operands; SYSCALL with tagged memory]

Page 8

Forensics

[Diagram: Argos Emulator (Registers, RAM) running the Guest OS and Applications; per process: Virtual Address Space, Process name, Linked Libraries, Open Ports]

Page 9

Signature Generation

[Diagram: Logged Network Flows and Argos Memory Log -> Critical Exploit Bytes (e.g. value loaded on EIP) -> New Signature; New Signature compared with Similar Signatures -> Generalised Signature]

Page 10

Emulator Performance

[Chart: Overhead (y times slower, 0 to 30) of Vanilla Qemu and Argos on bunzip2, apache, nbench integer, nbench float, nbench memory]

Page 11

Signature Generation Performance

[Chart: Time to generate signature (sec, 0 to 14) against Tcpdump trace size (MB): 1.15, 5, 10, 15, 20, 25, 30, 60]

Page 12

Future Work

Replaying attacks

Integration with nepenthes honeypot

Increase data tracking precision

Protocol aware signature generation

Generate self certifying alerts

Page 13

On The Web

http://www.few.vu.nl/argos

Page 14

Network Data Tracking

Tag network data as “tainted”

[Diagram: registers EAX, EBX, ECX, EDX and RAM; data arriving through Port I/O is tagged as it enters EBX]

Page 15

Network Data Tracking

Tag network data as “tainted”

Track “tainted” data propagation
– Arithmetic, logical operations
– Memory operations

[Diagram: the tag on EBX propagates to EAX and to RAM location A]

Page 16

Network Data Tracking

Tag network data as “tainted”

Track “tainted” data propagation
– Arithmetic, logical operations
– Memory operations

Sanitise data
– Floating point, SSE

[Diagram: registers EAX, EBX, ECX, EDX and RAM location A after sanitising]

Page 17

Identifying Attacks

Jumps

Function calls

Function returns

System calls

[Diagram: JMP EAX, CALL EAX, RET, JMP A, INT 0x80 with tainted EBX or RAM operands]
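Added example for pages 6, 7 and 14 to 17, written for this transcript and not taken from Argos: a toy CPU in C with a taint tag on every register and memory word. A network read tags its destination, arithmetic and memory moves carry the tag along, a floating-point divide clears it, and a jump, call, return or syscall that consumes a tagged value stops the run with an alert. The instruction set, the word-granularity tags, the sanitising rule for FDIV and the choice to check EAX and EBX at INT 0x80 are assumptions of this example, not a description of Argos internals.

```c
/* Added example, not Argos code: a toy CPU with a taint tag on every register
 * and memory word. Network input is tagged, arithmetic and memory moves carry
 * the tag, floating point clears it, and a control transfer or syscall that
 * consumes a tagged value stops the run with an alert. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4
#define MEMSZ 32        /* word-addressed memory; the stack grows down from the top */
enum { EAX, EBX, ECX, EDX };

typedef struct {
    uint32_t reg[NREGS];
    uint8_t  reg_tag[NREGS];    /* 1 = value derived from network data */
    uint32_t mem[MEMSZ];
    uint8_t  mem_tag[MEMSZ];
    uint32_t eip, esp;
    const char *alert;          /* why the run stopped; NULL if it ran clean */
} cpu_t;

enum op { NETREAD, ADD, STORE, LOAD, FDIV, JMP_REG, CALL_REG, RET, SYSCALL, HALT };
typedef struct { enum op op; int a, b; } insn_t;    /* a, b: register or word index */

static void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); c->esp = MEMSZ; }

/* Return addresses generated by the CPU itself are clean. */
static void push(cpu_t *c, uint32_t v) { c->mem[--c->esp] = v; c->mem_tag[c->esp] = 0; }

static int step(cpu_t *c, const insn_t *i, const uint32_t *net)   /* 0 = stop */
{
    switch (i->op) {
    case NETREAD:   /* a word from the NIC lands in a register: tag it */
        c->reg[i->a] = net[i->b]; c->reg_tag[i->a] = 1; break;
    case ADD:       /* arithmetic, logic: result tainted if either operand is */
        c->reg[i->a] += c->reg[i->b]; c->reg_tag[i->a] |= c->reg_tag[i->b]; break;
    case STORE:     /* memory operations move the tag with the value */
        c->mem[i->a] = c->reg[i->b]; c->mem_tag[i->a] = c->reg_tag[i->b]; break;
    case LOAD:
        c->reg[i->a] = c->mem[i->b]; c->reg_tag[i->a] = c->mem_tag[i->b]; break;
    case FDIV:      /* floating point sanitises: tag cleared (assumed rule) */
        c->reg[i->a] = (uint32_t)((double)c->reg[i->b] / 156.345); c->reg_tag[i->a] = 0; break;
    case JMP_REG:
        if (c->reg_tag[i->a]) { c->alert = "tainted jump target"; return 0; }
        c->eip = c->reg[i->a]; break;
    case CALL_REG:
        if (c->reg_tag[i->a]) { c->alert = "tainted call target"; return 0; }
        push(c, c->eip); c->eip = c->reg[i->a]; break;
    case RET:       /* the return address is read from memory: check its tag */
        if (c->esp >= MEMSZ) { c->alert = "stack underflow"; return 0; }
        if (c->mem_tag[c->esp]) { c->alert = "tainted return address"; return 0; }
        c->eip = c->mem[c->esp++]; break;
    case SYSCALL:   /* INT 0x80: EAX = number, EBX = first argument (assumed ABI) */
        if (c->reg_tag[EAX] || c->reg_tag[EBX]) { c->alert = "tainted syscall operand"; return 0; }
        break;
    case HALT: return 0;
    }
    return 1;
}

/* Run prog; returns the alert, or NULL if no rule fired. */
static const char *run(cpu_t *c, const insn_t *prog, int n, const uint32_t *net)
{
    c->eip = 0; c->alert = NULL;
    while (c->eip < (uint32_t)n && step(c, &prog[c->eip++], net))
        ;
    return c->alert;
}

static const uint32_t NET[] = { 0x41414141, 0x0badc0de };   /* constructed network input */

/* The page 6 sequence, then a jump through the register still holding network data. */
static const char *scenario_jump(void)
{
    static const insn_t p[] = { { NETREAD, EAX, 0 }, { ADD, EAX, EBX }, { STORE, 5, EAX },
                                { FDIV, EBX, EAX }, { JMP_REG, EAX, 0 }, { HALT, 0, 0 } };
    cpu_t c; cpu_init(&c);
    return run(&c, p, 6, NET);
}

/* A clean return address on the stack is overwritten by a network-fed store. */
static const char *scenario_ret(void)
{
    static const insn_t p[] = { { NETREAD, EAX, 1 }, { STORE, MEMSZ - 1, EAX },
                                { RET, 0, 0 }, { HALT, 0, 0 } };
    cpu_t c; cpu_init(&c); push(&c, 3);
    return run(&c, p, 4, NET);
}

/* Network data that passed through floating point is sanitised and may reach a syscall. */
static const char *scenario_clean(void)
{
    static const insn_t p[] = { { NETREAD, ECX, 0 }, { FDIV, EBX, ECX }, { STORE, 7, EBX },
                                { LOAD, EAX, 7 }, { SYSCALL, 0, 0 }, { HALT, 0, 0 } };
    cpu_t c; cpu_init(&c);
    return run(&c, p, 6, NET);
}

int main(void)
{
    const char *(*s[])(void) = { scenario_jump, scenario_ret, scenario_clean };
    for (int k = 0; k < 3; k++) { const char *r = s[k](); printf("%s\n", r ? r : "clean"); }
    return 0;
}
```

Each scenario returns the alert string, or NULL for a clean run, so the same rules can be tried on other instruction sequences. The third scenario is the caveat behind the "Sanitise data" bullet: once a value has gone through a floating-point or SSE operation its tag is gone, which is what keeps false positives down but also means an exploit that routes its payload through such instructions is no longer tracked (the "Increase data tracking precision" item on the future work page).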

Page 18

SweetBait Design

Page 19

Logs Format

Type | RID | Format | Timestamp | Register values | Register tags | EIP value | EIP origin | EFLAGS

Format | Tainted flag | V. address | P. address | Size | Memory block contents
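Added example for the signature pipeline on page 9 and the log fields on page 19, written for this transcript and not taken from Argos or SweetBait: given a memory log record, the code picks the tainted block that supplied the value loaded into EIP (the critical exploit bytes), checks that the little-endian EIP value really sits at the logged origin, searches the logged flow for that block to obtain a new signature, and generalises two such signatures to their longest common byte string. The record layout (memblock_t, memlog_t), the two HTTP-like flows and the addresses are constructed for the example.

```c
/* Added example, not Argos or SweetBait code: extract the critical exploit
 * bytes from a memory log, find them in the logged network flow, and
 * generalise two per-attack signatures to their longest common byte string.
 * The record layout is an assumed rendering of the page 19 fields. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One logged memory block: tainted flag, virtual address, size, contents. */
typedef struct { int tainted; uint32_t vaddr; size_t size; const uint8_t *contents; } memblock_t;
/* The parts of a log record this example needs: EIP value, the guest address
 * it was loaded from, and the dumped memory blocks. */
typedef struct { uint32_t eip, eip_origin; const memblock_t *blocks; size_t nblocks; } memlog_t;

/* The tainted block holding the four bytes that became EIP, or NULL. */
static const memblock_t *critical_block(const memlog_t *log)
{
    for (size_t i = 0; i < log->nblocks; i++) {
        const memblock_t *b = &log->blocks[i];
        if (b->tainted && log->eip_origin >= b->vaddr && log->eip_origin + 4 <= b->vaddr + b->size)
            return b;
    }
    return NULL;
}

/* Plain byte-string search; returns the offset in hay or -1. */
static long find_bytes(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* New signature: the critical block's bytes as they appeared on the wire.
 * The little-endian EIP value must sit at eip_origin inside the block; that
 * cross-check catches an inconsistent log before the flow is searched. */
static long signature_from_log(const memlog_t *log, const uint8_t *flow, size_t flen,
                               const uint8_t **sig, size_t *siglen)
{
    const memblock_t *b = critical_block(log);
    if (!b) return -1;
    uint8_t le[4] = { (uint8_t)log->eip, (uint8_t)(log->eip >> 8),
                      (uint8_t)(log->eip >> 16), (uint8_t)(log->eip >> 24) };
    if (memcmp(b->contents + (log->eip_origin - b->vaddr), le, 4) != 0) return -1;
    long off = find_bytes(flow, flen, b->contents, b->size);
    if (off >= 0) { *sig = flow + off; *siglen = b->size; }
    return off;
}

/* Generalised signature: the longest common substring of two signatures. */
static size_t generalise(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen,
                         const uint8_t **out)
{
    size_t best = 0;
    *out = NULL;
    for (size_t i = 0; i < alen; i++)
        for (size_t j = 0; j < blen; j++) {
            size_t k = 0;
            while (i + k < alen && j + k < blen && a[i + k] == b[j + k]) k++;
            if (k > best) { best = k; *out = a + i; }
        }
    return best;
}

/* Constructed data: two attack instances with different padding but the same
 * return address (0x0badc0de, little-endian) followed by the same code stub. */
#define TAIL "\xde\xc0\xad\x0b" "\x90\x90\xcc\xcc"
static const uint8_t BLK1[]  = "AAAAAAAAAAAAAAAA" TAIL;
static const uint8_t BLK2[]  = "BBBBBBBBBBBB" TAIL;
static const uint8_t FLOW1[] = "GET /" "AAAAAAAAAAAAAAAA" TAIL " HTTP/1.0\r\n";
static const uint8_t FLOW2[] = "POST /" "BBBBBBBBBBBB" TAIL " HTTP/1.1\r\n";
static const memblock_t BLOCKS1[] = { { 0, 0xbfffe000, 4, (const uint8_t *)"\0\0\0" },
                                      { 1, 0xbffff000, sizeof BLK1 - 1, BLK1 } };
static const memblock_t BLOCKS2[] = { { 1, 0xbffff100, sizeof BLK2 - 1, BLK2 } };
static const memlog_t LOG1 = { 0x0badc0de, 0xbffff010, BLOCKS1, 2 };   /* origin = BLK1 + 16 */
static const memlog_t LOG2 = { 0x0badc0de, 0xbffff10c, BLOCKS2, 1 };   /* origin = BLK2 + 12 */

static long demo_offset(void)          /* offset of the new signature in FLOW1 */
{
    const uint8_t *s; size_t n;
    return signature_from_log(&LOG1, FLOW1, sizeof FLOW1 - 1, &s, &n);
}

static size_t demo_generalised(void)   /* length of the generalised signature */
{
    const uint8_t *s1, *s2, *g; size_t n1, n2;
    if (signature_from_log(&LOG1, FLOW1, sizeof FLOW1 - 1, &s1, &n1) < 0) return 0;
    if (signature_from_log(&LOG2, FLOW2, sizeof FLOW2 - 1, &s2, &n2) < 0) return 0;
    return generalise(s1, n1, s2, n2, &g);
}

int main(void)
{
    printf("signature at offset %ld, generalised length %zu\n", demo_offset(), demo_generalised());
    return 0;
}
```

Longest common substring is the simplest generalisation: it strips the padding that varies between the two instances and keeps the bytes both exploits must carry (the return address and the start of the code). It knows nothing about the protocol, so on real traces it can latch onto bytes that are merely common to the service (the method or header text), which is the gap the "Protocol aware signature generation" item on the future work page points at.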

Page 20

Forensics – Shellcode Injection

Lookup process’s read-only pages

Inject code at last text segment page

Point EIP to shellcode

[Diagram: .text section in the Process Address Space (Windows PE, ELF, etc)]

Page 21

Forensics – The Snitch

Injected shellcode:
Pid = getpid()
Rid [injected by Argos]
Connect(localhost)
Send(pid & rid)

Snitch:
Listen()
Accept()
Read(pid & rid)
Exec(Netstat or OpenPorts)
Connect(argos host)
Send(info)