Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm
Authors: Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage, University of California, San Diego
Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005
Presented By: Dan DeBlasio for CAP 6133, Spring 2008
Outline
Architectural Overview; Implementation; Results; Commentary/Conclusion
Overview
When a packet comes in, route it to an existing VM if one owns that address; otherwise create a new VM for that address. The new VM is a copy of a template system and carries out the interaction. Only the differences from the template are kept. Infection data is contained so a compromised VM cannot infect other hosts.
Honeyfarm Architecture (flowchart): Packet comes in. Is the destination IP already a VM? No: create a VM. Yes: forward the packet to it. Outbound packet: is it safe? Yes: send to the Internet. No: contained.
Honeyfarm Architecture (figure slide; image not reproduced)
Containment
Until now only low-interaction honeyfarms have been seen. How do you keep a high-interaction honeyfarm from becoming a worm incubator? The design relies on the gateway router to "scrub" outgoing traffic; where needed, it emulates the destination addresses on the internal network instead of letting traffic out.
Gateway Router
Incoming packets to an inactive IP are sent to a non-overloaded physical server so the address can be emulated there; the choice of server is random or calculated. Packets directed to an active IP pass to the machine where a VM has already been created for it. The router filters out "known" attacks so the farm does not over-emulate the same worm.
Gateway Router
Must prevent a worm or outbreak from starving the honeyfarm of resources through reflection (outbound traffic redirected back into the farm). Decides when a VM should be reclaimed because it was inactive and never successfully compromised. Also decides when a compromised machine should be reclaimed so its resources can be reallocated.
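A toy model of the gateway router's dispatch, containment and reclaim decisions described on the last two slides. This is an added illustration, not code from the Potemkin paper; the server names, the per-server capacity, the idle timeout and the rule that a VM originating traffic counts as compromised are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class VM:
    server: str            # physical server hosting the clone
    last_seen: int         # time of the last packet to this address
    compromised: bool = False

class Gateway:
    def __init__(self, servers, max_per_server=2, idle_timeout=5):
        self.load = {s: 0 for s in servers}   # active VMs per physical server
        self.max_per_server = max_per_server
        self.idle_timeout = idle_timeout
        self.vms = {}                         # honeyfarm IP -> VM
    def pick_server(self):
        # "calculated" choice: least-loaded server, or None if all are full
        s = min(self.load, key=self.load.get)
        return s if self.load[s] < self.max_per_server else None

    def inbound(self, dst_ip, now, known_attack=False):
        if known_attack:                      # don't re-emulate the same worm
            return "filtered"
        vm = self.vms.get(dst_ip)
        if vm:                                # active IP: forward to its VM
            vm.last_seen = now
            return f"forward:{vm.server}"
        server = self.pick_server()
        if server is None:                    # farm would be starved of resources
            return "dropped:no-capacity"
        self.load[server] += 1
        self.vms[dst_ip] = VM(server, now)
        return f"clone:{server}"

    def outbound(self, src_ip, dst_ip, now):
        # Containment: nothing leaves for the real Internet; the packet is reflected
        # back into the farm, emulating dst_ip on demand (assumed: sender is compromised)
        self.vms[src_ip].compromised = True
        return "reflect:" + self.inbound(dst_ip, now)

    def _release(self, ip):
        self.load[self.vms.pop(ip).server] -= 1
        return ip

    def reclaim_idle(self, now):          # idle and never compromised
        idle = [ip for ip, vm in self.vms.items()
                if not vm.compromised and now - vm.last_seen > self.idle_timeout]
        return [self._release(ip) for ip in idle]

    def reclaim_compromised(self):        # free resources held by compromised VMs
        return [self._release(ip) for ip, vm in list(self.vms.items()) if vm.compromised]
```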
Virtual Machine Monitor
At startup the system boots the guest OS and lets it warm up and start its server services. It then takes a snapshot of the system (like hibernate) and uses this snapshot to create new VMs on the fly. The reference VM is left running so its memory stays up to date.
VMM - Flash Cloning (sequence diagram over time; participants: Domain Network Stack, Xen Management Daemon, Clone Manager, Cloned VM): a new packet for address A arrives and is passed to the clone manager's queue; the clone manager queues packets until the clone is ready; "clone VM" / "okay"; "change to IP A" / "okay"; the queued packets are flushed and forwarded to the cloned VM; the cloned VM's response goes back out.
Delta Virtualization
At copy time each VM maps all of its memory to the reference VM; on a write, a private copy of the page is stored in the VM's own memory. Memory sharing further reduces the amount of memory needed.
Delta Virtualization (figure slide; image not reproduced)
Results
A /16 (Class B) network: ~65,536 addresses (~2^16)
Results (figure slide; image not reproduced)
Contributions
Shows that a large-scale, high-interaction honeyfarm can be built. Gives proof (in simulation) that the approach improves the efficiency of a honeyfarm.
Weaknesses
Only tested in simulation. Only Linux-based server VMs were used. Only tried at the /16 level.
Improvements
Use Windows PCs as well as Linux servers. Use a honeyd-type first response so that scanning packets do not require cloning a VM.