Introduction to Honeypot, measurement, and vulnerability exploits


Presentation Transcript


  1. Introduction to Honeypot, measurement, and vulnerability exploits Cliff C. Zou CAP6133 02/06/06

  2. What Is a Honeypot? • Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner) • Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

  3. Example of a Simple Honeypot • Install vulnerable OS and software on a machine • Install monitor or IDS software • Connect to the Internet (with global IP) • Wait & monitor being scanned, attacked, compromised • Finish analysis, clean the machine

  4. Benefit of Deploying Honeypots • Risk mitigation: • Lure an attacker away from the real production systems (the honeypot is the “easy target”). • IDS-like functionality: • Since no legitimate traffic should take place to or from the honeypot, any traffic that does appear is suspicious by definition and can trigger further actions.

  5. Benefit of Deploying Honeypots • Attack analysis: • Find out why and how you are attacked, and the attacker’s strategies. • Binary and behavior analysis of captured malicious code • Evidence: • Once the attacker is identified, all captured data may be used in a legal procedure. • Increased knowledge

  6. Honeypot Classification • High-interaction honeypots • A full and working OS is provided for being attacked • VMware virtual environment • Several VMware virtual hosts in one physical machine • Low-interaction honeypots • Only emulate specific network services • No real interaction or OS • Honeyd • Honeynet/honeyfarm • A network of honeypots

  7. Low-Interaction Honeypots • Pros: • Easy to install (a simple program) • Low risk (no real vulnerable software is exposed; only bugs in the emulator itself remain attackable) • One machine supports hundreds of honeypots and covers hundreds of IP addresses • Cons: • No real interaction to be captured • Limited logging/monitoring • Hard to detect unknown attacks; hard to generate filters • Easily detectable by attackers

  8. High-Interaction Honeypots • Pros: • Real OS, captures all attack traffic/actions • Can discover unknown attacks/vulnerabilities • Can capture and analyze code behavior • Cons: • Time-consuming to build/maintain • Time-consuming to analyze attacks • Risk of being used as a stepping stone against other systems • High computing resource requirements

  9. Honeynet • A network of honeypots • High-interaction honeynet • A distributed network composed of many honeypots • Low-interaction honeynet • Emulates a virtual network in one physical machine • Example: honeyd • Mixed honeynet • “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week • Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

  10. Security Measurement • Monitor network traffic to understand/track Internet attack activities • Monitor incoming traffic to unused IP space: • TCP connection requests • UDP packets • (Figure: monitored traffic from the Internet into the unused IP space of a local network) • Reference: “Characteristics of Internet Background Radiation”
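The measurement idea on slide 10 and the IDS-like argument on slide 4 are the same check: a packet addressed into a block that hosts nothing legitimate is unsolicited by definition, so it is counted rather than filtered. The program below is an added example (it is not from the slides and not the tool behind the cited paper) that applies that check to a few constructed flow records. The record format `<src> <dst> <proto> <dport>`, the sample lines and the RFC 5737 documentation addresses are all assumptions made for the demonstration; the dark block is given as a CIDR and everything outside it is ignored.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Parse a dotted quad into host byte order; returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "a.b.c.d/bits": the unused (dark) block nothing legitimate should reach. */
static int parse_cidr(const char *s, uint32_t *net, unsigned *bits) {
    char addr[16];
    if (sscanf(s, "%15[0-9.]/%u", addr, bits) != 2 || *bits > 32)
        return 0;
    return parse_ipv4(addr, net);
}

static int in_block(uint32_t ip, uint32_t net, unsigned bits) {
    uint32_t mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);
    return (ip & mask) == (net & mask);
}

struct tally {
    unsigned hits;      /* packets addressed into the dark block */
    unsigned tcp;       /* TCP connection requests among them */
    unsigned udp;       /* UDP packets among them */
    unsigned top_port;  /* most-hit destination port */
    unsigned top_hits;
};

/* Each line: "<src> <dst> <proto> <dport>" (constructed format).  Anything
   addressed into the dark block is unsolicited and gets tallied; traffic to
   live hosts and malformed records are skipped. */
struct tally radiation_tally(const char *const lines[], size_t n, const char *dark_cidr) {
    static unsigned port_hits[65536];
    struct tally t = {0, 0, 0, 0, 0};
    uint32_t net, src, dst;
    unsigned bits, port;
    char s[16], d[16], proto[8];

    memset(port_hits, 0, sizeof port_hits);
    if (!parse_cidr(dark_cidr, &net, &bits))
        return t;
    for (size_t i = 0; i < n; i++) {
        if (sscanf(lines[i], "%15s %15s %7s %u", s, d, proto, &port) != 4)
            continue;                       /* malformed record */
        if (!parse_ipv4(s, &src) || !parse_ipv4(d, &dst) || port > 65535)
            continue;
        if (!in_block(dst, net, bits))
            continue;                       /* live host: not background radiation */
        t.hits++;
        if (strcmp(proto, "tcp") == 0) t.tcp++;
        else if (strcmp(proto, "udp") == 0) t.udp++;
        if (++port_hits[port] > t.top_hits) {
            t.top_hits = port_hits[port];
            t.top_port = port;
        }
    }
    return t;
}

/* Constructed sample records.  192.0.2.128/25 is the unused block being
   monitored; 192.0.2.0/25 is the live part of the same network. */
const char *const SAMPLE_LINES[] = {
    "203.0.113.5 192.0.2.10 tcp 80",     /* legitimate: live web server */
    "203.0.113.5 192.0.2.130 tcp 445",
    "203.0.113.5 192.0.2.131 tcp 445",
    "198.51.100.7 192.0.2.200 udp 1434",
    "198.51.100.7 192.0.2.10 tcp 22",    /* live host, not counted */
    "203.0.113.9 192.0.2.254 tcp 445",
    "garbage line",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0];

int main(void) {
    struct tally t = radiation_tally(SAMPLE_LINES, SAMPLE_COUNT, "192.0.2.128/25");
    printf("%u packets into the dark block: %u tcp, %u udp; top port %u (%u hits)\n",
           t.hits, t.tcp, t.udp, t.top_port, t.top_hits);
    return 0;
}
```

The per-port tally is what the background-radiation papers report: with the sample above, TCP/445 dominates, which is the kind of signal that separates a worm sweep from random noise. The same classifier, pointed at a honeypot's own address instead of a dark block, is the slide-4 detector.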

  11. Remote host fingerprinting • Actively probe remote hosts to identify their OS, physical devices, etc. • Different OSes respond to service probes differently • Different hardware responds differently • Purposes: • Understand Internet computers • Track a physical host across IP address changes (e.g. DHCP) in monitored data • Reference: “Remote Physical Device Fingerprinting”

  12. Remote network fingerprinting • By sending probing traffic, learn the structure and characteristics of remote networks • Use the TTL of returned packets to estimate the hop count • Use the returned data to infer firewall policy • Reference: “ConceptDoppler: A Weather Tracker for Internet Censorship” • Others

  13. Data Sharing: Traffic Anonymization • Sharing monitored network traffic is important: • Collaborative attack detection • Academic research • Privacy and security exposure in data sharing: • Packet header: exposes IP addresses and service ports • Packet content: more serious • Data anonymization: • Change packet headers: preserve IP prefix, and … • Change packet content
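“Preserve IP prefix” on slide 13 refers to prefix-preserving anonymization: two addresses that share their first n bits are mapped to two addresses that share their first n bits, so subnet structure survives for the researcher while the real addresses do not. The code below is an added example, not from the slides; it follows the bit-by-bit construction of Crypto-PAn (Fan, Xu, Ammar and Moon), which keys its pseudorandom function with AES. The `prf` here is a toy keyed mixer (an assumption for a stand-alone demo, not cryptographic), and the `IP4` macro and `SAMPLE_IPS` are constructed for the test. Output bit i is input bit i XOR one PRF bit derived from the first i input bits, which is exactly what makes the prefix property hold and lets the key holder reverse the mapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy keyed PRF (splitmix64 finaliser over key and input).  Placeholder for the
   AES-based PRF Crypto-PAn uses; not cryptographic, only here so the
   construction runs stand-alone. */
static uint64_t prf(uint64_t key, uint64_t x) {
    uint64_t z = (x ^ key) + 0x9e3779b97f4a7c15ull;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ull;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebull;
    return z ^ (z >> 31);
}

/* One pass over the 32 bits.  The PRF for bit i is keyed by the first i
   *plaintext* bits: the input itself when anonymising, and the bits recovered
   so far when reversing.  Two inputs agreeing on n bits therefore get the same
   PRF bits for positions 0..n and diverge exactly where the inputs diverge. */
static uint32_t pp_transform(uint32_t key, uint32_t in, int reverse) {
    uint32_t out = 0;
    for (int i = 0; i < 32; i++) {
        uint32_t plain_so_far = reverse ? out : in;
        uint32_t prefix = i ? plain_so_far >> (32 - i) : 0;  /* first i bits */
        uint64_t r = prf(key, ((uint64_t)i << 32) | prefix);   /* bind length too */
        uint32_t bit = (in >> (31 - i)) & 1;
        out |= (bit ^ (uint32_t)(r & 1)) << (31 - i);
    }
    return out;
}

uint32_t anon_ipv4(uint32_t key, uint32_t ip)     { return pp_transform(key, ip, 0); }
uint32_t deanon_ipv4(uint32_t key, uint32_t anon) { return pp_transform(key, anon, 1); }

/* Length of the longest common prefix of two addresses, in bits. */
int common_prefix_bits(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (n < 32 && !(x & (0x80000000u >> n)))
        n++;
    return n;
}

/* Check the defining property over every pair in a set of addresses. */
int prefix_preserving_on(uint32_t key, const uint32_t *ips, size_t n) {
    for (size_t a = 0; a < n; a++)
        for (size_t b = a + 1; b < n; b++)
            if (common_prefix_bits(ips[a], ips[b]) !=
                common_prefix_bits(anon_ipv4(key, ips[a]), anon_ipv4(key, ips[b])))
                return 0;
    return 1;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample (RFC 5737 documentation addresses). */
const uint32_t SAMPLE_IPS[] = {
    IP4(192, 0, 2, 10), IP4(192, 0, 2, 130), IP4(192, 0, 2, 131),
    IP4(198, 51, 100, 7), IP4(203, 0, 113, 5), IP4(203, 0, 113, 9),
};
const size_t SAMPLE_IP_COUNT = sizeof SAMPLE_IPS / sizeof SAMPLE_IPS[0];

int main(void) {
    uint32_t key = 0x5eed;
    for (size_t i = 0; i < SAMPLE_IP_COUNT; i++) {
        uint32_t a = anon_ipv4(key, SAMPLE_IPS[i]);
        printf("%08x -> %08x (shares %2d bits with first sample's image)\n",
               SAMPLE_IPS[i], a, common_prefix_bits(a, anon_ipv4(key, SAMPLE_IPS[0])));
    }
    return 0;
}
```

The caveat a data-sharing agreement should spell out: because subnet structure is preserved, a recipient who already knows a few real addresses in the trace (their own, say) can peel the mapping back prefix by prefix, so prefix-preserving output is pseudonymised rather than anonymous.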

  14. Buffer Overflow Introduction • Attack steps: • Inject attack code into the buffer or somewhere else in memory • Redirect the control flow to the attack code • Execute the attack code

  15. Process memory layout (low to high addresses): • 0x00000000 • code, starting at 0x08048000 • static data • bss • heap (grows upward) • shared libraries, around 0x42000000 • stack (grows downward from 0xC0000000) • kernel space, 0xC0000000 to 0xFFFFFFFF • From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt

  16. A Stack Structure (high to low addresses): • Function parameters • Return address • Calling frame pointer (saved FP) • Local variables • SP: stack pointer (bottom of the frame) • FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.

  17. Example • Caller: a=4; f(5); b=20; • Frame of f (high to low addresses): the argument 5, the return address (the address of the instruction b=20), the saved frame pointer, then the locals x, buf1, buf2 • f(int m){ int x; char buf1[10]; char buf2[5]; x=m; … }

  18. Overflowed frame (high to low addresses): • argument 2 • argument 1 • RA, now overwritten with the address of the attack code • saved frame pointer • locals • the buffer, now holding the attack code • The overflow writes upward from the buffer through the locals and the saved frame pointer into the return address, in the stack region of the memory layout shown on slide 15. • From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt

  19. Some unsafe C library functions • strcpy (char *dest, const char *src) • strcat (char *dest, const char *src) • gets (char *s) • scanf (const char *format, …) • printf (const char *format, …)
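Slides 16 to 19 describe the frame of f() and the library calls that overrun it. The program below is an added example, not code from the slides: it models the slide-17 frame (a fixed-size buffer with x just above it) as one struct so the overrun can be shown deterministically and in well-defined C, copies into it with a strcpy-equivalent loop, and then shows the bounded copy that closes the hole. The struct layout, the `unsafe_strcpy` and `safe_copy` helpers and the 16-byte payload are assumptions made for the demonstration; on a real stack the same overrun continues past x into the saved frame pointer and return address exactly as slide 18 shows.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the slide-17 frame of f(): a fixed-size local buffer with x
   sitting just above it.  Putting both in one struct makes the adjacency
   explicit and keeps the writes inside a single object (well-defined C);
   a real compiler lays out the frame its own way. */
struct frame {
    char buf1[10];
    char pad[2];       /* alignment padding a compiler would insert */
    int  x;
    int  above_x;      /* whatever sits next, e.g. the saved frame pointer */
};

/* Same behaviour as strcpy: copy until the NUL, with no idea how big dst is. */
static void unsafe_strcpy(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounded copy in the spirit of strlcpy: never writes past dstsz bytes, always
   NUL-terminates, and returns strlen(src) so the caller can detect truncation. */
static size_t safe_copy(char *dst, size_t dstsz, const char *src) {
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Vulnerable f(): copies input into buf1 without a length check and returns
   what x holds afterwards.  The byte view of the frame is passed so that the
   overrun lands inside the struct; the demo input stays under sizeof fr. */
int vulnerable_f(const char *input) {
    struct frame fr;
    memset(&fr, 0, sizeof fr);
    fr.x = 0x11111111;
    unsafe_strcpy((char *)&fr, input);     /* buf1 is the first member */
    return fr.x;
}

/* Hardened f(): the buffer's size travels with it and long input is truncated. */
int hardened_f(const char *input) {
    struct frame fr;
    memset(&fr, 0, sizeof fr);
    fr.x = 0x11111111;
    if (safe_copy(fr.buf1, sizeof fr.buf1, input) >= sizeof fr.buf1)
        fprintf(stderr, "input truncated to %zu bytes\n", sizeof fr.buf1 - 1);
    return fr.x;
}

int main(void) {
    /* Constructed payload: 16 'A's fill buf1, the padding and all four bytes of x. */
    const char *payload = "AAAAAAAAAAAAAAAA";
    printf("vulnerable: x = 0x%08x\n", (unsigned)vulnerable_f(payload));
    printf("hardened:   x = 0x%08x\n", (unsigned)hardened_f(payload));
    return 0;
}
```

With the 16-byte payload x comes back as 0x41414141 from the vulnerable version and untouched from the hardened one; an attacker who can choose those bytes chooses what x (and, further up, the return address) becomes.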

  20. Format String Attack • printf specification: int printf(const char *format [, argument]…); • Same family: snprintf, wsprintf, … • %d: signed decimal integer • %x: unsigned hexadecimal integer • %n: number of characters successfully written so far to the stream/buffer; stored in the integer whose address is given as the argument

  21. Vulnerability • Writing printf(str) instead of printf(“%s”, str), so that attacker-controlled str becomes the format • Possible consequences: • Dump arbitrary memory (information leaking) • Write to arbitrary memory (via %n)
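The “write to arbitrary memory” consequence on slide 21 rests on the %n semantics of slide 20: it stores the count of characters emitted so far through a pointer it takes from the argument list, and a width specifier lets the attacker choose that count. The program below is an added example, not code from the slides: it builds an arbitrary 32-bit value one byte at a time with `%hhn`, which is the same primitive a format-string exploit uses, except that here the target pointer is passed honestly as an argument rather than planted in the buffer for `printf(str)` to pick up. It also includes a small directive counter for screening untrusted strings and the correct logging idiom. The helper names, the `%*u%hhn` format and the sample inputs are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Write one byte through %hhn: "%*u" pads the output to `width` characters, so
   the count %hhn stores is the byte we want.  A zero byte needs 256 characters,
   which %hhn truncates to 0. */
static void write_byte(signed char *where, unsigned byte) {
    char sink[260];                      /* room for the 256-character case */
    int width = byte ? (int)byte : 256;
    snprintf(sink, sizeof sink, "%*u%hhn", width, 0u, where);
}

/* Write an arbitrary 32-bit value into `target` using nothing but printf
   machinery, byte by byte in memory order.  In a real attack the addresses
   of target's four bytes sit in the attacker's buffer on the stack and the
   format string walks the argument list until it reaches them. */
unsigned fmt_write32(unsigned value) {
    unsigned target = 0;
    unsigned char bytes[sizeof value];
    memcpy(bytes, &value, sizeof value);  /* in-memory byte order of the value */
    for (size_t i = 0; i < sizeof value; i++)
        write_byte((signed char *)&target + i, bytes[i]);
    return target;
}

/* Count conversion directives in an untrusted string: "%%" is a literal percent,
   any other '%' starts a directive that printf(str) would act on.  Useful as a
   detection check on log input; the fix itself is to never pass str as the format. */
int format_directives(const char *s) {
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') { s += 2; continue; }
        n++;
        s++;
    }
    return n;
}

/* The correct idiom: the format is a literal and user data is an argument, so
   "%x%x%n" in `user` is printed as text rather than interpreted. */
int safe_log(char *out, size_t outsz, const char *user) {
    return snprintf(out, outsz, "login failed for %s", user);
}

int main(void) {
    char line[64];
    printf("fmt_write32 -> 0x%08x\n", fmt_write32(0xdeadbeefu));
    printf("\"%%08x.%%08x.%%n\" contains %d directives\n",
           format_directives("%08x.%08x.%n"));
    safe_log(line, sizeof line, "%x%x%n");
    printf("%s\n", line);
    return 0;
}
```

The width trick is why a format-string write needs no shellcode in the format itself: each `%hhn` stores a small count, and four of them assemble any value at any address the attacker can point to, typically a GOT entry or a return address.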

  22. Read More • Buffer overflow: • http://www.cs.rpi.edu/~hollingd/comporg.2002/notes/overflow/overflow.ppt • “Buffer Overflows for Dummies”: http://www.sans.org/reading_room/whitepapers/threats/481.php • Format string attacks: • “Format string attacks”: http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf • “Analysis of format string bugs”: http://downloads.securityfocus.com/library/format-bug-analysis.pdf • Lecture notes: • http://crypto.stanford.edu/cs155-spring03/lecture3.ppt
