Introduction to Honeypot, measurement, and vulnerability exploits
Cliff C. Zou
CAP6133, 02/06/06
What Is a Honeypot?
• Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
• Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
Example of a Simple Honeypot
• Install a vulnerable OS and vulnerable software on a machine
• Install monitoring or IDS software
• Connect it to the Internet (with a globally routable IP address)
• Wait and monitor as it is scanned, attacked and compromised
• Finish the analysis, then clean the machine
Benefit of Deploying Honeypots
• Risk mitigation:
  • Lure an attacker away from the real production systems (“easy target”).
• IDS-like functionality:
  • Since no legitimate traffic should take place to or from the honeypot, any traffic that appears is evil and can initiate further actions.
Benefit of Deploying Honeypots
• Attack analysis:
  • Find out the reasons and strategies: why and how you are attacked.
  • Binary and behavior analysis of captured malicious code
• Evidence:
  • Once the attacker is identified, all captured data may be used in a legal procedure.
• Increased knowledge
Honeypot Classification
• High-interaction honeypots
  • A full and working OS is provided for being attacked
  • VMware virtual environment
    • Several VMware virtual hosts in one physical machine
• Low-interaction honeypots
  • Only emulate specific network services
  • No real interaction or OS
  • Honeyd
• Honeynet/honeyfarm
  • A network of honeypots
Low-Interaction Honeypots
• Pros:
  • Easy to install (a simple program)
  • No risk (no vulnerable software to be attacked)
  • One machine supports hundreds of honeypots and covers hundreds of IP addresses
• Cons:
  • No real interaction to be captured
  • Limited logging/monitoring functions
  • Hard to detect unknown attacks; hard to generate filters
  • Easily detectable by attackers
High-Interaction Honeypots
• Pros:
  • Real OS, captures all attack traffic/actions
  • Can discover unknown attacks/vulnerabilities
  • Can capture and analyze code behavior
• Cons:
  • Time-consuming to build/maintain
  • Time-consuming to analyze attacks
  • Risk of being used as a stepping stone
  • High computing resource requirement
Honeynet
• A network of honeypots
• High-interaction honeynet
  • A distributed network composed of many honeypots
• Low-interaction honeynet
  • Emulate a virtual network in one physical machine
  • Example: honeyd
• Mixed honeynet
  • “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week
• Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt
Security Measurement
• Monitor network traffic to understand/track Internet attack activities
• Monitor incoming traffic to unused IP space
  • TCP connection requests
  • UDP packets
(Figure: the monitored traffic is what flows from the Internet into the unused IP space of the local network.)
Reference: “Characteristics of Internet Background Radiation”
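As an added example (not code from the lecture), the IDS-like rule from the honeypot-benefits slide and the unused-IP-space monitoring above, turned into a small classifier. It assumes a constructed log format (proto src dst dport) and that 10.99.0.0/16 is unused space; TCP connection requests and UDP packets to that block count as hits, and hits are tallied per source so the noisiest scanner surfaces first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed log of inbound packets (not real traffic): proto src dst dport */
static const char *LOG[] = {
    "TCP 203.0.113.7 10.99.3.4 445",
    "TCP 203.0.113.7 10.99.3.5 445",
    "UDP 198.51.100.2 10.99.8.1 1434",
    "TCP 192.0.2.9 10.1.5.20 80",     /* production web server: legitimate */
    "TCP 203.0.113.7 10.99.3.6 445",
    "ICMP 198.51.100.2 10.99.8.2 0",  /* neither TCP request nor UDP: skipped */
};
#define NLOG (sizeof LOG / sizeof LOG[0])
/* Assumption for this example: 10.99.0.0/16 is unused space with no production hosts. */
static const uint32_t DARKNET_NET = (10u << 24) | (99u << 16);
static const int DARKNET_BITS = 16;

static int parse_ipv4(const char *s, uint32_t *ip) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255) return 0;
    *ip = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* No legitimate traffic should reach the unused block, so any TCP connection
   request or UDP packet addressed to it is a hit. Copies the source into src. */
int darknet_hit(const char *line, char *src, size_t srclen) {
    char proto[8], s[16], d[16]; uint32_t dst;
    if (sscanf(line, "%7s %15s %15s", proto, s, d) != 3) return 0;
    if (strcmp(proto, "TCP") != 0 && strcmp(proto, "UDP") != 0) return 0;
    /* same /DARKNET_BITS prefix iff the high bits of dst ^ net are all zero */
    if (!parse_ipv4(d, &dst) || ((dst ^ DARKNET_NET) >> (32 - DARKNET_BITS)) != 0) return 0;
    snprintf(src, srclen, "%s", s);
    return 1;
}

/* Count hits per source; returns the total and writes the noisiest source
   (the scanner to investigate first) into top. */
int scan_log(char *top, size_t toplen) {
    char srcs[NLOG][16]; int counts[NLOG], n = 0, total = 0, best = 0;
    for (size_t i = 0; i < NLOG; i++) {
        char src[16]; int j;
        if (!darknet_hit(LOG[i], src, sizeof src)) continue;
        for (j = 0; j < n && strcmp(srcs[j], src) != 0; j++) ;
        if (j == n) { snprintf(srcs[n], 16, "%s", src); counts[n++] = 0; }
        if (++counts[j] > counts[best]) best = j;
        total++;
    }
    snprintf(top, toplen, "%s", n ? srcs[best] : "");
    return total;
}
```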
Remote host fingerprinting
• Actively probe remote hosts to identify their OS, physical devices, etc.
  • Different OSes respond differently to service requests
  • Different hardware responds differently
• Purposes:
  • Understand Internet computers
  • Correct for the DHCP issue (addresses changing hosts over time) in monitored data
• “Remote Physical Device Fingerprinting”
Remote network fingerprinting
• By sending probing traffic, learn the structure and characteristics of remote networks
  • Use TTL values to infer the hop distance
  • Use the returned data to infer firewall policy
• “ConceptDoppler: A Weather Tracker for Internet Censorship”
• Others
Data Sharing: Traffic Anonymization
• Sharing monitored network traffic is important
  • Collaborative attack detection
  • Academic research
• Privacy and security exposure in data sharing
  • Packet header: IP address and service port exposure
  • Packet content: more serious
• Data anonymization
  • Change the packet header: preserve IP prefix, and …
  • Change the packet content
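An added example of the “preserve IP prefix” header anonymization mentioned above (not code from the lecture): a bit-by-bit prefix-preserving mapping in the style of Crypto-PAn. Bit i of the output depends only on the key and the first i input bits, so two addresses sharing a k-bit prefix map to addresses sharing exactly a k-bit prefix. The keyed mixing function prf() is a constructed toy standing in for the block cipher a real deployment would use.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy keyed PRF (a 64-bit mixing function, NOT cryptographic). A real scheme
   such as Crypto-PAn uses a block cipher here; this placeholder is constructed. */
static uint32_t prf(uint64_t key, uint32_t prefix, int len) {
    uint64_t x = key ^ ((uint64_t)prefix << 8) ^ (uint64_t)len;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint32_t)x;
}

/* Output bit i = input bit i XOR a key-dependent bit derived from the first i
   input bits. Equal prefixes give equal flips, so prefix relationships survive. */
uint32_t anonymize_ipv4(uint64_t key, uint32_t ip) {
    uint32_t out = 0;
    for (int i = 0; i < 32; i++) {
        uint32_t prefix = i ? ip >> (32 - i) : 0;   /* the first i bits of ip */
        uint32_t bit = (ip >> (31 - i)) & 1;
        out = (out << 1) | (bit ^ (prf(key, prefix, i) & 1));
    }
    return out;
}

/* Length of the common leading prefix of two addresses, in bits. */
int common_prefix_len(uint32_t a, uint32_t b) {
    for (int i = 0; i < 32; i++)
        if (((a ^ b) >> (31 - i)) & 1) return i;
    return 32;
}

uint32_t ipv4_from_octets(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void) {
    uint64_t key = 0x0123456789abcdefULL;   /* constructed key; keep it secret in practice */
    uint32_t a = ipv4_from_octets(10, 1, 2, 3), b = ipv4_from_octets(10, 1, 9, 9);
    uint32_t x = anonymize_ipv4(key, a), y = anonymize_ipv4(key, b);
    printf("common prefix: %d bits before, %d bits after\n",
           common_prefix_len(a, b), common_prefix_len(x, y));
    return 0;
}
```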
Buffer Overflow Introduction
• Attack steps:
  • Inject the attack code into the buffer or somewhere else in memory
  • Redirect the control flow to the attack code
  • Execute the attack code
Process memory layout (classic 32-bit Linux, low to high addresses):
• 0x00000000
• 0x08048000: code, static data, bss, heap (heap grows upward)
• 0x42000000: shared library
• stack (grows downward)
• 0xC0000000 to 0xFFFFFFFF: kernel space
From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
A Stack Structure
Frame layout (high addresses first):
• Function parameters
• Return address
• Calling frame pointer
• Local variables
SP: stack pointer (points at the low end of the frame)
FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.
Example
Caller:
    a=4;
    f(5);
    b=20;
Callee:
    f(int m){
        int x;
        char buf1[10];
        char buf2[5];
        x=m;
        …
    }
Stack frame of f (high addresses first):
• 5 (the argument m)
• Address of the instruction b=20 (the return address)
• Saved stack pointer
• x
• buf1
• buf2
Overflow
Stack frame after the overflow (high addresses first):
• argument 2
• argument 1
• RA, overwritten with the address of the attack code
• frame pointer
• locals / buffer, now filled with the attack code
(Figure from Dawn Song’s RISE slides, same memory layout as the earlier slide.)
Some unsafe C lib functions
• strcpy (char *dest, const char *src)
• strcat (char *dest, const char *src)
• gets (char *s)
• scanf (const char *format, …)
• printf (const char *format, …)
Format String Attack
• printf specification: int printf(const char *format [, argument]…);
  • Also snprintf, wsprintf, …
• %d: signed decimal integer
• %x: unsigned hexadecimal integer
• %n: number of characters successfully written so far to the stream/buffer. This is stored in the integer whose address is given as the argument.
Vulnerability
• Writing printf(str) instead of printf(“%s”, str)
• Possible vulnerabilities:
  • Dump arbitrary memory (information leaking)
  • Write to arbitrary memory
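An added example (not code from the lecture) showing the hardened forms of the two bugs just described: a bounds-checked replacement for strcpy() into the lecture's buf1[10], and a logging routine that passes user data as an argument to a fixed format string, so a “%x” or “%n” in the input is copied literally rather than interpreted. The names copy_bounded, f_safe and log_user_string are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape from the lecture, kept only as a comment (never call it
   on untrusted input): strcpy() into buf1[10] with no length check.
   void f(const char *m) { char buf1[10]; strcpy(buf1, m); }              */

/* Hardened form: copy into a fixed buffer only if the whole string fits,
   terminating NUL included. Returns 0 on success, -1 if the input is rejected. */
int copy_bounded(char *dst, size_t dstlen, const char *src) {
    const char *nul = memchr(src, '\0', dstlen);   /* NUL within the first dstlen bytes? */
    if (nul == NULL) return -1;                    /* no room: refuse instead of overflowing */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* The lecture's frame: buf1[10] can hold at most 9 characters plus the NUL,
   so a 10-character argument is rejected instead of clobbering x, the saved
   frame pointer and the return address above it. */
int f_safe(const char *m) {
    char buf1[10];
    return copy_bounded(buf1, sizeof buf1, m);
}

/* Format-string bug: printf(user) lets the input supply %x/%n directives.
   The safe form fixes the format string and passes the user data as an
   argument, and bounds the output. Returns the length written, -1 if truncated. */
int log_user_string(char *out, size_t outlen, const char *user) {
    int n = snprintf(out, outlen, "user said: %s", user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```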
Read More
• Buffer Overflow
  • http://www.cs.rpi.edu/~hollingd/comporg.2002/notes/overflow/overflow.ppt
  • “buffer overflow for dummy”: http://www.sans.org/reading_room/whitepapers/threats/481.php
• “Format string attacks”: http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf
• “Analysis of format string bugs”: http://downloads.securityfocus.com/library/format-bug-analysis.pdf
• Lecture notes: http://crypto.stanford.edu/cs155-spring03/lecture3.ppt