1 / 29

manuka project

manuka project. IEEE IA Workshop June 10, 2004. Agenda. Introduction Inspiration to Solution Manuka Use SE Approach Conclusion. Team Members. Seattle University Masters in Computer Science & Software Engineering Amy Shephard Christian Seifert Don Nguyen Jenks Gibbons Jose Chavez.

khanh
Download Presentation

manuka project

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. manuka project IEEE IA WorkshopJune 10, 2004

  2. Agenda • Introduction • Inspiration to Solution • Manuka Use • SE Approach • Conclusion

  3. Team Members • Seattle University Masters in Computer Science & Software Engineering • Amy Shephard • Christian Seifert • Don Nguyen • Jenks Gibbons • Jose Chavez

  4. Sponsors • University of Washington • Customer: Dave Dittrich • Seattle University • Advisor: Barbara Endicott-Popovsky

  5. Inspiration to Solution

  6. Inspiration • Honeynet Project “Forensic Challenge” • January 15, 2001 • Linux Red Hat 6.2 • Six partitions (1.8GB raw / 170MB gzip) • Time to: • Root the box and rootkit (30 minutes) • Analyze intrusion and report (30+ hours) • Downloaded thousands of times • Used in first SANS FIRE (Forensics course) http://www.honeynet.org/challenge/index.html

  7. Application #1 • 2004 NSF CCLI grant • Highline Community College • Seattle University • University of Washington • Computer and Network Forensics Courses • Using real compromised honeypot images for labs

  8. Use in Forensic Course Lab • Student boots lab system w/custom Linux bootable CD • Chooses which compromised system to analyze • Bits loaded to disk, verified • Student performs analysis, answers specific questions (which are compared with analysis in database) • Lather, rinse, repeat…

  9. Application #2 • DistributedHoneynetusing Honeywalls • “Clone” cleanhoneypot images • Archive compromised honeypot images • Automated honeypot forensics (future)

  10. Application #3 (future) • Distributed Incident Response Toolkit • Customizable (unique) ISO images • Centralized control of analysis • Remote drive acquisition • Asynchronous and semi-automatic operation

  11. Proposed Solution • Use standard x86 hardware (Knoppix) • Bit-image copy of clean/compromised systems • Provide integrity checking (MD5 hashes) and secure file transfer (SSH) • Database storage (compressed) • Database search by attribute (e.g., ID#, OS version, CVE #, etc.) • Remotely retrieve/install bootable systems • Customizable ISO (ala Honeywall)“Customizing ISOs and the Honeynet Project’s Honeywall,”http://staff.washington.edu/dittrich/misc/honeywall/

  12. Manuka Components • Server • Linux, MySQL, Java • Automated Manuka database server installation • Client • Customized Knoppix CD-ROM (similar to Honeywall) • Password protected • Secure login to database • Secure data transfer

  13. Manuka Use

  14. Typical Use • Upload clean • Install new honeypot • Configure vulnerability profile (CVE #N) • Reboot w/Manuka CD, ID system, upload • Download clean • Boot w/Manuka CD • Select image and download • Upload compromised • Boot w/Manuka CD • Associate w/original, annotate, upload

  15. Accessing Manuka • Authentication required for all functionality • Multiple access levels supported

  16. Upload Installation • Stores an installation in the Manuka database • Clean Image • Specify system details • Specify installation details • Specify vulnerabilities • Compromised Image • Associate with existing system • Specify installation details

  17. Upload Component MD5 Hash CD33456765673FE23AD4F13 GZip Compressor Encrypted SSH Tunnel System C, CD33456765673FE23AD4F13 Clean or Compromised System Booted with Knoppix CD System Image Metadata Manuka Database System A, BA6512345AFAED2A3D4E11 System B, BA6512345AFAED2A3D4E11 File Server : 9999

  18. Download Installation • Writes an installation to the specified drive • Download Installation • Specify target, system, and installation details • Wait…

  19. Download Component MD5 Hash CD33456765673FE23AD4F13 Request Binary Images Files GZip UnCompressor Encrypted SSH Tunnel System C, CD33456765673FE23AD4F13 System to restore (Booted with Knoppix CD) Binary Files Location Manuka Database System A, BA651EF45AFAED2A3D4E11 System B, BA6512345AFAED2A3D4E11 Image 3, CD33456765673FE23AD4F13 File Server : 9999

  20. System Search • Allows targeted access to system information • Search by system metadata • Retrieves all matching systems

  21. System and Installation Details • Allows access to system data • general information • vulnerabilities • installation details

  22. Stored Data Management • User updates • Operating Systems • Operating System Versions • Automatic updates • Vulnerabilities

  23. Software Engineering Approach

  24. Approach • Extreme Programming • Pair programming • Methodology • Development of user stories • Estimation/prioritization of user stories • Weekly iteration status meetings • Monthly iteration planning meeting • Working code • Metrics collection

  25. Methodology • Development of user stories • Estimation/prioritization of user stories • Weekly iteration status meetings • Monthly iteration planning meeting • Working code • Metrics collection

  26. Project Plan

  27. The Manuka Times • Tasks due • Current risks • User story status • Delayed tasks • Acceptance tests results

  28. Project Website • Customer communication • Release dissemination • Access to • source control • bug tracking • standards • current iteration information

  29. Conclusion • Support tool for setup/imaging of distributed honeypots • Support for Hands-on Forensics Lab Exercises • Base for Future Honeypot Analysis and IRT toolkit • Example of Extreme Programming Concepts in action Questions? http://staff.washington.edu/dittrich/misc/honeywall/

More Related