Web Canary -- client honey pot. UTSA.
Outline: Architecture of Web Canary; Implementation of Web Canary.
Implementation of Web Canary
• Test-bed: Dell Precision 690 workstation with dual-core 3.0 GHz CPU, 8 GB memory
• VM: 256 MB memory, 8 GB disk space
• Host OS: Windows XP x64 SP2
• Guest OS: Windows XP SP2
• VM software: VMware Workstation
• Browser: IE 6.0 SP2
Guest OS
• The guest OS runs in VMware Workstation: isolation from the host, and easy reverting.
• Persistent Storage (PS): a shared folder between the guest OS and the host OS. In the guest OS, only the BHO and the Capture Client can write to this folder.
• Snapshot: a pristine state of the guest, taken with the snapshot tool of VMware Workstation.
Design of Capture Client (1)
• Capture Client: monitors file, process and registry changes in the Windows OS at the kernel level. It supports exclusion lists to filter out the changes that belong to normal operation.
• The Capture Client consists of two components:
• The kernel drivers operate in kernel space and use event-based detection mechanisms to monitor the system's state changes.
• The user-space process receives the state changes from the kernel drivers and filters the events based on the exclusion lists.
Design of Capture Client (2)
• Exclusion lists: since some events occur during normal operation, exclusion lists allow certain types of events to be ignored.
• Kernel drivers: the kernel drivers monitor the system through the existing kernel callback mechanism, which notifies registered drivers when a certain event happens. These callbacks invoke functions inside the kernel driver and pass the actual event information so that it can be monitored.
Design of Capture Client (3)
• Callbacks used: CmRegisterCallback (registry changes), PsSetCreateProcessNotifyRoutine (process creation and deletion), FltRegisterFilter / FilterLoad (a file-system minifilter that filters I/O operations).
• E.g. a driver calls CmRegisterCallback to register a RegistryCallback routine.
• Getting events to user space: the user-space process passes a buffer it allocated into kernel space; the kernel drivers copy event information into that buffer, so the application can process it in user space.
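The user-space half of the Capture Client is the part a practitioner ends up tuning: every event the drivers report is compared against the exclusion list, and only what survives counts as an unauthorized change. The block below is an added example, not the Capture Client's own code; it uses std::regex in place of the Boost::regex library the slides mention, and the event record layout, the rule file format ("type;process-regex;target-regex") and the sample events are constructed for the example.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// One state change reported by the kernel drivers. This record layout is a
// constructed model for the example, not the Capture Client's own format.
struct Event {
    std::string type;     // "file", "process" or "registry"
    std::string process;  // image path of the process that caused the change
    std::string target;   // file written, child image started, or registry key
};

// One exclusion rule: an event of this type whose process and target both
// match the two regexes is normal activity and is dropped.
struct ExclusionRule {
    std::string type;
    std::regex process;
    std::regex target;
};

// Parse the constructed rule format "type;process-regex;target-regex".
// Blank lines and lines starting with '#' are ignored. std::regex stands in
// for Boost::regex here; the matching semantics shown are the same.
std::vector<ExclusionRule> parseExclusionList(const std::string& text) {
    std::vector<ExclusionRule> rules;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        if (line.empty() || line[0] == '#') continue;
        std::istringstream fields(line);
        std::string type, proc, target;
        if (!std::getline(fields, type, ';') || !std::getline(fields, proc, ';') ||
            !std::getline(fields, target, ';'))
            continue;  // malformed rule: skip it rather than match everything
        rules.push_back({type, std::regex(proc, std::regex::icase),
                         std::regex(target, std::regex::icase)});
    }
    return rules;
}

// regex_match (not regex_search) so a rule must describe the whole path:
// a rule for the Prefetch folder must not also whitelist C:\WINDOWS\system32.
bool isExcluded(const Event& e, const std::vector<ExclusionRule>& rules) {
    for (const ExclusionRule& r : rules) {
        if (r.type == e.type && std::regex_match(e.process, r.process) &&
            std::regex_match(e.target, r.target))
            return true;
    }
    return false;
}

// Events that survive the exclusion list are the unauthorized changes that
// trigger reporting and reversion of the VM.
std::vector<Event> filterEvents(const std::vector<Event>& events,
                                const std::vector<ExclusionRule>& rules) {
    std::vector<Event> kept;
    for (const Event& e : events)
        if (!isExcluded(e, rules)) kept.push_back(e);
    return kept;
}

// Constructed exclusion list for an IE 6 / Windows XP guest (sample only).
const char* const kSampleExclusionList = R"(# type;process-regex;target-regex
file;C:\\WINDOWS\\system32\\svchost\.exe;C:\\WINDOWS\\Prefetch\\.*
file;C:\\Program Files\\Internet Explorer\\iexplore\.exe;C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*
registry;C:\\Program Files\\Internet Explorer\\iexplore\.exe;HKCU\\Software\\Microsoft\\Internet Explorer\\.*
)";

// Constructed event stream: three benign browser/OS changes and two that a
// drive-by download would produce (a DLL dropped in system32, cmd.exe spawned).
std::vector<Event> sampleEvents() {
    const std::string ie = "C:\\Program Files\\Internet Explorer\\iexplore.exe";
    return {
        {"file", "C:\\WINDOWS\\system32\\svchost.exe", "C:\\WINDOWS\\Prefetch\\IEXPLORE.EXE-27122324.pf"},
        {"file", ie, "C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.htm"},
        {"registry", ie, "HKCU\\Software\\Microsoft\\Internet Explorer\\Main"},
        {"file", ie, "C:\\WINDOWS\\system32\\drv.dll"},
        {"process", ie, "C:\\WINDOWS\\system32\\cmd.exe"},
    };
}

int main() {
    std::vector<ExclusionRule> rules = parseExclusionList(kSampleExclusionList);
    for (const Event& e : filterEvents(sampleEvents(), rules))
        std::cout << "UNAUTHORIZED " << e.type << " " << e.process << " -> " << e.target << "\n";
    return 0;
}
```

Two of the five sample events survive (the DLL written to system32 and the cmd.exe launch), which is exactly what should reach the Canary Server. Note the trade-off the exclusion list creates: every rule that is too broad (a process regex of `.*`, or a target regex that covers all of C:\WINDOWS) hides the very changes the honeypot exists to see, so rules should whitelist the narrowest process/target pair that explains the normal event.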
BHO
• A Browser Helper Object (BHO) captures all the URLs visited by IE and writes them to a log in PS (Persistent Storage).
• It is implemented as a browser add-on that captures the URL requests made by the browser.
Canary Server (runs on the host OS)
• Shows the health state of the guest OS and can start, stop or revert the VM.
• Sends the detected malicious URLs to a remote central server, with the user's permission.
• Controls the VMware virtual machines through the VMware C API.
• Auto-reversion: the VM is automatically reverted to its pristine snapshot upon detection of unauthorized events.
Analysis Engine (runs on the host OS)
• Reads the log files of the BHO and the Capture Client and correlates system changes to URLs according to the rule.
• Rule: upon receiving system change events and visited URLs, correlate them by time interval, i.e. a change is attributed to the URL(s) visited within a fixed interval before it.
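The correlation rule is simple to state but has an edge case worth seeing in code: when two URLs (a landing page and the redirect it triggers, say) are visited inside the same interval, blaming only the most recent one can pick the wrong page. The following is an added example, not the Web Canary Analysis Engine; the two log formats ("<seconds> <url>" and "<seconds> <change>"), the window length and the sample log lines are constructed for it, and it keeps every URL in the window as a candidate rather than just the latest so that ambiguity is visible instead of silently resolved.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// A URL the BHO logged, and a state change the Capture Client logged.
// Timestamps are whole seconds on one shared clock (constructed; both logs
// are written into the same Persistent Storage folder, so a single clock is
// a fair assumption for the example).
struct UrlVisit { long long t; std::string url; };
struct ChangeEvent { long long t; std::string change; };

// One unauthorized change together with every URL that could have caused it.
struct Correlation {
    ChangeEvent event;
    std::vector<std::string> candidates;  // newest visit first
};

// Both constructed log formats are "<timestamp> <rest of line>".
static bool splitLine(const std::string& line, long long& t, std::string& rest) {
    std::istringstream in(line);
    if (!(in >> t)) return false;
    std::getline(in >> std::ws, rest);
    return !rest.empty();
}

std::vector<UrlVisit> parseUrlLog(const std::string& text) {
    std::vector<UrlVisit> out;
    std::istringstream lines(text);
    std::string line, rest;
    long long t;
    while (std::getline(lines, line))
        if (splitLine(line, t, rest)) out.push_back({t, rest});
    std::sort(out.begin(), out.end(),
              [](const UrlVisit& a, const UrlVisit& b) { return a.t < b.t; });
    return out;
}

std::vector<ChangeEvent> parseChangeLog(const std::string& text) {
    std::vector<ChangeEvent> out;
    std::istringstream lines(text);
    std::string line, rest;
    long long t;
    while (std::getline(lines, line))
        if (splitLine(line, t, rest)) out.push_back({t, rest});
    std::sort(out.begin(), out.end(),
              [](const ChangeEvent& a, const ChangeEvent& b) { return a.t < b.t; });
    return out;
}

// Rule: a change is attributed to every URL visited within windowSec seconds
// before it (never after it). A change with no candidate is left unexplained;
// that usually means background noise the exclusion list should have covered,
// or a page the BHO did not log.
std::vector<Correlation> correlate(const std::vector<UrlVisit>& visits,
                                   const std::vector<ChangeEvent>& events,
                                   long long windowSec) {
    std::vector<Correlation> out;
    for (const ChangeEvent& e : events) {
        Correlation c{e, {}};
        for (auto it = visits.rbegin(); it != visits.rend(); ++it) {  // newest first
            if (it->t > e.t) continue;           // visited after the change
            if (e.t - it->t > windowSec) break;  // everything older is out of window too
            c.candidates.push_back(it->url);
        }
        out.push_back(c);
    }
    return out;
}

// Per URL, how many unauthorized changes it is a candidate for.
std::map<std::string, int> suspectUrls(const std::vector<Correlation>& cs) {
    std::map<std::string, int> counts;
    for (const Correlation& c : cs)
        for (const std::string& url : c.candidates) ++counts[url];
    return counts;
}

// Constructed logs: a redirect chain at t=130/131 followed by two changes,
// one change at t=90 with no preceding visit, and a Run-key write at t=205.
const char* const kUrlLog =
    "100 http://www.example.com/\n"
    "130 http://ads.example.net/landing\n"
    "131 http://cdn.example.net/exploit.html\n"
    "200 http://news.example.org/\n";
const char* const kChangeLog =
    "90 file C:\\WINDOWS\\system32\\old.dll\n"
    "133 file C:\\WINDOWS\\system32\\drv.dll\n"
    "134 process C:\\WINDOWS\\system32\\cmd.exe\n"
    "205 registry HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\drv\n";

int main() {
    std::vector<Correlation> cs = correlate(parseUrlLog(kUrlLog), parseChangeLog(kChangeLog), 10);
    for (const Correlation& c : cs) {
        std::cout << c.event.t << " " << c.event.change << " <- ";
        if (c.candidates.empty()) std::cout << "(no URL in window)";
        if (c.candidates.size() > 1) std::cout << "AMBIGUOUS: ";
        for (const std::string& u : c.candidates) std::cout << u << " ";
        std::cout << "\n";
    }
    return 0;
}
```

With a 10-second window, the changes at t=133 and t=134 get two candidates each (the landing page and the exploit page it redirected to), the Run-key write at t=205 is attributed to a single URL, and the change at t=90 is unexplained. A server that receives only the newest candidate would see "cdn.example.net/exploit.html" and miss the landing page that led users there; shipping the full candidate list, or the whole URL sequence inside the window, keeps that information.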
Conclusion
• Presents a system that can leverage a large, distributed network of users who, simply by using a standard Web browser, silently collaborate to detect and report malicious Web pages.
• The advantages of this method are that it gets meaningful URLs from real users and can easily visit Web pages that require CAPTCHAs or passwords.
Appendix 1
• Windows Driver Kit: Kernel-Mode Driver Architecture
• PsSetCreateProcessNotifyRoutine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.
• CmRegisterCallback registers a RegistryCallback routine.
Appendix 2
• Windows Driver Kit: Installable File System Drivers
• FltRegisterFilter registers a minifilter driver.
• FilterLoad dynamically loads a minifilter driver into the system.
Appendix 3
• Boost::regex library: used to express the filter rules of the exclusion list as regular expressions.
Questions
1. Correlating a URL to a malicious Web page by time interval alone does not always give the right answer.
2. Distributing a browser that runs inside a VM to ordinary users is not very practical.
3. The idea of really distributed users is good, but how is the server that collects the various users' information protected? The server is the most vulnerable unit in the whole system. And if an attacker uses the client to report a lot of benign URLs to the server as malicious, how are they distinguished?