Introduction to Honeypot, measurement, and vulnerability exploits - PowerPoint PPT Presentation

Provided by: csU73
Learn more at: http://www.cs.ucf.edu
Transcript and Presenter's Notes


1
Introduction to Honeypot, measurement, and vulnerability exploits
  • Cliff C. Zou
  • CAP6133
  • 02/06/06

2
What Is a Honeypot?
  • Abstract definition
    • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Lance Spitzner)
  • Concrete definition
    • A honeypot is a fake vulnerable system used for the purpose of being attacked, probed, exploited and compromised.

3
Example of a Simple Honeypot
  • Install a vulnerable OS and software on a machine
  • Install monitor or IDS software
  • Connect to the Internet (with a global IP)
  • Wait and monitor it being scanned, attacked, compromised
  • Finish analysis, clean the machine

4
Benefit of Deploying Honeypots
  • Risk mitigation
    • Lure an attacker away from the real production systems (easy target).
  • IDS-like functionality
    • Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.

5
Benefit of Deploying Honeypots
  • Attack analysis
    • Find out the reasons and strategies: why and how you are attacked.
    • Binary and behavior analysis of captured malicious code
  • Evidence
    • Once the attacker is identified, all data captured may be used in a legal procedure.
  • Increased knowledge

6
Honeypot Classification
  • High-interaction honeypots
    • A full and working OS is provided for being attacked
    • VMware virtual environment: several VMware virtual hosts in one physical machine
  • Low-interaction honeypots
    • Only emulate specific network services
    • No real interaction or OS
    • Honeyd
  • Honeynet/honeyfarm
    • A network of honeypots

7
Low-Interaction Honeypots
  • Pros
    • Easy to install (simple program)
    • No risk (no vulnerable software to be attacked)
    • One machine supports hundreds of honeypots, covering hundreds of IP addresses
  • Cons
    • No real interaction to be captured
    • Limited logging/monitoring functions
    • Hard to detect unknown attacks, hence hard to generate filters
    • Easily detectable by attackers
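
The following is an added example, not part of the slides or of Honeyd: the core of a low-interaction honeypot service as described on slides 6 and 7. It emulates just enough of an SMTP conversation to keep a scanner talking while logging every command line, and it deliberately has almost no state, which is both the appeal (no real mail server to compromise) and the weakness (a short probe can tell it apart from a real server). The socket handling is omitted so the logic runs offline; the host name, version string and the probe transcript in main() are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_LOG  32     /* command lines kept per session */
#define LINE_LEN 128

/* One emulated session. The only state is "greeted yet?": a real
 * mail server carries far more, which is the fidelity gap that lets
 * attackers recognise low-interaction honeypots. */
struct fake_smtp {
    int greeted;
    int n_log;
    char log[MAX_LOG][LINE_LEN];   /* every command line, verbatim */
};

static void fake_smtp_init(struct fake_smtp *s) {
    memset(s, 0, sizeof *s);
}

/* Banner a real honeypot would write to the socket right after accept().
 * Host name and version string are constructed for this example. */
static const char *fake_smtp_banner(void) {
    return "220 mail.example.test ESMTP ready\r\n";
}

static void fake_smtp_log(struct fake_smtp *s, const char *line) {
    if (s->n_log < MAX_LOG)
        snprintf(s->log[s->n_log++], LINE_LEN, "%s", line);
}

/* Handle one command line and return the canned reply. The line is
 * logged before anything else: a honeypot receives no legitimate
 * traffic, so the entire transcript is evidence. */
static const char *fake_smtp_handle(struct fake_smtp *s, const char *line) {
    char verb[8] = {0};
    size_t i;

    fake_smtp_log(s, line);
    /* extract the command verb, upper-cased, without touching the input */
    for (i = 0; i + 1 < sizeof verb && isalpha((unsigned char)line[i]); i++)
        verb[i] = (char)toupper((unsigned char)line[i]);

    if (strcmp(verb, "HELO") == 0 || strcmp(verb, "EHLO") == 0) {
        s->greeted = 1;
        return "250 mail.example.test Hello\r\n";
    }
    if (strcmp(verb, "QUIT") == 0)
        return "221 Bye\r\n";
    if (!s->greeted)
        return "503 Error: send HELO/EHLO first\r\n";
    if (strcmp(verb, "MAIL") == 0 || strcmp(verb, "RCPT") == 0)
        return "250 OK\r\n";
    if (strcmp(verb, "DATA") == 0)
        return "354 End data with <CR><LF>.<CR><LF>\r\n";
    /* Everything else (VRFY, EXPN, AUTH, ...) has no engine behind it. */
    return "500 Command unrecognized\r\n";
}

/* Numeric SMTP reply code of a reply string, handy for logging and tests. */
static int reply_code(const char *reply) {
    return atoi(reply);
}

int main(void) {
    /* Constructed transcript standing in for bytes read from a socket. */
    static const char *probe[] = { "MAIL FROM:<a@example.test>", "EHLO scanner",
                                   "VRFY root", "QUIT" };
    struct fake_smtp s;
    size_t i;

    fake_smtp_init(&s);
    printf("S: %s", fake_smtp_banner());
    for (i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("C: %s\nS: %s", probe[i], fake_smtp_handle(&s, probe[i]));
    printf("%d command lines captured\n", s.n_log);
    return 0;
}
```

Wiring fake_smtp_banner() and fake_smtp_handle() to an accepted socket on port 25 of an otherwise unused address turns this into a working emulated service; the captured log is what the analysis on slide 5 would start from.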

8
High-Interaction Honeypots
  • Pros
    • Real OS, captures all attack traffic/actions
    • Can discover unknown attacks/vulnerabilities
    • Can capture and analyze code behavior
  • Cons
    • Time-consuming to build/maintain
    • Time-consuming to analyze attacks
    • Risk of being used as a stepping stone
    • High computer resource requirements

9
Honeynet
  • A network of honeypots
  • High-interaction honeynet
    • A distributed network composed of many honeypots
  • Low-interaction honeynet
    • Emulate a virtual network in one physical machine
    • Example: honeyd
  • Mixed honeynet
    • "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
  • Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

10
Security Measurement
  • Monitor network traffic to understand/track Internet attack activities
  • Monitor incoming traffic to unused IP space
    • TCP connection requests
    • UDP packets
[Figure: traffic from the Internet arriving at the unused IP space of a local network]
See: "Characteristics of Internet Background Radiation".
11
Remote host fingerprinting
  • Actively probe remote hosts to identify the remote host's OS, physical device, etc.
    • OSes' service responses are different
    • Hardware responses are different
  • Purposes
    • Understand Internet computers
    • Remove the DHCP issue in monitored data
  • Reference: "Remote Physical Device Fingerprinting"

12
Remote network fingerprinting
  • By sending probing traffic, learn the structure and characteristics of remote networks
    • Based on TTL, learn the hop length
    • Based on returned data, infer the firewall policy
  • "ConceptDoppler: A Weather Tracker for Internet Censorship"
  • Others
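
An added example, not from the slides, tying together slide 4 (any traffic to a honeypot is suspect), slide 10 (monitoring unused IP space) and the TTL observation on slide 12. It parses constructed flow-log lines, counts every line whose destination falls inside an unused prefix, and estimates each sender's hop distance from the observed IP TTL using the common initial values 64, 128 and 255. The log format, the use of 192.0.2.0/24 as the "unused" block and the sample lines are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct flow {
    uint32_t src, dst;   /* host byte order */
    int proto;           /* 6 = TCP, 17 = UDP */
    int dport;
    int ttl;             /* IP TTL as observed at the monitor */
};

/* Parse dotted-quad text into a host-order value; returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* True when addr lies inside net/prefixlen. */
static int in_prefix(uint32_t addr, uint32_t net, int prefixlen) {
    uint32_t mask = prefixlen <= 0 ? 0 : 0xFFFFFFFFu << (32 - prefixlen);
    return (addr & mask) == (net & mask);
}

/* Most IP stacks start the TTL at 64, 128 or 255. The smallest of those
 * at or above the observed TTL is the likely initial value, and the
 * difference is the number of routers crossed. It is a heuristic only:
 * a sender can set any initial TTL it likes. */
static int guess_initial_ttl(int ttl) {
    if (ttl <= 64) return 64;
    if (ttl <= 128) return 128;
    return 255;
}

static int hop_distance(int ttl) {
    return guess_initial_ttl(ttl) - ttl;
}

/* Parse one constructed log line: "<src> <dst> <tcp|udp> <dport> ttl=<n>". */
static int parse_flow(const char *line, struct flow *f) {
    char src[16], dst[16], proto[8];
    if (sscanf(line, "%15s %15s %7s %d ttl=%d",
               src, dst, proto, &f->dport, &f->ttl) != 5)
        return 0;
    if (!parse_ipv4(src, &f->src) || !parse_ipv4(dst, &f->dst)) return 0;
    if (strcmp(proto, "tcp") == 0) f->proto = 6;
    else if (strcmp(proto, "udp") == 0) f->proto = 17;
    else return 0;
    return 1;
}

struct darknet_stats {
    int total;      /* well-formed lines */
    int hits;       /* lines whose destination is in the unused block */
    int tcp_hits, udp_hits;
    int max_hops;   /* farthest estimated sender among the hits */
};

/* Run the monitor over a newline-separated log buffer. Anything aimed at
 * the unused block is counted as a hit: nothing legitimate lives there. */
static struct darknet_stats monitor_darknet(const char *log, uint32_t net, int prefixlen) {
    struct darknet_stats st = {0, 0, 0, 0, 0};
    char line[128];
    const char *p = log;

    while (*p) {
        size_t n = strcspn(p, "\n");
        struct flow f;
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += strcspn(p, "\n");
        if (*p == '\n') p++;
        if (!parse_flow(line, &f)) continue;   /* skip malformed lines */
        st.total++;
        if (in_prefix(f.dst, net, prefixlen)) {
            int hops = hop_distance(f.ttl);
            st.hits++;
            if (f.proto == 6) st.tcp_hits++; else st.udp_hits++;
            if (hops > st.max_hops) st.max_hops = hops;
        }
    }
    return st;
}

/* Constructed sample log; 192.0.2.0/24 (documentation space) plays the
 * unused block and 10.0.0.5 is a real, in-use host. */
static const char SAMPLE_LOG[] =
    "198.51.100.7 192.0.2.15 tcp 445 ttl=113\n"
    "198.51.100.7 192.0.2.200 tcp 135 ttl=113\n"
    "203.0.113.9 192.0.2.33 udp 1434 ttl=48\n"
    "203.0.113.9 10.0.0.5 tcp 80 ttl=48\n"
    "garbage line\n";

int main(void) {
    uint32_t net;
    struct darknet_stats st;
    parse_ipv4("192.0.2.0", &net);
    st = monitor_darknet(SAMPLE_LOG, net, 24);
    printf("%d flows, %d to unused space (%d tcp, %d udp), farthest sender %d hops\n",
           st.total, st.hits, st.tcp_hits, st.udp_hits, st.max_hops);
    return 0;
}
```

On the sample, the two TCP lines from 198.51.100.7 (TTL 113, so about 15 hops from a 128-initial-TTL stack) and the UDP line to port 1434 are hits; the connection to 10.0.0.5 is ordinary traffic and is only counted in the total.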

13
Data Sharing: Traffic Anonymization
  • Sharing monitored network traffic is important
    • Collaborative attack detection
    • Academic research
  • Privacy and security exposure in data sharing
    • Packet header: IP address and service port exposure
    • Packet content: more serious
  • Data anonymization
    • Change packet header (preserve IP prefix), and
    • Change packet content
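
An added example, not from the slides, of the "change packet header, preserve IP prefix" idea: a toy prefix-preserving IPv4 anonymizer in the style of Crypto-PAn. Output bit i is input bit i XORed with a keyed pseudorandom function of the first i input bits, so two addresses that share a k-bit prefix still share exactly a k-bit prefix after anonymization, which keeps subnet structure usable for research while hiding the real hosts. The PRF here is a keyed FNV-1a hash chosen only so the code is self-contained; a real tool would use a block cipher such as AES. DEMO_KEY and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Demo key; in practice the key is secret and held only by the data owner. */
static const uint64_t DEMO_KEY = 0x0123456789abcdefULL;

/* Keyed 64-bit FNV-1a over (key, prefix bits, prefix length); the low
 * bit is used as one pseudorandom bit. Stands in for the block cipher
 * a real prefix-preserving anonymizer would use. */
static unsigned prf_bit(uint64_t key, uint32_t prefix, int len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    unsigned char bytes[13];
    int i;
    for (i = 0; i < 8; i++) bytes[i] = (unsigned char)(key >> (8 * i));
    for (i = 0; i < 4; i++) bytes[8 + i] = (unsigned char)(prefix >> (8 * i));
    bytes[12] = (unsigned char)len;
    for (i = 0; i < 13; i++) { h ^= bytes[i]; h *= 0x100000001b3ULL; }
    return (unsigned)(h & 1);
}

/* Prefix-preserving map of one host-order IPv4 address. Output bit i is
 * input bit i XOR prf(first i input bits), so the mapping of a prefix
 * never depends on the bits after it. */
static uint32_t anonymize_ipv4(uint32_t addr, uint64_t key) {
    uint32_t out = 0;
    int i;
    for (i = 0; i < 32; i++) {
        uint32_t prefix = i == 0 ? 0 : addr >> (32 - i);  /* the i bits already seen */
        uint32_t bit = (addr >> (31 - i)) & 1;
        out = (out << 1) | (bit ^ prf_bit(key, prefix, i));
    }
    return out;
}

/* Length in bits (0..32) of the common prefix of two addresses. */
static int common_prefix_len(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (n < 32 && !((x >> (31 - n)) & 1)) n++;
    return n;
}

static uint32_t ip(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
}

static void print_ip(uint32_t v) {
    printf("%u.%u.%u.%u", v >> 24, (v >> 16) & 255, (v >> 8) & 255, v & 255);
}

int main(void) {
    /* Constructed sample: two hosts in one /24 and one elsewhere. */
    uint32_t hosts[3] = { ip(10, 1, 2, 3), ip(10, 1, 2, 77), ip(192, 168, 0, 1) };
    int i;
    for (i = 0; i < 3; i++) {
        print_ip(hosts[i]);
        printf(" -> ");
        print_ip(anonymize_ipv4(hosts[i], DEMO_KEY));
        printf("\n");
    }
    printf("shared prefix bits before/after: %d/%d\n",
           common_prefix_len(hosts[0], hosts[1]),
           common_prefix_len(anonymize_ipv4(hosts[0], DEMO_KEY),
                             anonymize_ipv4(hosts[1], DEMO_KEY)));
    return 0;
}
```

The property is structural rather than a matter of luck: for two inputs that agree on the first k bits, the first k output bits are computed from identical inputs, and at the first differing bit both get the same PRF value XORed onto different bits, so they still differ there. That is also the limitation to keep in mind when sharing data: an analyst who learns the true address of one host learns the anonymized prefix of its whole subnet.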

14
Buffer Overflow Introduction
  • Attack steps
    • Inject attack code into the buffer or somewhere else
    • Redirect the control flow to the attack code
    • Execute the attack code

15
[Figure: process memory layout, from high to low addresses: kernel space, stack, shared library, heap, bss, static data, code]
From Dawn Song's RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
16
A Stack Structure
  • Function parameters
  • Return Address
  • Calling Frame Pointer
  • Local Variables
[Figure: the stack drawn from high addresses down to address 00000000, with SP (stack pointer) and FP (frame pointer) marked]
FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.
17
Example
a4 f(5) b20
  • 5
  • Address of instruction (b20)
  • saved stack pointer
  • x
  • buf1
  • buf2

  f(int m) {
      int x;
      char buf1[10];
      char buf2[5];
      x = m;
  }
18
Overflow
[Figure: the same process memory layout (kernel space, stack, shared library, heap, bss, static data, code), annotated for the overflow of a stack buffer]
From Dawn Song's RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
19
Some unsafe C lib functions
  • strcpy(char *dest, const char *src)
  • strcat(char *dest, const char *src)
  • gets(char *s)
  • scanf(const char *format, ...)
  • printf(const char *format, ...)
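
An added example, not from the slides: bounded replacements for the first three functions in the list above, written the way a defender would retrofit them. Each takes the destination size, never writes past it, always terminates the string, and reports truncation so the caller can reject over-long input instead of silently overrunning the frame from slide 17. The function names and f_safe() are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded strcpy: copies at most size-1 bytes and always NUL-terminates.
 * Returns 1 when src fit, 0 when it was truncated (or size is 0). */
static int safe_strcpy(char *dest, size_t size, const char *src) {
    size_t n = strlen(src);
    if (size == 0) return 0;
    if (n >= size) {
        memcpy(dest, src, size - 1);
        dest[size - 1] = '\0';
        return 0;
    }
    memcpy(dest, src, n + 1);
    return 1;
}

/* Bounded strcat with the same contract; dest must already be
 * terminated somewhere within size bytes. */
static int safe_strcat(char *dest, size_t size, const char *src) {
    size_t used = 0;
    while (used < size && dest[used] != '\0') used++;
    if (used >= size) return 0;
    return safe_strcpy(dest + used, size - used, src);
}

/* gets() replacement: reads one line with fgets(), drops the newline and
 * discards the remainder of a line that did not fit. Returns -1 at EOF,
 * 0 if the line was truncated, 1 if it was read whole. */
static int safe_gets(char *buf, size_t size, FILE *in) {
    size_t n;
    int ch;
    if (size < 2 || !fgets(buf, (int)size, in)) return -1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    if (n < size - 1) return 1;              /* last line, no trailing newline */
    ch = fgetc(in);
    if (ch == '\n' || ch == EOF) return 1;   /* line filled the buffer exactly */
    while ((ch = fgetc(in)) != EOF && ch != '\n') ;
    return 0;
}

/* Slide 17's frame, with the copy bounded by sizeof buf1 instead of
 * trusting the caller. Returns whether the argument fit. */
static int f_safe(const char *m) {
    char buf1[10];
    return safe_strcpy(buf1, sizeof buf1, m);
}

int main(void) {
    char line[16];
    int rc;
    printf("f_safe(\"short\") = %d, f_safe(\"definitely too long\") = %d\n",
           f_safe("short"), f_safe("definitely too long"));
    /* echo stdin line by line, flagging lines that had to be cut */
    while ((rc = safe_gets(line, sizeof line, stdin)) != -1)
        printf("%s line: %s\n", rc ? "whole" : "truncated", line);
    return 0;
}
```

The return value matters as much as the bound: a copy that truncates silently still changes program behaviour (a path or a command loses its tail), so callers should treat 0 as an error rather than carry on with the shortened string.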

20
Format String Attack
  • printf specification
    • snprintf, wsprintf
    • %d - signed decimal integer
    • %x - unsigned hexadecimal integer
    • %n - number of characters successfully written so far to the stream/buffer. This is stored in the integer whose address is given as the argument.

  int printf(const char *format, ...)
21
Vulnerability
  • Writing printf(str) instead of printf("%s", str)
  • Possible vulnerabilities
    • Dump arbitrary memory (information leaking)
    • Write to arbitrary memory
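
An added example, not from the slides: the bug above beside its fix, plus a small check a logging layer can apply. The vulnerable form is shown only as a comment so nothing here interprets untrusted data as a format. log_safe() passes the string as the argument of a fixed "%s" format; count_conversions() and has_n_directive() walk a string the way printf would and report how many argument-consuming directives it contains and whether any of them is %n (the one that writes memory, per slide 20). All function names and the sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from slide 21, kept as text so it is never compiled
 * or run here: the caller's string becomes the format.
 *
 *     static int log_unsafe(char *out, size_t size, const char *str) {
 *         return snprintf(out, size, str);   // str controls %x, %n ...
 *     }
 */

/* Fixed form: str is an argument to a fixed "%s" format, so its
 * contents are copied, never interpreted. Returns snprintf's length. */
static int log_safe(char *out, size_t size, const char *str) {
    return snprintf(out, size, "%s", str);
}

/* p points just after a '%'. Skip flags, width, precision and length
 * modifiers and return the conversion character (0 if the directive is
 * cut off). *endp receives the position after the directive. */
static char conversion_at(const char *p, const char **endp) {
    while (*p && strchr("-+ #0", *p)) p++;                       /* flags */
    while (*p == '*' || (*p >= '0' && *p <= '9')) p++;           /* width */
    if (*p == '.') {                                              /* precision */
        p++;
        while (*p == '*' || (*p >= '0' && *p <= '9')) p++;
    }
    while (*p && strchr("hlLqjzt", *p)) p++;                     /* length */
    *endp = *p ? p + 1 : p;
    return *p;
}

/* Advance *sp to the next directive and return its conversion character.
 * "%%" is a literal percent and is skipped. Returns 0 when none remain,
 * and '%' for a dangling '%' at the end of the string. */
static char next_directive(const char **sp) {
    const char *s = *sp;
    const char *end;
    char conv;
    while (*s) {
        if (*s != '%') { s++; continue; }
        if (s[1] == '%') { s += 2; continue; }
        conv = conversion_at(s + 1, &end);
        *sp = end;
        return conv ? conv : '%';
    }
    *sp = s;
    return 0;
}

/* Number of argument-consuming directives in s; -1 if s ends in a lone '%'. */
static int count_conversions(const char *s) {
    int n = 0;
    char c;
    while ((c = next_directive(&s)) != 0) {
        if (c == '%') return -1;
        n++;
    }
    return n;
}

/* Does s contain %n in any form (e.g. %hn)? Any string that could ever
 * reach a format parameter should be refused when this returns 1. */
static int has_n_directive(const char *s) {
    char c;
    while ((c = next_directive(&s)) != 0)
        if (c == 'n') return 1;
    return 0;
}

int main(void) {
    /* Constructed untrusted input, e.g. a user name taken from a request. */
    const char *untrusted = "guest %x %x %n";
    char out[64];
    log_safe(out, sizeof out, untrusted);
    printf("logged verbatim: %s\n", out);
    printf("%d directives, %%n present: %d\n",
           count_conversions(untrusted), has_n_directive(untrusted));
    return 0;
}
```

Compilers flag the vulnerable form too: with -Wformat-security, gcc and clang warn about any printf-family call whose format is not a string literal and has no arguments, which is the cheapest audit for this bug class.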

22
Read More
  • Buffer Overflow
    • http://www.cs.rpi.edu/hollingd/comporg.2002/notes/overflow/overflow.ppt
  • Buffer overflow for dummies
    • http://www.sans.org/reading_room/whitepapers/threats/481.php
  • Format string attacks
    • http://muse.linuxmafia.org/lostfound/format-string-attacks.pdf
  • "Analysis of format string bugs"
    • http://downloads.securityfocus.com/library/format-bug-analysis.pdf
  • Lecture notes
    • http://crypto.stanford.edu/cs155-spring03/lecture3.ppt