Title: Introduction to Honeypot, measurement, and vulnerability exploits
1. Introduction to Honeypot, measurement, and vulnerability exploits
- Cliff C. Zou
- CAP6133
- 02/06/06
2. What Is a Honeypot?
- Abstract definition
  - A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Lance Spitzner)
- Concrete definition
  - A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.
3. Example of a Simple Honeypot
- Install a vulnerable OS and software on a machine
- Install monitoring or IDS software
- Connect it to the Internet (with a global IP)
- Wait and monitor while it is scanned, attacked and compromised
- Finish the analysis, then clean the machine
4. Benefit of Deploying Honeypots
- Risk mitigation
  - Lure an attacker away from the real production systems (easy target)
- IDS-like functionality
  - Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions
5. Benefit of Deploying Honeypots
- Attack analysis
  - Find out the reasons and strategies: why and how you are attacked
  - Binary and behavior analysis of captured malicious code
- Evidence
  - Once the attacker is identified, all data captured may be used in a legal procedure
- Increased knowledge
6. Honeypot Classification
- High-interaction honeypots
  - A full and working OS is provided for being attacked
  - VMware virtual environment
  - Several VMware virtual hosts in one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction or OS
  - Honeyd
- Honeynet/honeyfarm
  - A network of honeypots
7. Low-Interaction Honeypots
- Pros
  - Easy to install (simple program)
  - No risk (no vulnerable software to be attacked)
  - One machine supports hundreds of honeypots, covering hundreds of IP addresses
- Cons
  - No real interaction to be captured
  - Limited logging/monitoring function
  - Hard to detect unknown attacks; hard to generate filters
  - Easily detectable by attackers
8. High-Interaction Honeypots
- Pros
  - Real OS, captures all attack traffic/actions
  - Can discover unknown attacks/vulnerabilities
  - Can capture and analyze code behavior
- Cons
  - Time-consuming to build/maintain
  - Time-consuming to analyze attacks
  - Risk of being used as a stepping stone
  - High computing resource requirement
9. Honeynet
- A network of honeypots
- High-interaction honeynet
  - A distributed network composed of many honeypots
- Low-interaction honeynet
  - Emulates a virtual network in one physical machine
  - Example: honeyd
- Mixed honeynet
  - "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
- Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt
10. Security Measurement
- Monitor network traffic to understand/track Internet attack activities
- Monitor incoming traffic to unused IP space
  - TCP connection requests
  - UDP packets
- [Figure: Internet traffic arriving at the unused IP space of a local network]
- Reference: "Characteristics of Internet background radiation"
11. Remote host fingerprinting
- Actively probe remote hosts to identify the remote host's OS, physical device, etc.
  - OS service responses are different
  - Hardware responses are different
- Purposes
  - Understand Internet computers
  - Remove the DHCP issue in monitored data
  - "Remote Physical Device Fingerprinting"
12. Remote network fingerprinting
- By sending probing traffic, learn the structure and characteristics of remote networks
  - Based on TTL, learn the hop length
  - Based on returned data, infer the firewall policy
  - "ConceptDoppler: A Weather Tracker for Internet Censorship"
  - Others
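The two measurement ideas on slides 10 to 12 (traffic to unused IP space is unsolicited by definition, and the TTL of a received packet tells roughly how far away the sender is) can be combined in a small darknet monitor. The following C program is an added example written for these notes, not code from the lecture: it parses constructed flow records, flags every flow addressed to the unused block, and estimates the sender's hop distance from the TTL by assuming the usual initial TTL values of 32, 64, 128 and 255. The unused block 192.0.2.0/24 and the record format "src dst proto dport ttl" are assumptions of the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed flow records in the form "src dst proto dport ttl", as a darknet
   monitor might log them. 192.0.2.0/24 stands in for the unused IP space
   (an assumption of this example; it is a documentation range, not a real block). */
static const char *const SAMPLE_FLOWS[] = {
    "203.0.113.7 192.0.2.10 tcp 445 116",
    "198.51.100.9 192.0.2.200 udp 1434 52",
    "203.0.113.7 192.0.2.33 tcp 80 240",
    "10.1.1.5 10.1.2.9 tcp 22 64",       /* ordinary traffic inside the local network */
    NULL
};

static const uint32_t UNUSED_NET = 0xC0000200u;   /* 192.0.2.0 */
static const int UNUSED_PLEN = 24;

typedef struct {
    uint32_t src, dst;
    char proto[8];
    int dport;
    int ttl;
} flow_t;

/* Parse a dotted quad into a host-order integer; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* True when addr lies inside net/plen. */
int in_prefix(uint32_t addr, uint32_t net, int plen) {
    uint32_t mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
    return (addr & mask) == (net & mask);
}

int parse_flow(const char *line, flow_t *f) {
    char src[32], dst[32];
    if (sscanf(line, "%31s %31s %7s %d %d", src, dst, f->proto, &f->dport, &f->ttl) != 5)
        return 0;
    return parse_ipv4(src, &f->src) && parse_ipv4(dst, &f->dst);
}

/* Hop-distance estimate from the observed TTL (slide 12): most IP stacks start
   at 32, 64, 128 or 255, so the sender is (next initial value - observed) hops away. */
int hops_from_ttl(int ttl) {
    static const int initial[] = {32, 64, 128, 255};
    for (int i = 0; i < 4; i++)
        if (ttl <= initial[i]) return initial[i] - ttl;
    return -1;   /* not a valid TTL */
}

/* Every flow whose destination lies in the unused block is background
   radiation: nothing legitimate should be sent there. Returns the count and,
   optionally, the largest hop distance seen among the senders. */
int count_radiation(const char *const *lines, int *max_hops) {
    int n = 0, far = 0;
    for (; *lines; lines++) {
        flow_t f;
        if (!parse_flow(*lines, &f)) continue;
        if (!in_prefix(f.dst, UNUSED_NET, UNUSED_PLEN)) continue;
        n++;
        int h = hops_from_ttl(f.ttl);
        if (h > far) far = h;
        printf("radiation: %s/%d from a sender about %d hops away\n", f.proto, f.dport, h);
    }
    if (max_hops) *max_hops = far;
    return n;
}

int main(void) {
    int far;
    int n = count_radiation(SAMPLE_FLOWS, &far);
    printf("%d unsolicited flows, farthest sender about %d hops away\n", n, far);
    return 0;
}
```

On the constructed records the monitor reports three unsolicited flows (ports 445, 1434 and 80) and leaves the internal SSH flow alone; the TTL estimate is only a heuristic, since a sender with a non-standard initial TTL is misplaced.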
13. Data Sharing: Traffic Anonymization
- Sharing monitored network traffic is important
  - Collaborative attack detection
  - Academic research
- Privacy and security exposure in data sharing
  - Packet header: IP address and service port exposure
  - Packet content: more serious
- Data anonymization
  - Change the packet header, preserving the IP prefix
  - Change the packet content
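"Change the packet header, preserving the IP prefix" means that two real addresses sharing a k-bit prefix must map to anonymized addresses sharing exactly a k-bit prefix, so subnet structure survives while the real addresses do not. The C program below is an added example for these notes, not code from the lecture or from any anonymization tool: it builds that mapping bit by bit, flipping each address bit by a keyed function of the original prefix before it. The mixing function prf() is a toy stand-in for the keyed PRF a real scheme such as Crypto-PAn derives from a block cipher (an assumption of the example, and not cryptographically strong), and the key is a placeholder.

```c
#include <stdio.h>
#include <stdint.h>

/* Toy keyed bit-mixing function standing in for the keyed PRF a real
   prefix-preserving scheme builds from a block cipher. NOT cryptographically
   strong; it only illustrates the construction. */
static uint32_t prf(uint64_t key, uint32_t prefix, int len) {
    uint64_t x = key ^ ((uint64_t)prefix << 8) ^ (uint64_t)len;   /* len keeps prefix 0b0 distinct from 0b00 */
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint32_t)x;
}

/* Output bit i = input bit i XOR a keyed function of the i-bit original prefix.
   Addresses sharing a k-bit prefix therefore share exactly a k-bit anonymized prefix. */
uint32_t anonymize(uint32_t addr, uint64_t key) {
    uint32_t out = 0, prefix = 0;
    for (int i = 0; i < 32; i++) {
        int bit = (addr >> (31 - i)) & 1;
        int flip = prf(key, prefix, i) & 1;
        out = (out << 1) | (uint32_t)(bit ^ flip);
        prefix = (prefix << 1) | (uint32_t)bit;
    }
    return out;
}

/* The key holder can invert the mapping bit by bit, because each flip depends
   only on original bits that have already been recovered. */
uint32_t deanonymize(uint32_t anon, uint64_t key) {
    uint32_t prefix = 0;
    for (int i = 0; i < 32; i++) {
        int flip = prf(key, prefix, i) & 1;
        int bit = ((anon >> (31 - i)) & 1) ^ flip;
        prefix = (prefix << 1) | (uint32_t)bit;
    }
    return prefix;
}

/* Number of leading bits two addresses have in common (32 when equal). */
int common_prefix_len(uint32_t a, uint32_t b) {
    uint32_t diff = a ^ b;
    int n = 0;
    while (n < 32 && !(diff & (0x80000000u >> n))) n++;
    return n;
}

static void print_ip(uint32_t a) {
    printf("%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

int main(void) {
    /* Constructed sample: two hosts on one /24 and one host elsewhere. */
    const uint32_t hosts[] = {0xC0000201u, 0xC0000202u, 0x0A000001u};  /* 192.0.2.1, 192.0.2.2, 10.0.0.1 */
    const uint64_t key = 0x0123456789abcdefULL;   /* placeholder key; a real key stays secret */
    for (int i = 0; i < 3; i++) {
        print_ip(hosts[i]); printf(" -> "); print_ip(anonymize(hosts[i], key)); printf("\n");
    }
    printf("shared prefix of 192.0.2.1 and 192.0.2.2: %d bits before, %d bits after\n",
           common_prefix_len(hosts[0], hosts[1]),
           common_prefix_len(anonymize(hosts[0], key), anonymize(hosts[1], key)));
    return 0;
}
```

The property worth checking on any anonymizer of this kind is the one the test exercises: the shared-prefix length is unchanged by the mapping, and only the key holder can reverse it. Packet content, the more serious exposure named on the slide, is not addressed here; it is normally truncated or removed rather than transformed.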
14. Buffer Overflow Introduction
- Attack steps
  - Inject attack code onto the buffer or somewhere else
  - Redirect the control flow to the attack code
  - Execute the attack code
15. [Figure: process memory layout, from high to low address: kernel space, stack, shared library, heap, bss, static data, code]
- From Dawn Song's RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
16. A Stack Structure
- SP: stack pointer
- Frame contents (figure):
  - Function parameters
  - Return address
  - Calling frame pointer
  - Local variables
- FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.
17. Example
- Caller: a = 4; f(5); b = 20;
- Callee:
    void f(int m) {
        int x;
        char buf1[10];
        char buf2[5];
        x = m;
    }
- Stack frame of f (figure, top first):
  - 5 (the parameter m)
  - Address of the instruction after the call (b = 20)
  - Saved stack pointer
  - x
  - buf1
  - buf2
18. Overflow
- [Figure: the same memory layout (kernel space, stack, shared library, heap, bss, static data, code), showing the overflow]
- From Dawn Song's RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
19. Some unsafe C lib functions
- strcpy(char *dest, const char *src)
- strcat(char *dest, const char *src)
- gets(char *s)
- scanf(const char *format, ...)
- printf(const char *format, ...)
20. Format String Attack
- printf specification (also snprintf, wsprintf)
  - %d: signed decimal integer
  - %x: unsigned hexadecimal integer
  - %n: number of characters successfully written so far to the stream/buffer. This is stored in the integer whose address is given as the argument.
- int printf(const char *format, ...)
21. Vulnerability
- Writing printf(str) where printf("%s", str) was intended
- Possible vulnerabilities
  - Dump arbitrary memory (information leaking)
  - Write to arbitrary memory
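The unsafe functions of slide 19 and the printf(str) mistake of slide 21 share one fix: the destination size and the format string must be controlled by the program, never by the input. The C code below is an added example for these notes, not code from the lecture: bounded replacements for strcpy/strcat that always terminate and report truncation, an fgets-based replacement for gets, a logging routine that keeps the format string constant, and a small scanner that counts conversion directives in untrusted text, which is how a log line reaching printf(str) would be recognised as an attack attempt. Function names and the "user said:" log prefix are choices of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded replacement for strcpy(): always NUL-terminates, returns 1 if src was truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return 1;
    size_t n = strlen(src);
    size_t copy = n < dstsize - 1 ? n : dstsize - 1;
    memcpy(dst, src, copy);
    dst[copy] = '\0';
    return n > copy;
}

/* Bounded replacement for strcat(): refuses a dst that is not terminated inside the buffer. */
int bounded_cat(char *dst, size_t dstsize, const char *src) {
    size_t used = 0;
    while (used < dstsize && dst[used] != '\0') used++;
    if (used == dstsize) return 1;
    return bounded_copy(dst + used, dstsize - used, src);
}

/* Replacement for gets(): reads at most dstsize-1 bytes and drops the newline. Returns 0 on EOF. */
int read_line(FILE *in, char *dst, size_t dstsize) {
    if (!fgets(dst, (int)dstsize, in)) return 0;
    dst[strcspn(dst, "\n")] = '\0';
    return 1;
}

/* Count printf conversion directives in untrusted text ("%%" is a literal percent).
   Sets *writes_memory when a %n directive is present. Such text reaching printf(str)
   is exactly the slide 21 bug; counting directives is one way to spot the attempt in logs. */
int count_directives(const char *s, int *writes_memory) {
    int count = 0, n_seen = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }
        count++;
        p++;
        while (*p && strchr("-+ #0123456789.*$hlqjzLt", *p)) p++;   /* flags, width, precision, length */
        if (*p == 'n') n_seen = 1;
        if (*p) p++;
    }
    if (writes_memory) *writes_memory = n_seen;
    return count;
}

int has_write_directive(const char *s) {
    int w;
    count_directives(s, &w);
    return w;
}

/* Fixed form of the slide 21 bug: the format is a string literal, untrusted text is data.
   The vulnerable form would be snprintf(out, outsize, user). Returns the formatted length. */
int log_untrusted(char *out, size_t outsize, const char *user) {
    return snprintf(out, outsize, "user said: %s", user);
}

/* Exercises the wrappers on an 8-byte buffer; returns 1 when every check holds. */
int selftest_copy(void) {
    char buf[8];
    if (bounded_copy(buf, sizeof buf, "abc") != 0 || strcmp(buf, "abc") != 0) return 0;
    if (bounded_cat(buf, sizeof buf, "defghijk") != 1 || strcmp(buf, "abcdefg") != 0) return 0;
    if (bounded_copy(buf, sizeof buf, "0123456789") != 1 || strcmp(buf, "0123456") != 0) return 0;
    return 1;
}

/* Hostile-looking input is printed verbatim instead of being interpreted; returns 1 on success. */
int selftest_format(void) {
    char out[64];
    if (log_untrusted(out, sizeof out, "%x%n") != 15) return 0;
    return strcmp(out, "user said: %x%n") == 0;
}

int main(void) {
    printf("copy wrappers: %s\n", selftest_copy() ? "ok" : "FAIL");
    printf("constant format: %s\n", selftest_format() ? "ok" : "FAIL");
    printf("directives in \"%%x%%x%%n\": %d\n", count_directives("%x%x%n", NULL));
    return 0;
}
```

Compilers flag the vulnerable form when asked (gcc and clang with -Wformat-security warn on a non-literal format with no arguments), which is the cheapest check to keep this bug out of a code base.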
22. Read More
- Buffer overflow
  - http://www.cs.rpi.edu/hollingd/comporg.2002/notes/overflow/overflow.ppt
  - Buffer overflow for dummies: http://www.sans.org/reading_room/whitepapers/threats/481.php
- Format string attacks
  - http://muse.linuxmafia.org/lostfound/format-string-attacks.pdf
  - "Analysis of format string bugs": http://downloads.securityfocus.com/library/format-bug-analysis.pdf
- Lecture notes
  - http://crypto.stanford.edu/cs155-spring03/lecture3.ppt