The Manuka Project - University of Washington


Manuka Project
IEEE IA Workshop
June 10, 2004
Agenda
• Introduction
• Inspiration to Solution
• Manuka Use
• SE Approach
• Conclusion
Team Members
• Seattle University Masters in Computer Science & Software Engineering
– Amy Shephard
– Christian Seifert
– Don Nguyen
– Jenks Gibbons
– Jose Chavez
Sponsors
– University of Washington
• Customer: Dave Dittrich
– Seattle University
• Advisor: Barbara Endicott-Popovsky
Inspiration to Solution
Inspiration
• Honeynet Project “Forensic Challenge”
– January 15, 2001
– Linux Red Hat 6.2
– Six partitions (1.8GB raw / 170MB gzip)
– Time to:
• Root the box and rootkit (30 minutes)
• Analyze intrusion and report (30+ hours)
– Downloaded thousands of times
– Used in first SANS FIRE (Forensics course)
http://www.honeynet.org/challenge/index.html
Application #1
• 2004 NSF CCLI grant
– Highline Community College
– Seattle University
– University of Washington
• Computer and Network Forensics Courses
• Using real compromised honeypot images for labs
Use in Forensic Course Lab
• Student boots lab system w/custom Linux bootable CD
• Chooses which compromised system to analyze
• Bits loaded to disk, verified
• Student performs analysis, answers specific questions (which are compared with analysis in database)
• Lather, rinse, repeat…
Application #2
• Distributed Honeynet using Honeywalls
– “Clone” clean honeypot images
– Archive compromised honeypot images
– Automated honeypot forensics (future)
Application #3 (future)
• Distributed Incident Response Toolkit
– Customizable (unique) ISO images
– Centralized control of analysis
– Remote drive acquisition
– Asynchronous and semi-automatic operation
Proposed Solution
• Use standard x86 hardware (Knoppix)
• Bit-image copy of clean/compromised systems
• Provide integrity checking (MD5 hashes) and secure file transfer (SSH)
• Database storage (compressed)
• Database search by attribute (e.g., ID#, OS version, CVE #, etc.)
• Remotely retrieve/install bootable systems
• Customizable ISO (ala Honeywall)
“Customizing ISOs and the Honeynet Project’s Honeywall,”
http://staff.washington.edu/dittrich/misc/honeywall/
Manuka
Components
– Server
• Linux, MySQL, Java
• Automated Manuka database server installation
– Client
• Customized Knoppix CD-ROM (similar to Honeywall)
– Password protected
– Secure login to database
– Secure data transfer
Manuka Use
Typical Use
• Upload clean
1) Install new honeypot
2) Configure vulnerability profile (CVE #N)
3) Reboot w/Manuka CD, ID system, upload
• Download clean
1) Boot w/Manuka CD
2) Select image and download
• Upload compromised
1) Boot w/Manuka CD
2) Associate w/original, annotate, upload
Accessing Manuka
– Authentication required for all functionality
– Multiple access levels supported
Upload Installation
– Stores an installation in the Manuka database
– Clean Image
• Specify system details
• Specify installation details
• Specify vulnerabilities
– Compromised Image
• Associate with existing system
• Specify installation details
[Diagram: Upload Component. A clean or compromised system booted with the Knoppix CD produces a system image plus metadata. The image is MD5-hashed (example hash in the figure: CD33456765673FE23AD4F13), passed through the GZip compressor, and sent over an encrypted SSH tunnel to the file server on port 9999; the metadata and hash go to the Manuka database, which lists System A (BA6512345AFAED2A3D4E11), System B (BA6512345AFAED2A3D4E11) and System C (CD33456765673FE23AD4F13).]
Download Installation
– Writes an installation to the specified drive
– Download Installation
• Specify target, system, and installation details
• Wait…
[Diagram: Download Component. The system to restore is booted with the Knoppix CD. The client looks up the binary file location and MD5 hash (CD33456765673FE23AD4F13) in the Manuka database (System A, BA651EF45AFAED2A3D4E11; System B, BA6512345AFAED2A3D4E11; System C / Image 3, CD33456765673FE23AD4F13), requests the binary image files from the file server on port 9999 over an encrypted SSH tunnel, and runs them through the GZip uncompressor before writing them to the drive.]
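The upload and download components above, together with the "Typical Use" steps and the "Database search by attribute" item from the Proposed Solution, describe one pipeline: hash the raw bit-image, gzip it, ship it to the file server, record the hash and metadata in the database, and on restore decompress and re-hash before anything touches the target drive. The following Python is an added illustration, not Manuka's own code: the file server and the MySQL database are replaced by in-memory dicts (`FILE_SERVER`, `DATABASE`) so it runs offline, the SSH tunnel is omitted, the partition image is constructed bytes rather than a real filesystem, and `CVE-PLACEHOLDER-1` stands in for whatever CVE number a real vulnerability profile would carry. The function names (`upload_installation`, `download_installation`, `search_systems`) are my own. It keeps MD5 because the deck specifies it; the comment in `md5_hex` notes the caveat that MD5 catches transfer corruption but is not collision-resistant.

```python
import gzip
import hashlib

# Constructed stand-ins for the two Manuka back ends.  In the real system the
# compressed image travels over an encrypted SSH tunnel to the file server on
# port 9999 and the metadata lands in the MySQL database; here both are plain
# dicts so the flow can run offline.
FILE_SERVER = {}   # image_id -> gzip-compressed image bytes
DATABASE = {}      # image_id -> metadata record (what "System Search" queries)


class IntegrityError(Exception):
    """Raised when a downloaded image does not match the hash recorded at upload."""


def md5_hex(data: bytes) -> str:
    # The deck specifies MD5 for integrity checking.  Caveat (mine, not the
    # slides'): MD5 is collision-prone, so it detects transfer corruption but
    # not a deliberate substitution by someone who controls both images.
    return hashlib.md5(data).hexdigest()


def upload_installation(image_id, raw_image, *, os_name, os_version,
                        vulnerabilities=(), state="clean", parent=None):
    """Upload path: hash the raw bit-image, gzip it, ship it, record metadata.

    A compromised image is "associated with the original" by naming the clean
    image it was cloned from via `parent`.
    """
    if state == "compromised" and parent not in DATABASE:
        raise ValueError("compromised image must reference an uploaded clean image")
    digest = md5_hex(raw_image)                    # hash the *uncompressed* bits
    FILE_SERVER[image_id] = gzip.compress(raw_image)
    DATABASE[image_id] = {
        "id": image_id, "state": state, "parent": parent,
        "os": os_name, "os_version": os_version,
        "vulnerabilities": list(vulnerabilities),
        "md5": digest, "raw_size": len(raw_image),
    }
    return digest


def download_installation(image_id) -> bytes:
    """Download path: fetch, decompress, and verify before writing to the drive."""
    record = DATABASE[image_id]
    raw = gzip.decompress(FILE_SERVER[image_id])
    actual = md5_hex(raw)
    if actual != record["md5"] or len(raw) != record["raw_size"]:
        raise IntegrityError(f"{image_id}: expected {record['md5']}, got {actual}")
    return raw


def search_systems(**criteria):
    """System Search: ids of every record matching all given attributes.

    `vulnerability="CVE-..."` matches if the CVE is in the record's list; any
    other key must equal the record's field exactly.
    """
    hits = []
    for rec in DATABASE.values():
        ok = True
        for key, want in criteria.items():
            ok = want in rec["vulnerabilities"] if key == "vulnerability" else rec.get(key) == want
            if not ok:
                break
        if ok:
            hits.append(rec["id"])
    return hits


def transfer_detects_corruption(image_id) -> bool:
    """Failure mode: the server copy is replaced by a valid gzip stream carrying
    the wrong bits (simulating a corrupted or swapped transfer).  Returns True
    if the download refuses it; the original copy is restored afterwards."""
    good = FILE_SERVER[image_id]
    FILE_SERVER[image_id] = gzip.compress(b"constructed wrong bits")
    try:
        download_installation(image_id)
        return False
    except IntegrityError:
        return True
    finally:
        FILE_SERVER[image_id] = good


def demo():
    """Typical use from the deck: upload clean, upload compromised, download clean."""
    FILE_SERVER.clear()
    DATABASE.clear()
    # Constructed stand-in for a raw partition image (not a real filesystem).
    clean = b"\x00" * 1024 + b"CONSTRUCTED-ROOT-FS" + b"\xff" * 1024
    upload_installation("sysA-clean", clean, os_name="Linux", os_version="Red Hat 6.2",
                        vulnerabilities=["CVE-PLACEHOLDER-1"])
    compromised = clean.replace(b"ROOT-FS", b"ROOTKIT")
    upload_installation("sysA-compromised", compromised, os_name="Linux",
                        os_version="Red Hat 6.2", vulnerabilities=["CVE-PLACEHOLDER-1"],
                        state="compromised", parent="sysA-clean")
    restored = download_installation("sysA-clean")
    return restored == clean, search_systems(vulnerability="CVE-PLACEHOLDER-1")


if __name__ == "__main__":
    print(demo())
    print("corruption detected:", transfer_detects_corruption("sysA-clean"))
```

The hash is taken over the uncompressed bits and checked after decompression, so a corrupted gzip stream that still inflates cleanly is caught at the last step rather than silently written to the lab disk; this is the "bits loaded to disk, verified" step of the forensics lab.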
System Search
– Allows targeted access to system information
– Search by system metadata
– Retrieves all matching systems
System and Installation Details
– Allows access to system data
• general information
• vulnerabilities
• installation details
Stored Data Management
– User updates
• Operating Systems
• Operating System Versions
– Automatic updates
• Vulnerabilities
Software Engineering Approach
Approach
• Extreme Programming
– Pair programming
• Methodology
– Development of user stories
– Estimation/prioritization of user stories
– Weekly iteration status meetings
– Monthly iteration planning meeting
– Working code
– Metrics collection
Methodology
• Development of user stories
• Estimation/prioritization of user stories
• Weekly iteration status meetings
• Monthly iteration planning meeting
• Working code
• Metrics collection
Project Plan
The Manuka Times
• Tasks due
• Current risks
• User story status
• Delayed tasks
• Acceptance tests results
Project Website
• Customer communication
• Release dissemination
• Access to
– source control
– bug tracking
– standards
– current iteration information
Conclusion
• Support tool for setup/imaging of distributed honeypots
• Support for Hands-on Forensics Lab Exercises
• Base for Future Honeypot Analysis and IRT toolkit
• Example of Extreme Programming Concepts in action
Questions?
http://staff.washington.edu/dittrich/misc/honeywall/