How many ways to 0wn the Internet? Towards Viable Worm
Wormholes and a Honeyfarm: Automatically Detecting Novel Worms
(and other random stuff)
Nicholas Weaver, Vern Paxson, Stuart Staniford
UC Berkeley, ICIR, ICIR, Silicon Defense
Problem: Automatically Detecting New Worms
Wormholes and a Honeyfarm: Automatically Detecting Novel Worms
• Detect a new worm on the Internet before many machines are infected
– Use this information to guide defenses
– 30-60 seconds to detect (and stop) Slammer
• Honeypots are accurate detectors
– Monitor egress to detect worms
– k vulnerable honeypots will detect a worm when ~1/k of the vulnerable machines are infected
– But impractical
• Cost: time, not machines
• Trust: must trust all honeypots!
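The ~1/k figure above, worked through as an added example that is not part of the deck: a random-scanning worm reaches the infectable addresses in a uniformly random order, so among V real vulnerable hosts and k honeypot addresses the first honeypot is hit, on average, after V/(k+1) real infections. The Monte Carlo check is my own code; the population sizes and trial counts are constructed.

```python
import random
from statistics import mean

def expected_fraction_at_detection(honeypots: int) -> float:
    """Analytic value. A random-scanning worm infects the V real vulnerable hosts and
    the k honeypot addresses in a uniformly random order, so on average V/(k+1) real
    hosts are infected before the first honeypot is hit: a fraction 1/(k+1), ~1/k."""
    return 1.0 / (honeypots + 1)

def simulate_fraction_at_detection(vulnerable: int, honeypots: int, rng: random.Random) -> float:
    """One run. Draw the k slots the honeypots occupy in the worm's infection order
    (a random k-subset of the V+k slots). Every slot before the earliest one is a
    real host infected before a honeypot's egress monitor could raise an alert."""
    slots = rng.sample(range(vulnerable + honeypots), honeypots)
    return min(slots) / vulnerable

def mean_fraction_at_detection(vulnerable: int, honeypots: int, trials: int, seed: int = 1) -> float:
    """Average over many runs, seeded so the result is reproducible."""
    rng = random.Random(seed)
    return mean(simulate_fraction_at_detection(vulnerable, honeypots, rng) for _ in range(trials))

if __name__ == "__main__":
    # Constructed population: 100,000 vulnerable hosts, honeyfarm reached through k wormholes.
    for k in (1, 10, 100, 1000):
        print(f"k={k:5d}  analytic={expected_fraction_at_detection(k):.4f}  "
              f"simulated={mean_fraction_at_detection(100_000, k, 2000):.4f}")
```

The two columns agree to within sampling noise, which is the point of the slide: detection sensitivity scales with the number of honeypot addresses, not with how fast the worm spreads.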
Idea: Split the Network Endpoints from the Honeypots
• Wormholes are traffic tunnels
– Routes connections to a remote system
– Untrusted endpoints
• Honeyfarm consists of Virtual Machine honeypots
– Create virtual honeypots on demand
• See honeynet.org
– Route internally generated traffic to other images
• Classify based on what can be infected
How Wormholes Work
• Low cost “appliance”:
– Plugs into network, obtains address through DHCP
– Contacts the Honeyfarm
– Reconfigures local network stack
• Fool nmap-style detection
– Forwards all traffic to/from the Honeyfarm
• Clear Box:
– Deployers have source code
• Restrictions built into the wormhole code so it doesn't trust the honeyfarm and can't contact the local network!
• Instead of, or in addition to, wormholes, one can...
– Route small telescopes to the honeyfarm
– Route ALL unused addresses in an institution...
How a Honeyfarm Works
• Creates Virtual Machine images to implement Honeypots
– Using VMware or similar
– Images exist "in potential" until traffic received
• Niels Provos suggested: Use honeyd as a first pass filter
– Completes the illusion that a honeypot exists at every wormhole location
• Any traffic received from wormhole
– Activate and configure a VM image
– Forward traffic to VM image
• Honeypot image generated traffic is monitored and redirected
[Diagram: a Wormhole (IP: aa.bb.cc.dd) forwards traffic to the Honeyfarm (IP: xx.xx.xx.xx), where VM images are configured with the wormhole addresses aa.bb.cc.dd and aa.bb.cc.ee]
What Could We Automatically Learn From a Honeyfarm?
• A new worm is in the Internet
– Triggered based on ability to infect VMs
• What the worm is capable of
– Types of vulnerable configurations
• Including patch level
• Creates a “Vulnerability Signature”
– Some overt, immediate malicious behavior
• Immediate file erasers etc.
– Possible attack signatures
• Works best for tracking:
– Human attackers
– Scanning worms
• Slow enough to react effectively
• Randomness hits wormholes
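The honeyfarm workflow of the last few slides (images activated on first contact, egress monitored and redirected to other images, the set of infected configurations becoming the vulnerability signature) together with the trust point that alerts come from infected images rather than from wormhole traffic, as an added toy model. This is my own code, not the authors' design or implementation; the configuration names, probes and TEST-NET-3 wormhole addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    """Constructed stand-in for inbound traffic: the service targeted and the image
    configurations on which it succeeds. The farm never looks at succeeds_on."""
    service: str
    succeeds_on: frozenset

@dataclass
class Image:
    config: str
    infected: bool = False

class Honeyfarm:
    def __init__(self, configs):
        self.baseline, self.others = configs[0], configs[1:]
        self.images = {}             # wormhole IP -> Image, created on first inbound traffic
        self.internal = {}           # config -> Image, targets for redirected egress
        self.alerts = []             # (wormhole IP, config) of images that became traffic sources
        self.vuln_signature = set()  # configurations that were infected

    def image_for(self, wormhole_ip):
        # Images exist only "in potential"; activate one when a wormhole first delivers traffic.
        return self.images.setdefault(wormhole_ip, Image(self.baseline))

    def inbound(self, wormhole_ip, probe):
        """Traffic forwarded by a wormhole. Nothing about the wormhole is trusted:
        only an image that starts emitting traffic itself can raise an alert."""
        self._deliver(wormhole_ip, self.image_for(wormhole_ip), probe)

    def _deliver(self, wormhole_ip, image, probe):
        if image.infected or image.config not in probe.succeeds_on:
            return                   # egress monitor sees nothing, so no alert
        image.infected = True
        self.vuln_signature.add(image.config)
        self.alerts.append((wormhole_ip, image.config))
        # The infected image re-emits the probe; that egress is redirected to one
        # internal image per other configuration instead of reaching the Internet.
        for cfg in self.others:
            self._deliver(wormhole_ip, self.internal.setdefault(cfg, Image(cfg)), probe)

def run_scenario():
    farm = Honeyfarm(["os-A-unpatched", "os-A-patched", "os-B"])
    worm = Probe("service-x", frozenset({"os-A-unpatched"}))   # constructed worm probe
    bogus = Probe("service-x", frozenset())                    # dishonest wormhole, infects nothing
    farm.inbound("203.0.113.5", bogus)   # wormhole addresses: TEST-NET-3 placeholders
    farm.inbound("203.0.113.7", worm)
    return farm
```

The bogus wormhole activates an image but produces no alert, while the real probe yields one alert and a signature naming only the unpatched configuration.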
What Trust is Needed?
• Wormhole deployers:
– Need to trust wormhole devices, not the honeyfarm operator
• Honeyfarm operator:
– Attackers know of some wormholes, but most are generally unknown
• Wormhole locations are “open secrets”
– Does not trust wormhole deployers
• Detection is based on infected honeypots, not traffic from a wormhole
• Dishonest wormholes are filtered out
• Responding systems receiving an alert:
– Either the honeyfarm and operator are honest and uncompromised
– OR rely on multiple, independent honeyfarms all raising an alarm
• "If CERT and DOD-CERT say..."
Status and Acknowledgements
• Status: Paper design
– Idea, attacks, costs, development time
• Lots of attacks on the honeyfarm system and possible defenses
• Plan to build honeyfarm first, attached to a small telescope
• Wormholes can be built for <$350, no moving parts, 50 Watts power, quantity 1
• Acknowledgements:
– Honeypot technology: Honeynet project, honeyd, DTK
– Feedback from many people: Stefan Savage, David Moore, David Wagner, Niels Provos, etc.
Random Slide: 1 Gb (ASAP), 10 Gb (+2-3 years)
• Need wiring-closet defenses:
– As close to the endpoint as possible, need to be reprogrammable
– <$1000 for GigE today (build for $500)
• Optical ideal, +$100 for 1000-base-T
– <$2000 for 10GigE in 2-3 years (build for $1000)
– New FPGAs with SERDESes, embedded processors, massive parallelism and pipelining
[Block diagram: an FPGA with two DIMMs, three SX transceivers and two 1000-BaseT PHYs]
Random Slide: Colonel John R. Boyd’s OODA “Loop”
[Diagram of Boyd's OODA loop: Observe (unfolding circumstances, outside information, unfolding interaction with environment, observations) feeds forward to Orient (genetic heritage, cultural traditions, previous experience, new information, analyses & synthesis), which feeds forward to Decide (decision/hypothesis) and then Act (action/test); implicit guidance & control runs from Orient to both Observe and Act, and feedback from Decide, Act and the unfolding interaction with the environment returns to Observe]
Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.
Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.
From “The Essence of Winning and Losing,” John R. Boyd, January 1996.
From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd. Used with permission.
Random Slide: What is the OODA loop?
• The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making
– Really a complex nest of feedback loops
– Originally designed to represent strategic and tactical decision-making
• Implicit shortcuts are critical in human-based systems
– Every participant or group has its own OODA loop
• Attack the opponent’s decision making process
– Avoid/confuse/manipulate the opponent’s observation/detection
• Stealthy worms
– Take advantage of errors in orientation/analysis
• Not yet but will begin to happen!
– Move faster than the opponent’s reaction time
• Why autonomous worms outrace “human-in-the-loop” systems
• Reactive worm defenses need fully-automated OODA loops
• The fastest, accurate OODA loop usually wins
Random Slide: Automated OODA Loops
• Since both the worms and worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler
– No implicit paths, everything is now explicit
• Orientation and decision making are combined
– Communication is also made explicit
– The OODA loops are shaped by the designer’s goals, objectives, and skills
• Observation is often critical for both sides
[Diagram of an automated OODA loop: Observe (passive, local, active) feeds Orient/Decide (automatic decision making), which drives Act (control actions) through information and control flows, with feedback and communication returning via interaction with the environment]