Introduction of honeypot and security measurement
Introduction to Honeypot, measurement,
and vulnerability exploits
Cliff C. Zou
CAP6133
02/06/06
1
What Is a Honeypot?
Abstract definition:
“A honeypot is an information
system resource whose value lies
in unauthorized or illicit use of
that resource.” (Lance Spitzner)
Concrete definition:
“A honeypot is a faked
vulnerable system used for the
purpose of being attacked,
probed, exploited and
compromised.”
2
Example of a Simple Honeypot
Install vulnerable OS and software on a
machine
Install monitor or IDS software
Connect to the Internet (with global IP)
Wait and monitor as the machine is scanned, attacked, and compromised
Finish analysis, clean the machine
3
Benefit of Deploying Honeypots
Risk mitigation:
Lure an attacker away from the real production
systems (“easy target“).
IDS-like functionality:
Since no legitimate traffic should take place to or
from the honeypot, any traffic appearing is evil
and can initiate further actions.
4
Benefit of Deploying Honeypots
Attack analysis:
Find out why and how you are attacked (the attackers' reasons and strategies)
Binary and behavior analysis of captured malicious code
Evidence:
Once the attacker is identified, all data captured
may be used in a legal procedure.
Increased knowledge
5
Honeypot Classification
High-interaction honeypots
A full and working OS is provided for being attacked
VMware virtual environment
Several VMware virtual hosts in one physical machine
Low-interaction honeypots
Only emulate specific network services
No real interaction or OS
Honeyd
Honeynet/honeyfarm
A network of honeypots
6
Low-Interaction Honeypots
Pros:
Easy to install (simple program)
No risk (no vulnerable software to be attacked)
One machine supports hundreds of honeypots, covers
hundreds of IP addresses
Cons:
No real interaction to be captured
Limited logging/monitoring functionality
Hard to detect unknown attacks; hard to generate filters
Easily detectable by attackers
7
High-Interaction Honeypots
Pros:
Real OS, captures all attack traffic/actions
Can discover unknown attacks/vulnerabilities
Can capture and analyze code behavior
Cons:
Time-consuming to build/maintain
Time-consuming to analyze attacks
Risk of being used as a stepping stone
High computer resource requirement
8
Honeynet
A network of honeypots
High-interaction honeynet
Low-interaction honeynet
A distributed network composed of many honeypots
Emulate a virtual network in one physical machine
Example: honeyd
Mixed honeynet
“Scalability, Fidelity and Containment in the
Potemkin Virtual Honeyfarm”, presented next
week
Reference: http://www.ccc.de/congress/2004/fahrplan/files/135honeypot-forensics-slides.ppt
9
Security Measurement
Monitor network traffic to understand/track Internet attack activities
Monitor incoming traffic to unused IP space
[Figure: the Internet sending monitored traffic (TCP connection requests, UDP packets) into the unused IP space of a local network]
“Characteristics of internet background radiation.”
10
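An added example, not from the slides: a small C classifier that treats every packet addressed to an unused prefix as suspect, which is what both the IDS-like-functionality slide and this measurement slide rely on, and counts TCP connection requests, UDP packets, and sources that sweep several addresses (the scanning pattern behind background radiation). The sensor records, the 203.0.113.0/24 darknet prefix and the scan threshold are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

enum { MAX_SRC = 32, MAX_DST = 16 };

/* Constructed sensor records ("proto src dst dport"); 203.0.113.0/24 plays
 * the unused IP space. The last record is ordinary production traffic. */
static const char *SAMPLE_RECORDS[] = {
    "tcp 198.51.100.7 203.0.113.10 445",
    "tcp 198.51.100.7 203.0.113.11 445",
    "tcp 198.51.100.7 203.0.113.12 445",
    "udp 192.0.2.99 203.0.113.40 1434",
    "tcp 198.51.100.200 203.0.113.8 22",
    "tcp 192.0.2.5 10.0.0.5 80",
};

struct sensor_stats { int darknet_pkts, tcp, udp, scanners; };

/* Dotted quad to host-order integer; 0 if unparsable. */
static uint32_t ip4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* Every packet addressed to net/plen is suspect by definition (nothing
 * legitimate lives there). A source that touches at least `threshold`
 * distinct addresses in that space is counted as a horizontal scanner. */
struct sensor_stats analyze(const char **rec, int n, const char *net, int plen, int threshold) {
    struct sensor_stats st = {0, 0, 0, 0};
    uint32_t mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
    uint32_t darknet = ip4(net) & mask;
    uint32_t srcs[MAX_SRC], dsts[MAX_SRC][MAX_DST];
    int ndst[MAX_SRC], nsrc = 0;
    for (int i = 0; i < n; i++) {
        char proto[8], s[16], d[16];
        int port, k, j;
        if (sscanf(rec[i], "%7s %15s %15s %d", proto, s, d, &port) != 4) continue;
        uint32_t src = ip4(s), dst = ip4(d);
        if ((dst & mask) != darknet) continue;          /* production traffic: ignore */
        st.darknet_pkts++;
        if (!strcmp(proto, "tcp")) st.tcp++; else if (!strcmp(proto, "udp")) st.udp++;
        for (k = 0; k < nsrc && srcs[k] != src; k++) ;  /* find or add the source */
        if (k == nsrc) { if (nsrc == MAX_SRC) continue; srcs[nsrc] = src; ndst[nsrc++] = 0; }
        for (j = 0; j < ndst[k] && dsts[k][j] != dst; j++) ;  /* distinct destinations */
        if (j == ndst[k] && j < MAX_DST) dsts[k][ndst[k]++] = dst;
    }
    for (int k = 0; k < nsrc; k++) if (ndst[k] >= threshold) st.scanners++;
    return st;
}
```

With the sample records, `analyze(SAMPLE_RECORDS, 6, "203.0.113.0", 24, 3)` reports five darknet packets (four TCP, one UDP) and one scanning source.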
Remote host fingerprinting
Actively probe remote hosts to identify their OS, physical devices, etc.
Different OSes respond differently to service probes
Different hardware responds differently
Purposes:
Understand Internet computers
Remove the DHCP issue (one host appearing under changing IP addresses) in monitored data
“Remote Physical Device Fingerprinting”
11
Remote network fingerprinting
By sending probing traffic, learn the structure and characteristics of remote networks
Use TTL values to infer the hop distance
Use the returned data to infer firewall policy
“ConceptDoppler: A Weather Tracker for Internet Censorship”
Others
12
Data Sharing:
Traffic Anonymization
Sharing monitored network traffic is important
Privacy and security exposure in data sharing
Collaborative attack detection
Academic research
Packet header: IP address, service port exposure
Packet content: more serious
Data anonymization
Change packet header: preserve IP prefix, and …
Change packet content
13
Buffer Overflow Introduction
Attack Steps
Inject attack code into the buffer or elsewhere in memory
Redirect the control flow to the attack code
Execute the attack code
14
[Figure: process memory layout, high to low addresses: 0xFFFFFFFF kernel space, 0xC0000000 stack, shared library at 0x42000000, heap, bss, static data, code at 0x08048000, 0x00000000]
From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
15
A Stack Structure
[Figure: one stack frame, high to low addresses: function parameters, return address, calling frame pointer (FP), local variables; SP (stack pointer) marks the top of the stack, with address 00000000 at the bottom]
FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.
16
Example
    a = 4;
    f(5);
    b = 20;

    void f(int m) {
        int x;
        char buf1[10];
        char buf2[5];
        x = m;
        …
    }

[Figure: stack frame of f(5), high to low addresses: 5 (parameter m), address of the instruction b=20 (return address), saved frame pointer, x, buf1, buf2]
17
Overflow
[Figure: the same process memory map with the stack region expanded, high to low addresses: argument 2, argument 1, return address (RA) overwritten with the address of the attack code, frame pointer, locals, buffer filled with the attack code; the overwritten RA points back into the buffer]
From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
18
Some unsafe C lib functions
strcpy(char *dest, const char *src)
strcat(char *dest, const char *src)
gets(char *s)
scanf(const char *format, …)
printf(const char *format, …)
19
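Added example, not the lecture's code: the slide's f() with its 10-byte buf1 written the unsafe way with strcpy and then with an explicit bound check, plus a bounded replacement for gets() that also handles the truncation case fgets() hides. The buffer size is the slide's; the function names and inputs are mine.

```c
#include <stdio.h>
#include <string.h>

/* "Before": the slide's f() done with strcpy into a 10-byte local. Any
 * input of 10 or more characters runs past buf1 into the neighbouring
 * locals, the saved frame pointer and the return address. */
int copy_unsafe(const char *input) {
    char buf1[10];
    strcpy(buf1, input);                 /* no bound check at all */
    return (int)strlen(buf1);
}

/* "After": measure the input without reading past the buffer size, refuse
 * anything that does not fit together with its NUL, then copy exactly that
 * many bytes. Returns the copied length, or -1 if the input was rejected. */
int copy_checked(const char *input) {
    char buf1[10];
    size_t n = 0;
    while (n < sizeof buf1 && input[n] != '\0') n++;
    if (n == sizeof buf1) return -1;     /* 10+ chars: no room for the NUL */
    memcpy(buf1, input, n + 1);
    return (int)n;
}

/* gets() has no bound; fgets() takes the buffer size but keeps the newline
 * and silently truncates long lines, so both cases are handled explicitly.
 * Returns the line length, -1 at EOF, -2 if the line was truncated. */
int read_line_checked(char *dst, size_t dst_size, FILE *in) {
    if (!fgets(dst, (int)dst_size, in)) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[--n] = '\0'; return (int)n; }
    if (n == dst_size - 1) {             /* drain the rest of the long line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') ;
        return -2;
    }
    return (int)n;                       /* last line without a newline */
}

int main(void) {
    char line[10];
    printf("copy_checked(\"123456789\") = %d\n", copy_checked("123456789"));
    printf("copy_checked(\"1234567890\") = %d\n", copy_checked("1234567890"));
    int r = read_line_checked(line, sizeof line, stdin);
    printf("read_line_checked -> %d (%s)\n", r, r >= 0 ? line : "rejected");
    return 0;
}
```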
Format String Attack
printf specification:
int printf(const char *format [, argument]…);
snprintf, wsprintf …
%d: signed decimal integer
%x: unsigned hexadecimal integer
%n: number of characters successfully written so far to the stream/buffer; stored in the integer whose address is given as the argument
20
Vulnerability
Writing printf(str) instead of printf("%s", str)
Possible vulnerabilities:
Dump arbitrary memory (information leaking)
Write to arbitrary memory
21
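Added example (not the lecture's code) of the printf(str) versus printf("%s", str) mistake as it usually appears, through a vsnprintf logging wrapper, together with a directive-counting check for code that must accept a caller-supplied template. Function names and sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A typical logging wrapper: whatever arrives as `fmt` is parsed for
 * conversion directives by vsnprintf. Declaring it with GCC's
 * __attribute__((format(printf, 3, 4))) would let the compiler flag the
 * unsafe call below at build time. */
int log_msg(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable call from the slide: the user string *is* the format. A "%x"
 * in it reads stack words (information leak); "%n" writes the character
 * count to whatever address the corresponding argument slot holds. */
int log_unsafe(char *out, size_t n, const char *user) {
    return log_msg(out, n, user);
}

/* Fixed call: the format is a constant and the user string is data, so
 * '%' characters in it are copied literally. */
int log_safe(char *out, size_t n, const char *user) {
    return log_msg(out, n, "%s", user);
}

/* Input check for code that must accept a caller-supplied template: count
 * the directives (to compare with the arguments actually passed) and flag
 * "%n", which has no legitimate use in a log message. "%%" is a literal. */
int count_directives(const char *fmt, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        while (p[1] && strchr("-+ #0123456789.*hlLqjzt", p[1])) p++;  /* flags, width, precision, length */
        if (p[1] == 'n') *has_n = 1;
    }
    return count;
}

int main(void) {
    char buf[64]; int has_n;
    log_safe(buf, sizeof buf, "%x%x%n");
    printf("log_safe -> \"%s\", directives=%d has_n=%d\n", buf, count_directives("%x%x%n", &has_n), has_n);
    return 0;
}
```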
Read More
Buffer Overflow
“Buffer Overflow for Dummies”
http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf
“Analysis of format string bugs”
http://www.sans.org/reading_room/whitepapers/threats/481.php
“Format string attacks”
http://www.cs.rpi.edu/~hollingd/comporg.2002/notes/overflow/overflow.ppt
http://downloads.securityfocus.com/library/format-bug-analysis.pdf
Lecture notes:
http://crypto.stanford.edu/cs155-spring03/lecture3.ppt
22