Introduction to Honeypot, measurement, and vulnerability exploits

1
Introduction to Honeypot, measurement, and
vulnerability exploits

• Cliff C. Zou
• CAP6133
• 02/06/06

2
What Is a Honeypot?

• Abstract definition
• A honeypot is an information system resource
  whose value lies in unauthorized or illicit use
  of that resource. (Lance Spitzner)
• Concrete definition
• A honeypot is a faked vulnerable system used
  for the purpose of being attacked, probed,
  exploited and compromised.

3
Example of a Simple Honeypot

• Install vulnerable OS and software on a machine
• Install monitor or IDS software
• Connect to the Internet (with global IP)
• Wait monitor being scanned, attacked,
  compromised
• Finish analysis, clean the machine

4
Benefit of Deploying Honeypots

• Risk mitigation
• Lure an attacker away from the real production
  systems (easy target).
• IDS-like functionality
• Since no legitimate traffic should take place to
  or from the honeypot, any traffic appearing is
  evil and can initiate further actions.

5
Benefit of Deploying Honeypots

• Attack analysis
• Find out reasons, and strategies why and how you
  are attacked.
• Binary and behavior analysis of capture malicious
  code
• Evidence
• Once the attacker is identified, all data
  captured may be used in a legal procedure.
• Increased knowledge

6
Honeypot Classification

• High-interaction honeypots
• A full and working OS is provided for being
  attacked
• VMware virtual environment
• Several VMware virtual hosts in one physical
  machine
• Low-interaction honeypots
• Only emulate specific network services
• No real interaction or OS
• Honeyd
• Honeynet/honeyfarm
• A network of honeypots

7
Low-Interaction Honeypots

• Pros
• Easy to install (simple program)
• No risk (no vulnerable software to be attacked)
• One machine supports hundreds of honeypots,
  covers hundreds of IP addresses
• Cons
• No real interaction to be captured
• Limited logging/monitor function
• Hard to detect unknown attacks hard to generate
  filters
• Easily detectable by attackers

8
High-Interaction Honeypots

• Pros
• Real OS, capture all attack traffic/actions
• Can discover unknown attacks/vulnerabilites
• Can capture and anlayze code behavior
• Cons
• Time-consuming to build/maintain
• Time-consuming to analysis attack
• Risk of being used as stepping stone
• High computer resource requirement

9
Honeynet

• A network of honeypots
• High-interaction honeynet
• A distributed network composing many honeypots
• Low-interaction honeynet
• Emulate a virtual network in one physical machine
• Example honeyd
• Mixed honeynet
• Scalability, Fidelity and Containment in the
  Potemkin Virtual Honeyfarm, presented next week
• Reference http//www.ccc.de/congress/2004/fahrpla
  n/files/135-honeypot-forensics-slides.ppt

10
Security Measurement

• Monitor network traffic to understand/track
  Internet attack activities
• Monitor incoming traffic to unused IP space
• TCP connection requests
• UDP packets

Internet
Unused IP space
Local network
Characteristics of internet background
radiation.
11
Remote host fingerprinting

• Actively probe remote hosts to identify remote
  hosts OS, physical devices, etc
• OSes service responses are different
• Hardware responses are different
• Purposes
• Understand Internet computers
• Remove DHCP issue in monitored data
• Remote Physical Device Fingerprinting

12
Remote network fingerprinting

• By sending probing traffic, learn the structure
  and characteristics of remote networks
• Based on TTL to know the hop length
• Based on return data to infer firewall policy.
• ConceptDoppler A Weather Tracker for Internet
  Censorship
• Others

13
Data Sharing Traffic Anonymization

• Sharing monitored network traffic is important
• Collaborative attack detection
• Academic research
• Privacy and security exposure in data sharing
• Packet header IP address, service port exposure
• Packet content more serious
• Data anonymization
• Change packet header preserve IP prefix, and
• Change packet content

14
Buffer Over Flow Introduction

• Attack Steps
• Inject attack codes onto the buffer or somewhere
• Redirect the control flow to the attack code
• Execute the attack code

15
kernel space
stack
shared library
heap
bss
static data
code
From Dawn Songs RISE http//research.microsoft.c
om/projects/SWSecInstitute/slides/Song.ppt
16
A Stack Structure
SP stack pointer

• Function parameters
• Return Address
• Calling Frame Pointer
• Local Variables

SP
FP is guaranteed to have the same value
throughout the execution of the function, so all
local data can be accessed via hard-coded offsets
from the FP.
00000000
17
Example
a4 f(5) b20

• 5
• Address of instruction (b20)
• saved stack pointer
• x
• buf1
• buf2

f(int m) int x char buf110 char buf25
xm
18
Overflow
kernel space
stack
shared library
heap
bss
static data
code
From Dawn Songs RISE http//research.microsoft.c
om/projects/SWSecInstitute/slides/Song.ppt
19
Some unsafe C lib functions

• strcpy (char dest, const char src)
• strcat (char dest, const char src)
• gets (char s)
• scanf ( const char format, )
• printf (conts char format, )

20
Format String Attack

• printf specification
• snprintf, wsprintf
• d- signed decimal integer
• x- unsigned hexadecimal integer
• n- number of characters successfully written
  so far to the stream/buffer. This is stored
  in the integer whose address is given as
• the argument.

int printf(const char format , argument)
21
Vulnerability

• Write printf(s, str) to printf(str)
• Possible vulnerabilities
• Dump arbitrary memory (information leaking)
• Write to arbitrary memory

22
Read More

• Buffer Overflow
• http//www.cs.rpi.edu/hollingd/comporg.2002/notes
  /overflow/overflow.ppt
• buffer overflow for dummy
• http//www.sans.org/reading_room/whitepapers/threa
  ts/481.php
• Format string attacks
• http//muse.linuxmafia.org/lostfound/format-strin
  g-attacks.pdf
• "Analysis of format string bugs
• http//downloads.securityfocus.com/library/format-
  bug-analysis.pdf
• Lecture notes
• http//crypto.stanford.edu/cs155-spring03/lecture3
  .ppt