Argos Emulator - PowerPoint PPT Presentation

1
Argos Emulator
  • Georgios Portokalidis
  • Asia Slowinska
  • Herbert Bos
  • Vrije Universiteit Amsterdam

2
Why?
  • Too many vulnerabilities
  • New worm attacks
  • Human intervention too slow
  • Current solutions are problematic
    • Time consuming
    • Inaccurate

3
Goals
  • Platform for next generation honeypots
  • Protect entire OS
  • Detect most common attack vectors
  • Accuracy

4
It Works!
5
Argos Overview
[Architecture diagram, top to bottom: Applications and Snitch; Guest OS; Argos Emulator; Host OS; plus a Post-Processing Sub-system]
6
Network Data Tracking
7
Capturing Attacks
  • Diverting control flow
  • Executing arbitrary instructions
  • Overwriting system call arguments

[Diagram: tagged register operands (JMP, CALL) and tagged memory (RET, SYSCALL)]
8
Forensics
[Diagram: Applications / Guest OS / Argos Emulator]
9
Signature Generation
[Diagram: Argos Memory Log]
10
Emulator Performance
[Chart: Overhead (y times slower)]
11
Signature Generation Performance
[Chart: time to generate signature (sec) vs. tcpdump trace size (MB)]
12
Future Work
  • Replaying attacks
  • Integration with nepenthes honeypot
  • Increase data tracking precision
  • Protocol aware signature generation
  • Generate self certifying alerts

13
On The Web
http://www.few.vu.nl/argos
14
Network Data Tracking
  • Tag network data as tainted

[Diagram: registers EAX, EBX, ECX, EDX]
15
Network Data Tracking
  • Tag network data as tainted
  • Track tainted data propagation
    • Arithmetic, logical operations
    • Memory operations

[Diagram: registers EAX, EBX, ECX, EDX and memory location A]
16
Network Data Tracking
  • Tag network data as tainted
  • Track tainted data propagation
    • Arithmetic, logical operations
    • Memory operations
  • Sanitise data
    • Floating point, SSE

[Diagram: registers EAX, EBX, ECX, EDX and memory location A]
17
Identifying Attacks
  • Jumps
  • Function calls
  • Function returns
  • System calls

[Diagram: registers EAX, EBX, ECX, EDX; tainted control transfers: JMP EAX, CALL EAX, RET, JMP A, INT 0x80]
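The tracking rules of slides 14 to 17 and the capture points of slide 7 (tainted jump, call, return and system-call operands) are easiest to see on a toy machine. The following is an added example written for this transcript, not Argos code: the opcode names, the operand syntax, the register set and the attacker messages are all invented here, and the xor reg,reg sanitising rule is a common taint-tracker convention, not something the slides state. Argos itself instruments a full x86 emulator; this model only keeps the taint bookkeeping.

```python
"""Toy model of Argos-style dynamic taint tracking (added example, not Argos code).
Registers carry one taint bit, memory one bit per byte. Network bytes are tagged,
taint follows data through arithmetic/logic/memory ops, and an alert fires when
tainted data reaches JMP, CALL, RET or a system call argument."""
import struct

WORD = 4


class TaintVM:
    def __init__(self, mem_size=0x100):
        self.mem = bytearray(mem_size)
        self.taint = bytearray(mem_size)          # 1 = byte derived from network input
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esp")}
        self.rtaint = {r: False for r in self.regs}
        self.regs["esp"] = mem_size               # stack grows down from the top
        self.pc, self.alerts = 0, []

    def _rd(self, addr):
        """Read a dword; it is tainted if any of its four bytes is."""
        return struct.unpack_from("<I", self.mem, addr)[0], any(self.taint[addr:addr + WORD])

    def _wr(self, addr, val, tainted):
        struct.pack_into("<I", self.mem, addr, val & 0xFFFFFFFF)
        self.taint[addr:addr + WORD] = bytes([int(tainted)]) * WORD

    def _src(self, op):
        """Operand -> (value, tainted). int: immediate; str: register; ("mem", base, off)."""
        if isinstance(op, int):
            return op, False
        if isinstance(op, tuple):
            return self._rd(self.regs[op[1]] + op[2])
        return self.regs[op], self.rtaint[op]

    def recv(self, addr, data):
        """Network input: copy into guest memory and tag every byte written."""
        self.mem[addr:addr + len(data)] = data
        self.taint[addr:addr + len(data)] = b"\x01" * len(data)

    def _target(self, op, kind):
        """Resolve a control-transfer target; alert if it was built from tainted data."""
        target, tainted = self._src(op)
        if tainted:
            self.alerts.append((self.pc, kind, f"target {target:#x} derived from network data"))
        return target

    def run(self, prog, max_steps=1000):
        """Execute prog (one instruction per address) until halt or the first alert."""
        for _ in range(max_steps):
            if self.alerts or self.pc >= len(prog) or prog[self.pc][0] == "halt":
                break
            ins, *ops = prog[self.pc]
            nxt = self.pc + 1
            if ins == "mov":                          # mov dst, src
                self.regs[ops[0]], self.rtaint[ops[0]] = self._src(ops[1])
            elif ins in ("add", "sub", "xor"):        # taint(dst) |= taint(src)
                a, ta = self._src(ops[0])
                b, tb = self._src(ops[1])
                v = {"add": a + b, "sub": a - b, "xor": a ^ b}[ins] & 0xFFFFFFFF
                # xor reg,reg always yields 0: treated as a sanitising idiom, taint dropped
                clean = ins == "xor" and ops[0] == ops[1]
                self.regs[ops[0]], self.rtaint[ops[0]] = v, (ta or tb) and not clean
            elif ins == "store":                      # store ("mem", base, off), src
                self._wr(self.regs[ops[0][1]] + ops[0][2], *self._src(ops[1]))
            elif ins == "recv":                       # recv dst_reg, bytes (network input)
                self.recv(self.regs[ops[0]], ops[1])
            elif ins == "jmp":
                nxt = self._target(ops[0], "tainted jump target")
            elif ins == "call":                       # push return address, then transfer
                self.regs["esp"] -= WORD
                self._wr(self.regs["esp"], nxt, False)
                nxt = self._target(ops[0], "tainted call target")
            elif ins == "ret":                        # return address is read from memory
                nxt = self._target(("mem", "esp", 0), "tainted return address")
                self.regs["esp"] += WORD
            elif ins == "syscall":                    # syscall nr, *argument operands
                for op in ops[1:]:
                    if self._src(op)[1]:
                        self.alerts.append((self.pc, "tainted syscall argument", f"syscall {ops[0]}"))
            self.pc = nxt
        return self.alerts[0] if self.alerts else None


def overflow_scenario():
    """Stack overrun: 20 network bytes into a 16-byte buffer clobber the saved return address."""
    vm = TaintVM()
    payload = b"A" * 16 + struct.pack("<I", 0xDEADBEEF)   # constructed attacker message
    prog = [
        ("call", 2),                 # 0: main -> handler
        ("halt",),                   # 1
        ("sub", "esp", 16),          # 2: handler: 16-byte stack buffer at [esp]
        ("recv", "esp", payload),    # 3: recv() with an oversized length
        ("add", "esp", 16),          # 4
        ("ret",),                    # 5: pops the now-tainted return address -> alert
    ]
    return vm.run(prog)


def benign_scenario():
    """Network data used only as data: it propagates into ebx but never reaches a transfer."""
    vm = TaintVM()
    prog = [
        ("sub", "esp", 16),
        ("recv", "esp", struct.pack("<I", 5)),      # constructed: a length field
        ("mov", "eax", ("mem", "esp", 0)),          # eax tainted by the load
        ("add", "ebx", "eax"),                      # taint propagates into ebx
        ("xor", "eax", "eax"),                      # eax cleared, taint dropped
        ("mov", "ecx", 7),
        ("jmp", "ecx"),                             # clean target: no alert
        ("halt",),
    ]
    return vm.run(prog), vm.rtaint["ebx"], vm.rtaint["eax"]
```

The overrun case alerts at the RET with the address 0xdeadbeef that the attacker supplied, before any injected byte executes; the benign case shows why a pure propagation rule is not enough on its own: ebx stays tainted forever, but nothing fires because taint is only checked where it would redirect control. Argos additionally catches execution of instructions fetched from tainted memory, which this toy does not model.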
18
SweetBait Design
19
Logs Format
20
Forensics Shellcode Injection
(Windows PE, ELF, etc)
Process Address Space
  • Look up the process's read-only pages
  • Inject code at the last text segment page
  • Point EIP to the shellcode

[Diagram: process address space, .text segment]
21
Forensics The Snitch
  • pid = getpid()
  • rid injected by Argos
  • Connect(localhost)
  • Send(pid, rid)
  • Listen()
  • Accept()
  • Read(pid, rid)
  • Exec(Netstat or OpenPorts)
  • Connect(argos host)
  • Send(info)
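The first two injection steps of slide 20 (find the read-only pages, pick the last page of the text segment) can be illustrated on a Linux /proc/<pid>/maps listing. This is an added example and not Argos's own injector, which works on guest memory from inside the emulator; the maps listing is constructed here, the helper names are this example's own, and the choice of the first file-backed r-x mapping as the main image is an assumption about the usual non-PIE layout rather than something the slides state.

```python
"""Pick an injection page for forensic shellcode from a Linux /proc/<pid>/maps listing.
Added example, not Argos code: a userland analogue of "last page of the text segment"."""
import re

# Constructed sample listing, not captured from a real process.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 1234       /usr/sbin/httpd
0804c000-0804d000 rw-p 00003000 08:01 1234       /usr/sbin/httpd
b7e00000-b7f40000 r-xp 00000000 08:01 5678       /lib/libc.so.6
b7f40000-b7f42000 rw-p 00140000 08:01 5678       /lib/libc.so.6
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

PAGE = 0x1000
# start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, path) for each mapping line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return out


def readonly_exec(mappings):
    """Read-only, executable, file-backed mappings: the text segments of loaded images."""
    return [m for m in mappings
            if m[2][0] == "r" and m[2][1] == "-" and m[2][2] == "x"
            and m[3] and not m[3].startswith("[")]


def injection_target(maps_text, shellcode_len, image_path=None):
    """Address of the last page of the chosen text segment, plus the image it belongs to.
    Default: the first file-backed r-x mapping (assumed to be the main, non-PIE image)."""
    text = readonly_exec(parse_maps(maps_text))
    if image_path:
        text = [m for m in text if m[3] == image_path]
    if not text:
        raise ValueError("no read-only executable segment found")
    if shellcode_len > PAGE:
        raise ValueError("shellcode does not fit in one page")
    _start, end, _perms, path = text[0]
    return end - PAGE, path
```

The returned address is where the shellcode would be written (after the page is made writable) and what EIP is then pointed at, which is the third step on the slide. Because the target page is live code, the injected process cannot be expected to resume normal operation afterwards; in the Argos setting that is acceptable since the process is already known to be compromised.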