The NoAH approach to zeroday worm detection - PowerPoint PPT Presentation
1 / 62
Title:
The NoAH approach to zeroday worm detection
Description:
based on Qemu, an emulator. Asia Slowinska, Vrije Universiteit ... Argos Emulator. Guest OS. Host OS. Applications. Log. Asia Slowinska, Vrije Universiteit ... – PowerPoint PPT presentation
Number of Views:62
Avg rating:3.0/5.0
Title: The NoAH approach to zeroday worm detection
1
The NoAH approach to
zero-day worm detection
- Asia Slowinska (asia_at_few.vu.nl)
- Vrije Universiteit, Amsterdam
2
What is NoAH?
- NoAH is a Specific Support Action in the Sixth
Framework Programme of the European Union - Start 1st April 2005
- End 31st March 2008
- Homepage http//www.fp6-noah.org/
3
Why?
- Too many vulnerabilities
- New worm attacks
- Human intervention too slow
- Current solutions are not perfect
- Time consuming
- Inaccurate
4
Why?
- Too many vulnerabilities
- New worm attacks
- Human intervention too slow
- Current solutions are not perfect
- Time consuming
- Inaccurate
5
Why?
- Too many vulnerabilities
- New worm attacks
- Human intervention too slow
- Current solutions are not perfect
- Time consuming
- Inaccurate
6
Why?
- Too many vulnerabilities
- New worm attacks
- Human intervention too slow
- Current solutions are not perfect
- Time consuming
- Inaccurate
7
Goals
- Design and develop infrastructure for security
monitoring based on honeypots technology - Detect most common attack vectors
- Detect worms in early stage of spreading
- Gather information about attacks
- Generate signatures
8
Honeypots
- A computer system acting as a decoy
- does not provide regular services
- lures in potential hackers in order to study
their activities - honeypots in NoAH listen to unused IP address
space, called further dark space - Two basic types of honeypots
- low interaction (LI) emulate services
- high interaction (HI) run real applications
9
NoAH architecture
Participating Organization
Honey _at_home
Funnel
Internet
Internet
Tunnel
NoAH Core
Funnel
LI honeypot
LI honeypot
LI honeypot
LI honeypot
HI honeypot
HI honeypot
10
NoAH architecture
Participating Organization
Honey _at_home
Funnel
Internet
Internet
Tunnel
NoAH Core
Funnel
LI honeypot
LI honeypot
LI honeypot
LI honeypot
HI honeypot
HI honeypot
11
NoAH architecture
Participating Organization
Honey _at_home
Funnel
Internet
Internet
Tunnel
NoAH Core
Funnel
LI honeypot
LI honeypot
LI honeypot
LI honeypot
HI honeypot
HI honeypot
12
NoAH architecture
Participating Organization
Honey _at_home
Funnel
Internet
Internet
Tunnel
NoAH Core
Funnel
LI honeypot
LI honeypot
LI honeypot
LI honeypot
HI honeypot
HI honeypot
13
NoAH architecture
Participating Organization
Honey _at_home
Funnel
Internet
Internet
Tunnel
NoAH Core
Funnel
LI honeypot
LI honeypot
LI honeypot
LI honeypot
HI honeypot
HI honeypot
14
Core organizations
- host NoAH honeypots
- problem wide dark address space we could
monitor vs limited number of honeypots
15
Core organizations
11.12.15.1
- host NoAH honeypots
- problem wide dark address space we could
monitor vs limited number of honeypots - solution funelling
11.12.15.0/16
11.12.1.1
Internet
NoAH Core
Funnel
11.12.1.1
LI honeypot
HI honeypot
16
Core organizations
11.12.15.1
11.12.15.10
- host NoAH honeypots
- problem wide dark address space we could
monitor vs limited number of honeypots - solution funelling
11.12.15.0/16
11.12.1.1
Internet
NoAH Core
Funnel
11.12.1.1
LI honeypot
HI honeypot
17
Core organizations
11.12.15.1
11.12.15.10
- host NoAH honeypots
- problem wide dark address space we could
monitor vs limited number of honeypots - solution funelling
11.12.15.3
11.12.15.0/16
11.12.1.1
Internet
NoAH Core
Funnel
11.12.1.1
LI honeypot
HI honeypot
18
Core organizations
11.12.15.1
11.12.15.10
- host NoAH honeypots
- problem wide dark address space we could
monitor vs limited number of honeypots - solution funelling
11.12.15.3
11.12.15.5
11.12.15.0/16
11.12.1.1
Internet
NoAH Core
Funnel
11.12.1.1
LI honeypot
HI honeypot
19
Cooperating organizations
Participating Organization
- do not maintain NoAH honeypots
- traffic arriving at the dark space is redirected
to the NoAH core - install and run funnel component only
Funnel
Internet
Tunnel
NoAH Core
LI honeypot
HI honeypot
20
Honey_at_home
- homes or small offices
- a honeypot daemon running in the background
- easy to install
- dark space
- unused IP addresses
- unused TCP/UDP ports (or a subset of them)
- forwards all traffic for the dark space to the
NoAH core via an anonymous path
Honey _at_home
Anonymous path
Internet
NoAH Core
LI honeypot
HI honeypot
21
Cooperation between LI and HI honeypots
High-interaction honeypots
Low-interaction honeypots
Windows XP IIS v2.0
Attacker
honeyd instance
RedHat Linux 9.0 SSH server v1.7 SMTP server
Attacker
RedHat Linux 9.0 SSH server v2.4 Apache v1.3
honeyd instance
Windows 2000 Oracle 10g
Attacker
22
High-interaction honeypots in NoAH Argos
- based on Qemu, an emulator
- protects multiple OSs and all applications
without modification - employs dynamic taint analysis
- detects attacks that divert conventional control
flow, e.g., exploits for buffer overflows, format
strings, and double-free vulnerabilities
23
Argos design
Applications
Guest OS
Argos Emulator
Host OS
24
Argos design
Applications
Guest OS
Argos Emulator
Host OS
25
Argos design
Applications
Guest OS
Argos Emulator
Host OS
26
Argos design
Applications
Guest OS
Argos Emulator
Host OS
27
Argos design
Applications
Guest OS
Argos Emulator
Host OS
28
Argos design
Applications
Guest OS
Argos Emulator
Host OS
29
Argos design
Applications
Guest OS
Argos Emulator
Host OS
Signature and information about attack
30
Forensics in Argos
Applications
Guest OS
Argos Emulator
Host OS
31
Forensics in Argos
Forensics
Snitch
Applications
Guest OS
Argos Emulator
Host OS
Signature, information about attack and
additional information about the vulnerable
application
32
Attack detection
- redirect control flow
- program counter must be loaded with a tainted
value - keep track of call, jmp and ret instructions
- check that the value loaded in program counter
is not tainted - code-injection attacks
- format string attacks do not overwrite program
counter with a tainted value - check that the memory pointed by the value
loaded in program counter is not tainted
33
Argos simple example
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
34
Argos simple example
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
35
Argos simple example
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
36
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
saved EIP
address for returning to main
low addresses
37
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
saved EIP
address for returning to main
saved EBP
main's EBP
url
100 bytes
low addresses
38
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
saved EIP
address for returning to main
saved EBP
main's EBP
url
100 bytes
low addresses
39
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
address for returning to main
nasty address
main's EBP
AAAA
AAAA
100 bytes
AAAA
low addresses
40
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
address for returning to main
nasty address
main's EBP
AAAA
AAAA
100 bytes
AAAA
low addresses
41
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
address for returning to main
nasty address
main's EBP
AAAA
AAAA
100 bytes
AAAA
low addresses
42
Argos simple example
high addresses
int main(int argc, char argv) if (argc gt 1)
read_url(argv1) return 1 int
read_url(char request) char url100 if
(!strncmp(request, GET , 4)) strcpy(url,
request 4) return 1
address of array containing request
address for returning to main
nasty address
main's EBP
AAAA
AAAA
100 bytes
AAAA
low addresses
43
Security evaluation
44
Performance
45
http//www.few.vu.nl/argos
- http//www.fp6-noah.org
46
NoAH partners
- Foundation of Research and Technology (FORTH),
Heraklion, Greece coordinator - Vrije Universiteit, Amsterdam, The Netherlands
- ETH, Zurich, Switzerland
- TERENA, Amsterdam, The Netherlands
- FORTHnet SA, Heraklion, Greece
- DFN-CERT, Hamburg, Germany
- Virtual Trip Limited, Greece
- ALCATEL, France
47
Backup slides
48
Funneling
- arpd to collect IP addresses
- user-space daemon that responds to ARP requests
arriving to the network interface of the honeypot - honeyd handles traffic arriving at honeypots
- funneling has no overhead
- we tested emulating /24, /16, and /8 subnets
without any noticeable difference in performance
49
Tunneling
- OpenVPN 2.0 as tunnel software
- Encrypted channel, supports packet compression
50
Honey_at_home - challenges
- We cannot trust clients
- Anyone will be able to set up honey_at_home
- Clients must not know the address of honeypot
- Honeypots may become victims of flooding
- Address of client must also remain hidden
- Attacker can use their black space for flooding
- Computer-based mass installation of mockup
client should be prevented
51
Network Data Tracking
Reg B network_read
Registers
52
Network Data Tracking
Reg B network_read
Registers
53
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
54
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
55
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
Registers
Memory(B) Reg B
Memory
56
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
Registers
Memory(B) Reg B
Memory
57
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
Registers
Memory(B) Reg B
Memory
Reg B Reg A / 12.34 (Sanitise data)
58
Network Data Tracking
Reg B network_read
Registers
Reg A Reg A Reg B
Registers
Memory(B) Reg B
Memory
Reg B Reg A / 12.34 (Sanitise data)
59
Guest forensics
Snitch
Applications
Virtual address space
Process name Linked libraries Open Ports
Guest OS
Virtual address space
Argos Emulator
Registers
Memory
60
Forensics shellcode injection
- lookup process's read-only pages
- inject code at last text segment page
- point EIP to shellcode
Process Address Space
.text
61
Forensics Snitch
- pid getpid()
- connect(localhost)
- send(pid)
- listen()
- accept()
- read(pid)
- exec(netstat or OpenPorts)
- connect(argos host)
- send(info)
62
Network tracking
RAM
Reg A
Reg B
Network trace
Network flows
