The NoAH approach to zero-day worm detection
Asia Slowinska (asia@few.vu.nl)
Vrije Universiteit, Amsterdam
What is NoAH? : NoAH is a Specific Support Action in the Sixth Framework Programme of the European Union
Start: 1st April 2005
End: 31st March 2008
Homepage: http://www.fp6-noah.org/
Why? : Too many vulnerabilities
New worm attacks
Human intervention too slow
Current solutions are not perfect:
  time consuming
  inaccurate
Goals : Design and develop an infrastructure for security monitoring based on honeypot technology
Detect most common attack vectors
Detect worms in early stage of spreading
Gather information about attacks
Generate signatures
Honeypots : A computer system acting as a decoy
does not provide regular services
lures potential attackers in order to study their activities
honeypots in NoAH listen on unused IP address space, referred to below as dark space
Two basic types of honeypots:
  low interaction (LI) – emulate services
  high interaction (HI) – run real applications
NoAH architecture : [diagram] The NoAH Core hosts several LI honeypots and HI honeypots behind a Funnel facing the Internet; a Participating Organization forwards its dark-space traffic to the Core through its own Funnel, and a Honey@home client does so through a Tunnel.
Core organizations : host NoAH honeypots
problem: wide dark address space we could monitor vs limited number of honeypots
solution: funnelling
[diagram] Traffic from the Internet for a whole dark subnet (11.12.15.0/16 in the slide) reaches the NoAH Core Funnel, which forwards it to a small number of honeypots: individual dark addresses such as 11.12.15.1, 11.12.15.10, 11.12.15.3 and 11.12.15.5 are served by one LI honeypot and one HI honeypot (the funnel itself is shown as 11.12.1.1).
Cooperating organizations : do not maintain NoAH honeypots
traffic arriving at the dark space is redirected to the NoAH core
install and run the funnel component only
[diagram] A Participating Organization runs a Funnel that sends its dark-space traffic over a Tunnel to the NoAH Core, where the LI and HI honeypots answer it.
Honey@home : homes or small offices
a honeypot daemon running in the background
easy to install
dark space:
  unused IP addresses
  unused TCP/UDP ports (or a subset of them)
forwards all traffic for the dark space to the NoAH core via an anonymous path
[diagram] A Honey@home client sends traffic from the Internet over an anonymous path to the NoAH Core, where the LI and HI honeypots handle it.
Cooperation between LI and HI honeypots : [diagram] Attackers first reach the low-interaction honeypots (honeyd instances), which hand traffic on to the high-interaction honeypots running real systems: Windows XP with IIS v2.0, RedHat Linux 9.0 with SSH server v1.7 and an SMTP server, RedHat Linux 9.0 with SSH server v2.4 and Apache v1.3, and Windows 2000 with Oracle 10g.
High-interaction honeypots in NoAH – Argos : based on Qemu, an emulator
protects multiple OSs and all applications without modification
employs dynamic taint analysis
detects attacks that divert conventional control flow, e.g., exploits for buffer overflows, format strings, and double-free vulnerabilities
Argos design : [diagram] Applications run on an unmodified Guest OS inside the Argos Emulator, which itself runs on the Host OS; when an attack is detected, Argos emits a signature and information about the attack.
Forensics in Argos : [diagram] The same stack (Applications, Guest OS, Argos Emulator, Host OS) with a Snitch component inside the guest and a Forensics component on the host; the output is a signature, information about the attack, and additional information about the vulnerable application.
Attack detection :
Attacks that redirect control flow:
  the program counter must be loaded with a tainted value
  keep track of call, jmp and ret instructions
  check that the value loaded into the program counter is not tainted
Code-injection attacks:
  format string attacks do not overwrite the program counter with a tainted value
  check that the memory pointed to by the value loaded into the program counter is not tainted
Argos: simple example :

    #include <string.h>

    int read_url(char *request);

    int main(int argc, char **argv)
    {
        if (argc > 1) read_url(argv[1]);
        return 1;
    }

    int read_url(char *request)
    {
        char url[100];                       /* fixed-size buffer on the stack */
        if (!strncmp(request, "GET ", 4))
            strcpy(url, request + 4);        /* no length check: a long request overflows url */
        return 1;
    }

Stack frame of read_url, from high addresses to low addresses:
  address of the array containing the request (the argument)
  saved EIP: the address for returning to main
  saved EBP: main's EBP
  url: 100 bytes

After a request longer than 100 bytes, url and the saved EBP are filled with AAAA... and the saved EIP is replaced by the "nasty address" supplied in the request. When read_url returns, that address is loaded into the program counter; because it is tainted (it came from the network), Argos detects the attack.
Security evaluation :
Performance :
Links : http://www.fp6-noah.org http://www.few.vu.nl/argos
NoAH partners : Foundation of Research and Technology (FORTH), Heraklion, Greece – coordinator
Vrije Universiteit, Amsterdam, The Netherlands
ETH, Zurich, Switzerland
TERENA, Amsterdam, The Netherlands
FORTHnet SA, Heraklion, Greece
DFN-CERT, Hamburg, Germany
Virtual Trip Limited, Greece
ALCATEL, France
Backup slides
Funneling : arpd to collect IP addresses
  user-space daemon that responds to ARP requests arriving at the network interface of the honeypot
honeyd handles traffic arriving at honeypots
funneling has no overhead
  we tested emulating /24, /16, and /8 subnets without any noticeable difference in performance
Tunneling : OpenVPN 2.0 as tunnel software
Encrypted channel, supports packet compression
Honey@home - challenges : We cannot trust clients
  Anyone will be able to set up honey@home
Clients must not know the address of the honeypot
  Honeypots may become victims of flooding
Address of client must also remain hidden
  Attacker can use their black space for flooding
Computer-based mass installation of mockup clients should be prevented
Network Data Tracking : [animated diagram with a Registers panel and a Memory panel, built up step by step]
1. Reg B = network_read
2. Reg A = Reg A + Reg B
3. Memory(B) = Reg B
4. Reg B = Reg A / 12.34 (Sanitise data)
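As an added illustration that is not Argos code and not part of the original slides, a small Python model of the taint propagation on the Network Data Tracking slide and of the two control-flow checks on the Attack detection slide. The instruction set, register names, addresses and the explicit sanitise operation that clears a taint bit are assumptions of the model.

```python
class TaintAlert(Exception): pass

def run(program):
    """Execute (op, *args) tuples; raise TaintAlert on a tainted control transfer."""
    regs, rtaint = {}, {}          # register values and their taint bits
    mem, mtaint = {}, set()        # memory words and the addresses holding tainted data
    for op, *args in program:
        if op == "net_read":       # Reg = network_read(): bytes off the wire are tainted
            regs[args[0]], rtaint[args[0]] = args[1], True
        elif op == "const":        # Reg = immediate: never tainted
            regs[args[0]], rtaint[args[0]] = args[1], False
        elif op == "add":          # Reg A = Reg A + Reg B: tainted if either input is
            dst, src = args
            regs[dst] += regs[src]
            rtaint[dst] = rtaint[dst] or rtaint[src]
        elif op == "store":        # Memory(Reg addr) = Reg src: the word inherits the taint
            addr, src = regs[args[0]], args[1]
            mem[addr] = regs[src]
            (mtaint.add if rtaint[src] else mtaint.discard)(addr)
        elif op == "load":         # Reg dst = Memory(Reg addr)
            dst, addr = args[0], regs[args[1]]
            regs[dst], rtaint[dst] = mem[addr], addr in mtaint
        elif op == "sanitise":     # assumption: an explicit clean-up step clears the bit
            rtaint[args[0]] = False
        elif op == "jmp":          # call/jmp/ret: the two checks from the Attack detection slide
            reg = args[0]
            if rtaint[reg]:
                raise TaintAlert(f"program counter loaded from tainted register {reg}")
            if regs[reg] in mtaint:
                raise TaintAlert(f"jump to {regs[reg]:#x}, whose contents came from the network")
    return regs, rtaint, mem, mtaint

def detect(program):
    """Return the alert text for a program, or None when no check fires."""
    try:
        run(program)
    except TaintAlert as alert:
        return str(alert)
    return None

# Constructed sample programs; register names and addresses are arbitrary.
OVERWRITTEN_RETURN = [  # the read_url overflow: network bytes land on the saved return address
    ("net_read", "B", 0x41414141), ("const", "SP", 0x1000), ("store", "SP", "B"),
    ("load", "PC", "SP"), ("jmp", "PC")]          # ret pops the saved EIP and jumps to it
INJECTED_CODE = [       # the pointer is clean, but it targets a buffer filled from the network
    ("net_read", "B", 0x90909090), ("const", "BUF", 0x2000), ("store", "BUF", "B"),
    ("jmp", "BUF")]
SANITISED = [           # tainted arithmetic, then an explicit clean-up before the jump
    ("net_read", "B", 4), ("const", "A", 0x4000), ("add", "A", "B"),
    ("sanitise", "A"), ("jmp", "A")]
```

Calling detect on the three sample programs shows the first two firing the register check and the memory check respectively, while the sanitised one passes.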
Guest forensics : [diagram] Applications and the Guest OS run inside the Argos Emulator, each with its own virtual address space; the Snitch reads registers and memory of the guest and reports the process name, linked libraries and open ports.
Forensics shellcode injection : look up the process's read-only pages
inject the forensics code at the last page of the text segment
point EIP to that code
[diagram] the .text region of the process address space
Forensics Snitch : [diagram of the exchange between the injected code and the Snitch]
Injected code in the compromised process:
  pid = getpid()
  connect(localhost)
  send(pid)
Snitch:
  listen()
  accept()
  read(pid)
  exec(netstat or OpenPorts)
  connect(argos host)
  send(info)
Network tracking : [diagram] RAM and registers Reg A and Reg B are linked back to the network trace and its network flows.