ppt for honey pot


Comments

By: sangeeta_goel (29 month(s) ago)

Sir, honeypot is my final year seminar topic, so kindly send me this ppt at goelsangeeta43@gmail.com

By: bittythomas (37 month(s) ago)

Sir, kindly send me this ppt at bittythomasadoor@gmail.com

By: satyarout80 (41 month(s) ago)

Sir, the ppt is very good. Please send it to me at satyarout80@gmail.com

By: neemkar (41 month(s) ago)

Please, I'm in need of this ppt... try to give me a downloading option.

By: pritirajvanshi (41 month(s) ago)

The ppt is very good.

Presentation Transcript

Slide 1: 

Xebek: A next generation honeypot monitoring system
Nguyen Anh Quynh, Takefuji-lab, Keio University, Japan
EuSecWest/Core06, London, Feb 20-21, 2006

Who am I ? : 

Who am I?
- Nguyen Anh Quynh, from Vietnam
- Currently a PhD candidate at Keio University, Japan
- Interests: computer security, operating systems, robust systems, virtualization
- Non-geek hobbies: traveling, reading and playing soccer

Motivation : 

Motivation
- Sebek is the data capture tool of the honeynet
- But there are various ways to defeat Sebek
- Xebek is our solution on Xen virtual machines to address Sebek's problems: more covert, more flexible

Overview : 

Overview
- Honeynet architecture and Sebek
- Sebek's problems
- Xebek comes to the rescue
- Introduction to the Xen virtual machine
- Xebek architecture and implementation
- Demonstration
- Q & A

Part I : 

Part I: Honeynet architecture and Sebek
- Honeypot introduction
- Honeynet architecture
- Sebek technology

Honeypot technology : 

Honeypot technology
- What is a honeypot? An information system resource whose value lies in unauthorized or illicit use of that resource
- It has no production value, so anything going in or out of the honeypot is likely a probe, attack or compromise
- Its primary value to most organizations is information

Honeypot impact : 

Honeypot impact
Advantages:
- Highly valuable data
- Reduces false positives
- Catches new attacks (0-day bugs?) and false negatives
- Works in encrypted or IPv6 environments
Disadvantages:
- Limited view
- Risk of being taken over

Honeypot types : 

Honeypot types: categorized by level of interaction
- Low-interaction: emulates services, applications, OSes. Low risk and easy to deploy/maintain, but captures limited information. Example: Honeyd
- High-interaction: real services, applications, OSes. Captures extensive information, but high risk and hard to maintain. Example: Honeynet

How honeynet works : 

How honeynet works A highly controlled network where every packet entering or leaving is monitored, captured and analyzed

Honeynet components : 

Honeynet components: 3 key components
- Data control
- Data capture
- Data analysis

Data control : 

Data control: mitigate the risk of the honeynet being used to harm production systems
- Count outbound connections
- IPS (Snort-Inline)
- Bandwidth throttling

Data capture : 

Data capture: capture activities at various levels
- Application
- Network
- OS level

Data analysis : 

Data analysis: manage and analyze the data captured from honeypots
- Investigate malware
- Forensic purposes

Honeynet generations : 

Honeynet generations
- Gen I
- Gen II, Gen III (current): a radical change in architecture that focuses on the data capture tool
- Sebek is that data capture tool

Sebek : a data capture tool : 

Sebek: a data capture tool
- Born in Honeynet Gen II
- Plays a key role in the Honeynet Gen III architecture (current)
- A hidden kernel module that captures all host activities
- Dumps activity to the network via UDP to a central logging machine
- Fools the attacker by modifying the network stack, so Sebek traffic is invisible (well, almost!)

Sebek architecture : 

Sebek architecture: Sebek components
- Data capture tool: the Sebek client
- Central logging server: the Sebek server (sebekd)

Sebek client technique : 

Sebek client technique
- Data capture: patches the system calls (open/fork/read/write/socket)
- Sends the gathered data out via the network stack (UDP)

Part 2 : 

Part 2: Current problems of Sebek
- Easy to identify. How easy? Possible even for an unprivileged user. How? 7 methods to defeat Sebek

Sebek client requirement : 

Sebek client requirement
- The most vital requirement for a data capture tool: function as covertly as possible
- Otherwise, game over: no more chance to watch the attacker, no more chance to catch a 0-day bug (you daydream?), and the attacker can corrupt the honeypot. Who fools whom then?

But can Sebek deliver? : 

But can Sebek deliver? Hmm, not really. Various ways to defeat Sebek:
1. Can be discovered even by an unprivileged user
2. Network statistics disclose Sebek
3. Brute-force scanning method
4. System-call address checking
5. Removing Sebek is feasible
6. Sniff at the right place
7. Bring down the central logging server

Method (1) : 

Method (1): Sebek can be discovered even by an unprivileged user
- dd-attack (proposed by Maximilian et al.): generate lots of data (e.g. by writing with dd) and check whether the network becomes congested
- Why it works: the network stack is employed to send the captured data out, so every byte written locally turns into traffic

Method (2) : 

Method (2): Network statistics disclose Sebek
- Compare dev->get_stats()->tx_bytes with the value reported in /proc/net/dev
- Why it works: the network stack is employed to send data out, and Sebek hides its own traffic from /proc/net/dev, so the two counters disagree

Method (3) : 

Method (3): Brute-force scanning for the hidden kernel module
- Look for hidden kernel modules, e.g. with the airt tool by madsys
- Why it works: Sebek is implemented as a kernel module

Method (4) : 

Method (4): System-call address checking
- Are the system-call addresses at abnormal places (outside the kernel text)?
- Why it works: Sebek replaces the original system calls

Method (5) : 

Method (5): Removing Sebek is feasible (unsebek.c by J. Corey)
- Look for the sys_call_table by scanning memory
- Recover the original system calls using exported symbols
- Why it works: Sebek replaces the original system calls, and the originals are still present and findable
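Methods (4) and (5) reduce to the same check: every sys_call_table entry should point into the kernel's own text, and for a hooked entry the exported symbol of the same name tells you where the original handler lives. The following is an added example (not Sebek, unsebek.c or Xebek code) of that logic run over a constructed System.map-style symbol list and a constructed syscall table; the addresses, the symbol names and the module-space addresses used for the "hooked" entries are all invented. A real checker would read /proc/kallsyms or System.map and the live table instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One kernel symbol, as parsed from a System.map line: "<addr> <type> <name>". */
struct sym { uintptr_t addr; char name[32]; };

/* Constructed System.map excerpt; the addresses are invented i386 kernel addresses. */
static const char *SYSTEM_MAP =
    "c0100000 T _text\n"
    "c0150000 T sys_read\n"
    "c0150100 T sys_write\n"
    "c0150200 T sys_open\n"
    "c0150300 T sys_fork\n"
    "c0150400 T sys_socketcall\n"
    "c02fffff T _etext\n";

static int parse_map(const char *text, struct sym *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        unsigned long a; char type; char name[32];
        if (sscanf(p, "%lx %c %31s", &a, &type, name) == 3) {
            out[n].addr = a;
            strncpy(out[n].name, name, sizeof out[n].name - 1);
            out[n].name[sizeof out[n].name - 1] = '\0';
            n++;
        }
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return n;
}

static uintptr_t lookup(const struct sym *s, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(s[i].name, name) == 0) return s[i].addr;
    return 0;
}

/* One sys_call_table slot: the handler name we expect there and the address found. */
struct sc { const char *name; uintptr_t handler; };

/* Flags every entry whose handler lies outside [_text, _etext), i.e. in module or
 * vmalloc space where a loaded module such as Sebek would put its replacement.
 * For each hooked entry, restored[i] receives the exported symbol's address (0 if
 * the symbol is unknown). Returns the number of hooked entries, -1 if the map has
 * no _text/_etext bounds. */
int check_syscall_table(const struct sc *table, int n, const char *map, uintptr_t *restored)
{
    struct sym syms[64];
    int ns = parse_map(map, syms, 64);
    uintptr_t text = lookup(syms, ns, "_text"), etext = lookup(syms, ns, "_etext");
    if (!text || !etext) return -1;
    int hooked = 0;
    for (int i = 0; i < n; i++) {
        restored[i] = 0;
        if (table[i].handler < text || table[i].handler >= etext) {
            hooked++;
            restored[i] = lookup(syms, ns, table[i].name);
        }
    }
    return hooked;
}

/* Constructed table: read and write redirected into module space (0xd08xxxxx is
 * in the i386 vmalloc area where modules are loaded), the rest untouched. */
static const struct sc demo_table[] = {
    { "sys_read",       0xd0801000 },
    { "sys_write",      0xd0801200 },
    { "sys_open",       0xc0150200 },
    { "sys_fork",       0xc0150300 },
    { "sys_socketcall", 0xc0150400 },
};

int main(void)
{
    uintptr_t restored[5];
    int hooked = check_syscall_table(demo_table, 5, SYSTEM_MAP, restored);
    printf("%d hooked entries\n", hooked);
    for (int i = 0; i < 5; i++)
        if (restored[i])
            printf("  %-14s at %#lx, original %#lx\n", demo_table[i].name,
                   (unsigned long)demo_table[i].handler, (unsigned long)restored[i]);
    return 0;
}
```

The check is only as good as the symbol list: a kernel built without System.map, or a data capture tool that is compiled into the kernel rather than loaded as a module (which is exactly what Xebek does later in this talk), gives it nothing to flag.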

Method (6) : 

Method (6): Detect the honeypot with Sebek by sniffing at the right place
- From outside the honeypot (on a machine the attacker controls), sniff the UDP packets the Sebek client sends to sebekd
- Why it works: Sebek sends the captured data out to another machine

Method (7) : 

Method (7): Bring down the central logging server
- The data logging server (sebekd) is built on libpcap; a vulnerable libpcap lets an attacker crash it with malicious packets (J. Corey's method)
- Why it works: sebekd is exposed to the network

Results make Sebek sux ? : 

Results: what makes Sebek weak
(1) Uses the network stack to send data out
(2) Data can be sniffed
(3) Functions as a kernel module and replaces the original system calls
(4) The central logging server (sebekd) is exposed to the network
(5) Data transfer might not be reliable (UDP)

Do you still think that current honeynet can fool skillful hackers? : 

Do you still think that the current honeynet can fool skillful hackers? I seriously doubt it! Should we give up? No, let's keep fighting and raise the bar a little bit ;-)

Part 3 : 

Part 3: Xebek comes to the rescue
- Virtual honeypot on a virtual machine
- Xen virtual machine technology
- The Xebek solution

How to fix Sebek's problems : 

How to fix Sebek's problems
- Bring in virtual machine technology: Xen
- Exploit the advantages introduced by Xen to address the outstanding problems

What is Xen ? : 

What is Xen?
- Xen extensions to the x86 architecture: like x86, but Xen is invoked for privileged operations
- Avoids binary rewriting
- Minimizes the number of privilege transitions into Xen
- Modifications are relatively simple and self-contained
- The kernel is modified to understand the virtualised environment: wall-clock time vs. virtual processor time (both types of alarm timer are desired); real resource availability is exposed, which enables the OS to optimise its own behaviour

Xen 3.0 Architecture : 

[Diagram: Xen 3.0 architecture. The Xen Virtual Machine Monitor (event channel, virtual CPU, virtual MMU, control IF, safe HW IF; VT-x, 32/64-bit, SMP, ACPI, AGP, PCI) sits on the hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE). Domain-0 runs a XenLinux guest with native device drivers, back-end drivers and the device manager and control software. Domain-U guests run unmodified user software on either XenLinux with front-end device drivers or an unmodified guest OS such as WinXP.]

Xen's main components : 

Xen's main components
- The Xen hypervisor runs on top of the hardware
- Domains, with kernels modified for the Xen architecture, run on top of Xen
- Special device drivers in Dom0 and DomU (back-end/front-end architecture)
- Xen control tools in Dom0 (xend, xm)
- Others: xenbus, xenstore, event channels, balloon driver, ...

Virtualization approaches : 

Virtualization approaches
- Single OS image (Virtuozzo, VServers, Zones): group user processes into resource containers; hard to get strong isolation
- Full virtualization (VMware, VirtualPC, QEMU): run multiple unmodified guest OSes; hard to virtualize x86 efficiently
- Para-virtualization (UML, Xen): run multiple guest OSes ported to a special architecture; the Xen/x86 architecture is very close to normal x86

x86 CPU virtualization : 

x86 CPU virtualization
- Xen runs in ring 0 (most privileged); rings 1/2 for the guest OS, ring 3 for user space
- GPF if a guest attempts to use a privileged instruction
- Xen lives in the top 64MB of the linear address space; segmentation is used to protect Xen, as switching page tables is too slow on standard x86
- Hypercalls jump to Xen in ring 0

MMU Micro-Benchmarks : 

[Chart: MMU micro-benchmarks. lmbench results for page fault (µs) and process fork (µs) on Linux (L), Xen (X), VMware Workstation (V) and UML (U), normalised to Linux.]

TCP results : 

[Chart: TCP results. TCP bandwidth (Mbps) for Tx and Rx at MTU 1500 and MTU 500 on Linux (L), Xen (X), VMware Workstation (V) and UML (U), normalised to Linux.]

Scalability : 

[Chart: Scalability. Simultaneous SPEC WEB99 instances (2, 4, 8, 16) on Linux (L) and Xen (X), score axis 0 to 1000.]

Xen's future: Bright : 

Xen's future: bright
- Xen 3.0 was released at the end of 2005
- Objective: to be gradually merged into the Linux kernel from the first half of 2006
- Already adopted by ISPs, datacenters, banks, ...
- Will be widely used in the near future

Xen-based honeynet : 

[Diagram: Xen-based honeynet. The same Xen architecture as before: the Xen VMM (event channel, virtual CPU, virtual MMU, control IF, safe HW IF, SMP) on the hardware; Domain-0 with XenLinux, native and back-end device drivers and the device manager and control software; and several Domain-U honeypots (XenLinux with front-end device drivers, or an unmodified guest such as WinXP) running unmodified user software.]

Xen for virtual Honeynet : 

Xen for a virtual honeynet
Advantages:
- Free, open source
- Portable
- Plug and catch
Disadvantages:
- Single point of failure
- Limited software

Xebek solution for Xen-based honeynet : 

Xebek solution for a Xen-based honeynet
- Xebek: goals and approaches
- Xebek architecture
- Xebek implementation
- Xebek evaluation
- Hardening Xebek

Xebek goals and approaches : 

Xebek goals and approaches
(1) Capture data as Sebek does, but with some improvements
(2) Eliminate the problem of leaving too many traces when forwarding data out
(3) Harden the central logging server

Goal (1) : 

Goal (1): Capture data as Sebek does, but with some improvements
- Sebek3 captures data by intercepting system calls (read/write/open/fork/socket), so Xebek does the same
- But Xebek patches the system calls in the kernel itself, so Xebek does not run as a kernel module
Sebek's problems, for reference: (1) uses the network stack to send data out; (2) data can be sniffed; (3) functions as a KLM and replaces the original system calls; (4) central logging server exposed to the network; (5) data transfer might not be reliable (UDP)

Goal (2) : 

Goal (2): Eliminate the problem of leaving too many traces when forwarding data out
- Xebek does not use the network stack to deliver data as Sebek does
- It uses shared memory between DomU and Dom0 to exchange data instead
Sebek's problems, for reference: (1) uses the network stack to send data out; (2) data can be sniffed; (3) functions as a KLM and replaces the original system calls; (4) central logging server exposed to the network; (5) data transfer might not be reliable (UDP)

Goal (3) : 

Goal (3): Harden the central logging server
- Put the central logging server in Dom0 to pick up the data forwarded from DomU
- It is no longer exposed to the network
Sebek's problems, for reference: (1) uses the network stack to send data out; (2) data can be sniffed; (3) functions as a KLM and replaces the original system calls; (4) central logging server exposed to the network; (5) data transfer might not be reliable (UDP)

Xebek architecture : 

Xebek architecture

xebekU : 

xebekU: the Xebek component in DomU's kernel
- Patches the system calls (open/read/write/fork/socket)
- Establishes shared memory with Dom0
- Puts the data gathered from the system calls into the shared memory, then notifies xebekd

xebekd : 

xebekd: the logging recorder in Dom0
- Waits for a notification from xebekU
- Picks up the data in shared memory, then saves it to the corresponding logging file
- Notifies xebekU on completion

Xebek utilities : 

Xebek utilities

Implementation issues : 

Implementation issues: the shared memory structure
- Needs to be accessed at the same time by 2 parties: xebekU writes to the shared memory, xebekd reads from it
- Hence a ring buffer format

Ring buffer format : 

Ring buffer format

    struct ringbuf {
        u32 write;  /* write head */
        u32 read;   /* read head */
        u32 size;   /* buffer size */
        char buf[0];
    } __attribute__((packed));

A buffer with 2 heads:
- Write head: fills up the buffer
- Read head: releases buffer space

Xebek packet format : 

Xebek packet format: xebekU formats the gathered data into a xebek_packet structure before putting it into the shared memory

    struct xebek_packet {
        uint16_t event, magic, version;
        uint32_t size;
        pid_t pid, ppid;
        uid_t uid;
        unsigned int fd;
        unsigned long inode;
        char comm[12];
        struct timeval time;
    } __attribute__((packed));
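The two structures above only make sense together: xebekU appends xebek_packet records at the write head and xebekd releases them from the read head, so the buffer must let one writer and one reader work at once and must cope with wrap-around and with a full ring. The following is an added example, not Xebek's code, of a single-producer/single-consumer byte ring with exactly that two-head layout, carrying xebek_packet records as "header followed by `size` bytes of payload". It runs both sides in one process over malloc'd memory where Xebek uses a Xen shared page; the event codes, the magic value, the meaning of `size` as payload length and the drop-on-full policy are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>

struct ringbuf {
    uint32_t write;  /* write head: the producer (xebekU) fills from here */
    uint32_t read;   /* read head: the consumer (xebekd) releases up to here */
    uint32_t size;   /* bytes in buf[]; one byte stays free to tell full from empty */
    char buf[];
} __attribute__((packed));

struct xebek_packet {
    uint16_t event, magic, version;
    uint32_t size;          /* assumed here: payload bytes that follow the header */
    pid_t pid, ppid;
    uid_t uid;
    unsigned int fd;
    unsigned long inode;
    char comm[12];
    struct timeval time;
} __attribute__((packed));

enum { EV_READ = 1, EV_WRITE = 2 };   /* constructed event codes, not Xebek's */
#define XEBEK_MAGIC 0x5845           /* constructed magic, not Xebek's */

static struct ringbuf *ring_new(uint32_t size)
{
    struct ringbuf *r = calloc(1, sizeof *r + size);
    if (r) r->size = size;
    return r;
}
static uint32_t ring_used(const struct ringbuf *r) { return (r->write + r->size - r->read) % r->size; }
static uint32_t ring_free(const struct ringbuf *r) { return r->size - 1 - ring_used(r); }

/* Copy len bytes in at the write head, wrapping at the end of buf[]; caller checked space. */
static void ring_put(struct ringbuf *r, const void *src, uint32_t len)
{
    uint32_t first = r->size - r->write;
    if (first > len) first = len;
    memcpy(r->buf + r->write, src, first);
    memcpy(r->buf, (const char *)src + first, len - first);
    r->write = (r->write + len) % r->size;
}
/* Copy len bytes out starting off bytes past the read head, without releasing them. */
static void ring_peek(const struct ringbuf *r, uint32_t off, void *dst, uint32_t len)
{
    uint32_t start = (r->read + off) % r->size, first = r->size - start;
    if (first > len) first = len;
    memcpy(dst, r->buf + start, first);
    memcpy((char *)dst + first, r->buf, len - first);
}

/* Producer side: one record = header + payload, written only if it fits whole.
 * Returns 1 on success, 0 if the consumer is behind and the record is dropped
 * (a real xebekU would wait for xebekd's completion notification instead). */
int xebek_push(struct ringbuf *r, uint16_t event, pid_t pid, unsigned fd, const void *data, uint32_t n)
{
    struct xebek_packet hdr = { .event = event, .magic = XEBEK_MAGIC, .version = 1,
                                .size = n, .pid = pid, .ppid = 1, .uid = 0, .fd = fd };
    struct timeval tv;
    gettimeofday(&tv, NULL);
    hdr.time = tv;
    strncpy(hdr.comm, "demo", sizeof hdr.comm);
    if (ring_free(r) < sizeof hdr + n) return 0;
    ring_put(r, &hdr, sizeof hdr);
    ring_put(r, data, n);
    return 1;
}

/* Consumer side: returns the payload length, -1 if no complete record is there yet,
 * -2 on a bad magic or a payload larger than cap (a corrupt ring: log and reset). */
int xebek_pop(struct ringbuf *r, struct xebek_packet *hdr, void *payload, uint32_t cap)
{
    if (ring_used(r) < sizeof *hdr) return -1;
    ring_peek(r, 0, hdr, sizeof *hdr);
    if (hdr->magic != XEBEK_MAGIC || hdr->size > cap) return -2;
    if (ring_used(r) < sizeof *hdr + hdr->size) return -1;
    ring_peek(r, sizeof *hdr, payload, hdr->size);
    r->read = (r->read + sizeof *hdr + hdr->size) % r->size;   /* release the space */
    return (int)hdr->size;
}

int main(void)
{
    struct ringbuf *r = ring_new(256);
    struct xebek_packet h;
    char out[64];
    int n;
    /* Constructed captured activity: a write() of "id\n" and a read() of a shell line. */
    xebek_push(r, EV_WRITE, 1234, 1, "id\n", 3);
    xebek_push(r, EV_READ, 1234, 0, "cat /etc/shadow\n", 16);
    while ((n = xebek_pop(r, &h, out, sizeof out)) >= 0)
        printf("event=%u pid=%d fd=%u %.*s", h.event, (int)h.pid, h.fd, n, out);
    free(r);
    return 0;
}
```

Only the producer moves `write` and only the consumer moves `read`, which is what lets the two domains touch the same page without a lock; the one byte kept free is what makes `write == read` unambiguously mean "empty". A full ring is the reliability point from the Sebek problem list: here the record is dropped and the caller told so, where Sebek's UDP simply loses it silently.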

xebekd: multiple threading : 

[Diagram: xebekd multiple threading. A main thread and a worker thread share host_ring, the ring buffer structure.]

Coding : 

Coding
- Version 0.2: DomU Linux only at the moment
- Delivered as a kernel patch, not a kernel module
- xebekd + xebeklive + xkeys: 1676 lines
- xebekU: 1848 lines (against linux-2.6.16-rc2)
- Small increase in kernel binary size: 946550 bytes -> 948494 bytes
- Small patch to the kernel

Hardening Xebek : 

Hardening Xebek
Harden DomU:
- Protect the kernel binary? No need?
- Protect the kernel symbols? No need?
- Shut down all the paths into the kernel: no kernel module loading; /dev/{kmem,mem,port} removed
Harden Dom0:
- Harden the system (SELinux, LIDS, AppArmor?)
- Run Dom0 with no network access

Future work : 

Future work
- Analysis tool: adapt Walleye for Xebek
- Make Xebek more flexible: allow specific events (READ/WRITE/OPEN/FORK/SOCKET) to be enabled/disabled at run time
- ???

Conclusions : 

Conclusions
- Xebek is a robust data capture tool for Xen-based virtual honeypots
- More stealthy
- More reliable/flexible
- Open source: to be released under the GPL license very soon

Demonstration : 

Demonstration

Thank you! : 

Thank you! Questions or Comments?