Argos Emulator
Georgios Portokalidis, Asia Slowinska, Herbert Bos
Vrije Universiteit Amsterdam
CERT/CC Reported Vulnerabilities

Why?
• Too many vulnerabilities
• New worm attacks
• Human intervention too slow
• Current solutions are problematic
  • Time consuming
  • Inaccurate
VU Amsterdam
Goals
• Platform for next generation honeypots
• Protect entire OS
• Detect most common attack vectors
• Accuracy
It Works!
Argos Overview
[Diagram: Applications and the Snitch run inside the Guest OS, which runs on the Argos Emulator on top of the Host OS; the emulator writes a Log that the Post-Processing Sub-system turns into Forensics data and a Signature.]
Network Data Tracking (example)
• Register = network_read (register receives network data and is tagged)
• Reg. A = Reg. A + Reg. B (tag propagates through arithmetic)
• Memory(A) = Reg. A (tag propagates from register to memory)
• Reg. B = Reg. A / 156.345 (floating-point result: data is sanitised)
Capturing Attacks
• Diverting control flow
• Executing arbitrary instructions
• Overwriting system call arguments
[Diagram: tagged register operands and tagged memory are checked at JMP, CALL, RET and SYSCALL.]
Forensics
[Diagram: information collected from the Applications, Guest OS and Argos Emulator layers: process name, linked libraries, open ports, virtual address space, registers, RAM.]
Signature Generation
[Diagram: the logged network flows and the Argos memory log are combined to locate the critical exploit bytes (e.g. the value loaded on EIP) and produce a new signature; similar signatures are merged into a generalised signature.]
Emulator Performance
[Chart: overhead, y times slower.]

Signature Generation Performance
[Chart: time to generate signature (sec) against tcpdump trace size (MB).]
Future Work
• Replaying attacks
• Integration with nepenthes honeypot
• Increase data tracking precision
• Protocol aware signature generation
• Generate self certifying alerts
On The Web
http://www.few.vu.nl/argos
Network Data Tracking
• Tag network data as “tainted”
• Track “tainted” data propagation
  • Arithmetic, logical operations
  • Memory operations
• Sanitise data
  • Floating point, SSE
[Diagram: data arriving via Port I/O from the Network is tagged in RAM and in the registers EAX, EBX, ECX, EDX as it propagates.]
Identifying Attacks
• Jumps
• Function calls
• Function returns
• System calls
[Diagram: tagged RAM and registers (EAX, EBX, ECX, EDX) reaching JMP EAX, CALL EAX, RET, JMP A and INT 0x80.]
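A toy model of the tagging rules from the Network Data Tracking and Identifying Attacks slides, added here as an illustration (constructed example, not Argos code): network reads taint a register, ADD and stores propagate the tag, floating-point results are sanitised, and a tagged value reaching JMP, RET or a system call argument raises an alert. The register set, the 32-bit wrap, and the sample values are assumptions.

```python
class TaintAlert(Exception):
    """Raised when tainted data reaches a control-flow target or a syscall argument."""
class TaintMachine:
    """Toy x86-like machine that tags data read from the network (constructed, not Argos code)."""
    def __init__(self):
        self.regs = {r: 0 for r in ("EAX", "EBX", "ECX", "EDX", "EIP")}
        self.tags = {r: False for r in self.regs}   # True = tainted
        self.mem, self.mem_tags = {}, {}             # address -> value / tainted?

    def network_read(self, reg, value):        # Register = network_read
        self.regs[reg], self.tags[reg] = value, True
    def add(self, dst, src):                   # Reg.A = Reg.A + Reg.B
        self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFFFFFFFF
        self.tags[dst] = self.tags[dst] or self.tags[src]

    def store(self, addr, reg):                # Memory(A) = Reg.A
        self.mem[addr], self.mem_tags[addr] = self.regs[reg], self.tags[reg]

    def fdiv(self, dst, src, divisor):         # Reg.B = Reg.A / 156.345: FP result is sanitised
        self.regs[dst] = int(self.regs[src] / divisor) & 0xFFFFFFFF
        self.tags[dst] = False

    def jmp(self, reg):                        # JMP EAX with a tagged operand
        if self.tags[reg]:
            raise TaintAlert(f"JMP to tainted {reg}=0x{self.regs[reg]:08x}")
        self.regs["EIP"] = self.regs[reg]

    def ret(self, sp):                         # RET: pop EIP from tagged memory
        if self.mem_tags.get(sp, False):
            raise TaintAlert(f"RET to tainted return address 0x{self.mem[sp]:08x}")
        self.regs["EIP"] = self.mem[sp]

    def syscall(self, *arg_regs):              # INT 0x80 with tagged arguments
        bad = [r for r in arg_regs if self.tags[r]]
        if bad:
            raise TaintAlert(f"syscall with tainted argument(s) {bad}")

def overwritten_return_address_is_caught():
    """Constructed scenario: network bytes flow through ADD and a store over a saved EIP."""
    m = TaintMachine()
    m.network_read("EAX", 0x41414141)   # bytes from the network land in EAX
    m.add("EBX", "EAX")                 # taint propagates through arithmetic
    m.store(0xBFFF0000, "EBX")          # ... and through the store onto the stack
    m.fdiv("ECX", "EAX", 156.345)       # the FP result is sanitised (tag dropped)
    try:
        m.ret(0xBFFF0000)               # the tainted value is popped into EIP
    except TaintAlert as alert:
        return str(alert), m.tags["ECX"]
    return None, m.tags["ECX"]
```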
SweetBait Design
Logs Format
• Register record: Format, Type, RID, Timestamp, Register values, Register tags, EIP origin, EIP value, EFLAGS
• Memory block record: Format, Tainted Flag, Size, P. Address, V. Address, Memory Block Contents
Forensics – Shellcode Injection
Process Address Space (Windows PE, ELF, etc.)
• Look up the process’s read-only pages
• Inject code at the last page of the .text segment
• Point EIP to the shellcode
Forensics – The Snitch
Injected code (in the compromised process):
• Pid = getpid()
• Rid [injected by Argos]
• Connect(localhost)
• Send(pid & rid)
Snitch (in the guest OS):
• Listen()
• Accept()
• Read(pid & rid)
• Exec(Netstat or OpenPorts)
• Connect(argos host)
• Send(info)