Introduction to Honeypot, measurement, and vulnerability exploits Cliff C. Zou CAP6133 02/06/06

What Is a Honeypot? Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner) Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

Example of a Simple Honeypot Install vulnerable OS and software on a machine Install monitor or IDS software Connect to the Internet (with global IP) Wait & monitor being scanned, attacked, compromised Finish analysis, clean the machine

Benefit of Deploying Honeypots Risk mitigation: Lure an attacker away from the real production systems (“easy target“). IDS-like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.

Benefit of Deploying Honeypots Attack analysis: Find out reasons, and strategies why and how you are attacked. Binary and behavior analysis of capture malicious code Evidence: Once the attacker is identified, all data captured may be used in a legal procedure. Increased knowledge

Honeypot Classification High-interaction honeypots A full and working OS is provided for being attacked VMware virtual environment Several VMware virtual hosts in one physical machine Low-interaction honeypots Only emulate specific network services No real interaction or OS Honeyd Honeynet/honeyfarm A network of honeypots

Low-Interaction Honeypots Pros: Easy to install (simple program) No risk (no vulnerable software to be attacked) One machine supports hundreds of honeypots, covers hundreds of IP addresses Cons: No real interaction to be captured Limited logging/monitor function Hard to detect unknown attacks; hard to generate filters Easily detectable by attackers

High-Interaction Honeypots Pros: Real OS, capture all attack traffic/actions Can discover unknown attacks/vulnerabilites Can capture and anlayze code behavior Cons: Time-consuming to build/maintain Time-consuming to analysis attack Risk of being used as stepping stone High computer resource requirement

Honeynet A network of honeypots High-interaction honeynet A distributed network composing many honeypots Low-interaction honeynet Emulate a virtual network in one physical machine Example: honeyd Mixed honeynet “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

Security Measurement Monitor network traffic to understand/track Internet attack activities Monitor incoming traffic to unused IP space TCP connection requests UDP packets Internet Monitored traffic Unused IP space Local network “Characteristics of internet background radiation. “

Remote host fingerprinting Actively probe remote hosts to identify remote hosts’ OS, physical devices, etc OSes service responses are different Hardware responses are different Purposes: Understand Internet computers Remove DHCP issue in monitored data “Remote Physical Device Fingerprinting”

Remote network fingerprinting By sending probing traffic, learn the structure and characteristics of remote networks Based on TTL to know the hop length Based on return data to infer firewall policy. “ConceptDoppler: A Weather Tracker for Internet Censorship” Others

Data Sharing: Traffic Anonymization Sharing monitored network traffic is important Collaborative attack detection Academic research Privacy and security exposure in data sharing Packet header: IP address, service port exposure Packet content: more serious Data anonymization Change packet header: preserve IP prefix, and … Change packet content

Buffer Over Flow Introduction Attack Steps Inject attack codes onto the buffer or somewhere Redirect the control flow to the attack code Execute the attack code

kernel space stack shared library heap bss static data code 0xFFFFFFFF kernel space 0xC0000000 stack shared library 0x42000000 heap bss static data code 0x08048000 0x00000000 From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt

A Stack Structure Function parameters Return Address SP: stack pointer Function parameters Return Address Calling Frame Pointer Local Variables SP FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP. 00000000

Example a=4; f(5); b=20; 5 Address of instruction (b=20) saved stack pointer x buf1 buf2 f(int m){ int x; char buf1[10]; char buf2[5]; x=m; … }

Overflow 0xFFFFFFFF kernel space argument 2 argument 1 RA frame pointer locals buffer 0xC0000000 stack Attack code Address of shared library 0x42000000 heap bss static data code 0x08048000 0x00000000 From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt

Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, … ) printf (conts char *format, … )

Format String Attack printf specification: snprintf, wsprintf … %d- signed decimal integer %x- unsigned hexadecimal integer %n- number of characters successfully written so far to the stream/buffer. This is stored in the integer whose address is given as the argument. int printf(const char *format [, argument]…);

Vulnerability Write printf(“%s”, str) to printf(str) Possible vulnerabilities: Dump arbitrary memory (information leaking) Write to arbitrary memory

Read More Buffer Overflow “Format string attacks” Lecture notes: http://www.cs.rpi.edu/~hollingd/comporg.2002/notes/overflow/overflow.ppt “buffer overflow for dummy” http://www.sans.org/reading_room/whitepapers/threats/481.php “Format string attacks” http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf "Analysis of format string bugs“ http://downloads.securityfocus.com/library/format-bug-analysis.pdf Lecture notes: http://crypto.stanford.edu/cs155-spring03/lecture3.ppt