Introduction to Honeypot, measurement, and vulnerability exploits


1 Introduction to Honeypot, measurement, and vulnerability exploits
Cliff C. Zou CAP6133 02/06/06

2 What Is a Honeypot?
Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
Concrete definition: "A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised."

3 Example of a Simple Honeypot
1. Install a vulnerable OS and software on a machine
2. Install monitoring or IDS software
3. Connect it to the Internet (with a globally routable IP address)
4. Wait and monitor as it is scanned, attacked, and compromised
5. Finish the analysis, then clean (reinstall) the machine

4 Benefit of Deploying Honeypots
- Risk mitigation: lure an attacker away from the real production systems (an "easy target").
- IDS-like functionality: since no legitimate traffic should flow to or from the honeypot, any traffic that does appear is suspect by construction (very few false positives) and can trigger further actions.

5 Benefit of Deploying Honeypots
- Attack analysis: find out why and how you are attacked, and which strategies the attacker uses.
- Binary and behavior analysis of captured malicious code.
- Evidence: once the attacker is identified, all captured data may be used in legal proceedings.
- Increased knowledge of attacker tools, tactics, and motives.

6 Honeypot Classification
- High-interaction honeypots: a full, working OS is provided to be attacked; e.g. a VMware virtual environment with several virtual hosts on one physical machine
- Low-interaction honeypots: only emulate specific network services; no real interaction with an OS; e.g. Honeyd
- Honeynet / honeyfarm: a network of honeypots

7 Low-Interaction Honeypots
Pros:
- Easy to install (a simple program)
- Low risk: there is no real vulnerable software for the attacker to compromise
- One machine supports hundreds of honeypots and covers hundreds of IP addresses
Cons:
- No real interaction is captured (the emulation stops where the service script ends)
- Limited logging/monitoring
- Hard to detect unknown attacks; hard to generate filters or signatures from the data
- Easily detectable by attackers (the emulation deviates from the real service)
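The contrast above (an emulated service that answers with a banner but never runs the real software) can be seen in a few dozen lines. The following is an added example written for this page, not code from the lecture or from Honeyd: a single-port low-interaction honeypot that classifies the first bytes a client sends, answers with a canned banner, and emits one alert line per connection. The banner strings, the default port 8080, and the 16-byte log excerpt are arbitrary choices made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added example (not from the lecture): a minimal low-interaction honeypot.
 * No real service runs; the first bytes a client sends are classified,
 * answered with a canned banner, and logged. Banner strings are made up. */

enum probe_kind { PROBE_EMPTY, PROBE_HTTP, PROBE_SSH, PROBE_OTHER };
static const char *kind_name[] = { "EMPTY", "HTTP", "SSH", "OTHER" };

/* Classify a probe from its first bytes (pure function, testable offline). */
enum probe_kind classify_probe(const char *data, size_t len)
{
    if (len == 0)
        return PROBE_EMPTY;                       /* connect-only port scan */
    if (len >= 4 && (!memcmp(data, "GET ", 4) || !memcmp(data, "HEAD", 4) ||
                     !memcmp(data, "POST", 4)))
        return PROBE_HTTP;
    if (len >= 4 && !memcmp(data, "SSH-", 4))
        return PROBE_SSH;
    return PROBE_OTHER;                           /* unknown protocol or binary */
}

/* Canned reply for a probe kind; returns the number of bytes placed in out. */
size_t honeypot_reply(enum probe_kind k, char *out, size_t outlen)
{
    const char *r = "";
    if (k == PROBE_HTTP) r = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n\r\n";
    if (k == PROBE_SSH)  r = "SSH-1.99-OpenSSH_3.4p1\r\n";
    size_t n = strlen(r);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, r, n);
    out[n] = '\0';
    return n;
}

/* One log line per connection. Nothing legitimate should reach the honeypot,
 * so every line is an alert. Non-printable bytes become '.' so attacker input
 * cannot inject terminal escapes or fake lines into the log. */
int format_log(const char *src, unsigned dport, const char *data, size_t len,
               char *out, size_t outlen)
{
    enum probe_kind k = classify_probe(data, len);
    int n = snprintf(out, outlen, "ALERT src=%s dport=%u kind=%s first=\"",
                     src, dport, kind_name[k]);
    if (n < 0 || (size_t)n + 2 >= outlen) return -1;
    size_t pos = (size_t)n, shown = len < 16 ? len : 16;  /* keep lines short */
    for (size_t i = 0; i < shown && pos + 2 < outlen; i++)
        out[pos++] = isprint((unsigned char)data[i]) ? data[i] : '.';
    out[pos++] = '"';
    out[pos] = '\0';
    return (int)pos;
}

int main(int argc, char **argv)
{
    unsigned port = argc > 1 ? (unsigned)atoi(argv[1]) : 8080;
    int srv = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(srv, (struct sockaddr *)&a, sizeof a) < 0 || listen(srv, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        int c = accept(srv, (struct sockaddr *)&peer, &plen);
        if (c < 0) continue;
        struct timeval tv = { 3, 0 };             /* don't hang on silent scanners */
        setsockopt(c, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        char in[512], line[256], reply[128], ip[INET_ADDRSTRLEN];
        ssize_t got = recv(c, in, sizeof in, 0);
        size_t len = got > 0 ? (size_t)got : 0;
        inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
        if (format_log(ip, port, in, len, line, sizeof line) > 0) puts(line);
        size_t rn = honeypot_reply(classify_probe(in, len), reply, sizeof reply);
        if (rn) send(c, reply, rn, 0);
        close(c);
    }
}
```

Run it with a port argument and point nmap or a browser at it; the alert line is the "IDS-like" signal from slide 4. The limits from the Cons list are visible too: after the banner the emulation has nothing more to say, so an attacker who sends a second command immediately learns it is not a real server.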

8 High-Interaction Honeypots
Pros:
- Real OS: captures all attack traffic and actions
- Can discover unknown attacks and vulnerabilities
- Can capture and analyze code behavior
Cons:
- Time-consuming to build and maintain
- Time-consuming to analyze each attack
- Risk of being used as a stepping stone to attack others (outbound traffic must be contained)
- High computing resource requirements

9 Honeynet
A network of honeypots
- High-interaction honeynet: a distributed network composed of many honeypots
- Low-interaction honeynet: emulate a virtual network in one physical machine; example: honeyd
- Mixed honeynet: "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
Reference:

10 Security Measurement
Monitor network traffic to understand and track Internet attack activities
Monitor incoming traffic to unused IP space:
- TCP connection requests
- UDP packets
[Figure: traffic from the Internet arriving at unused IP space in the local network is captured as monitored traffic]
"Characteristics of Internet Background Radiation"
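Traffic to unused address space has no legitimate sender, so the monitor only needs to parse headers and count. The block below is an added example for this page, not code from the lecture or from the cited paper: it classifies raw IPv4 packets destined for a dark prefix into TCP connection requests (SYN without ACK), other TCP, UDP, and ICMP, and tallies them. The monitored prefix 10.99.0.0/16, the builder functions, and the three packets in main are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the lecture): a tiny "darknet" monitor. It classifies
 * raw IPv4 packets addressed to an unused prefix and tallies what arrives.
 * The dark prefix 10.99.0.0/16 is an assumption made for the example. */

#define DARK_NET  0x0A630000u   /* 10.99.0.0 */
#define DARK_MASK 0xFFFF0000u   /* /16 */

enum pkt_kind { PK_IGNORED = -1, PK_TCP_SYN, PK_TCP_OTHER, PK_UDP, PK_ICMP, PK_OTHER };
struct tally { unsigned tcp_syn, tcp_other, udp, icmp, other; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Classify one packet (IPv4 header first, no link layer). For TCP/UDP the
 * destination port is returned via dport. Malformed packets and packets not
 * addressed to the dark prefix are PK_IGNORED. */
enum pkt_kind classify_packet(const uint8_t *pkt, size_t len, uint16_t *dport)
{
    *dport = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return PK_IGNORED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl || rd16(pkt + 2) < ihl) return PK_IGNORED;
    if ((rd32(pkt + 16) & DARK_MASK) != DARK_NET) return PK_IGNORED;
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;
    switch (pkt[9]) {
    case 6:                                        /* TCP: need ports + flags byte */
        if (l4len < 14) return PK_OTHER;
        *dport = rd16(l4 + 2);
        return (l4[13] & 0x12) == 0x02 ? PK_TCP_SYN : PK_TCP_OTHER;   /* SYN without ACK */
    case 17:                                       /* UDP */
        if (l4len < 8) return PK_OTHER;
        *dport = rd16(l4 + 2);
        return PK_UDP;
    case 1:  return PK_ICMP;
    default: return PK_OTHER;
    }
}

/* Tally a batch; returns how many packets were addressed to the dark prefix. */
size_t tally_packets(const uint8_t *const *pkts, const size_t *lens, size_t n, struct tally *t)
{
    size_t counted = 0;
    uint16_t dport;
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n; i++) {
        switch (classify_packet(pkts[i], lens[i], &dport)) {
        case PK_TCP_SYN:   t->tcp_syn++;   break;
        case PK_TCP_OTHER: t->tcp_other++; break;
        case PK_UDP:       t->udp++;       break;
        case PK_ICMP:      t->icmp++;      break;
        case PK_OTHER:     t->other++;     break;
        default:           continue;       /* PK_IGNORED */
        }
        counted++;
    }
    return counted;
}

/* Constructed test packets. build_l4 makes a 20-byte TCP header (hdrlen 20,
 * with flags) or an 8-byte UDP header (hdrlen 8); build_ipv4 wraps it in a
 * 20-byte IPv4 header. No checksums: the monitor never checks them. */
size_t build_l4(uint8_t *out, uint16_t sport, uint16_t dport, size_t hdrlen, uint8_t flags)
{
    memset(out, 0, hdrlen);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    if (hdrlen == 20) { out[12] = 0x50; out[13] = flags; }   /* TCP data offset 5, flags */
    else out[5] = (uint8_t)hdrlen;                            /* UDP length field */
    return hdrlen;
}
size_t build_ipv4(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst,
                  const uint8_t *l4, size_t l4len)
{
    size_t total = 20 + l4len;
    memset(out, 0, 20);
    out[0] = 0x45; out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[8] = 64; out[9] = proto;
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    memcpy(out + 20, l4, l4len);
    return total;
}

int main(void)
{
    uint8_t l4[20], p1[64], p2[64], p3[64];
    size_t n1 = build_ipv4(p1, 6, 0xC6336401u, 0x0A630102u, l4, build_l4(l4, 40000, 445, 20, 0x02));
    size_t n2 = build_ipv4(p2, 17, 0xC6336402u, 0x0A630707u, l4, build_l4(l4, 1434, 1434, 8, 0));
    size_t n3 = build_ipv4(p3, 6, 0xC6336403u, 0xC0000201u, l4, build_l4(l4, 40001, 80, 20, 0x02));
    const uint8_t *pkts[] = { p1, p2, p3 };
    size_t lens[] = { n1, n2, n3 };
    struct tally t;
    size_t seen = tally_packets(pkts, lens, 3, &t);
    printf("dark-space packets: %zu (tcp_syn=%u udp=%u)\n", seen, t.tcp_syn, t.udp);
    return 0;
}
```

The third packet goes to 192.0.2.1, outside the dark prefix, and is ignored; a real monitor would feed classify_packet from a pcap or a raw socket and aggregate the tallies per destination port, which is how the background-radiation paper separates worm scanning from backscatter.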

11 Remote host fingerprinting
Actively probe remote hosts to identify their OS, physical device, etc.
- Different OSes respond differently to the same service probes
- Different hardware responds differently (e.g. clock behavior)
Purposes:
- Understand the population of Internet computers
- Remove the DHCP problem from monitored data (the same host appearing under different IP addresses over time)
"Remote Physical Device Fingerprinting"
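The cited paper identifies a physical device by its clock skew, estimated from the TCP timestamp option in packets the host sends. The block below is an added example for this page, not the paper's code: it fits the remote-minus-local clock offset against local time and reports the slope in ppm. The paper fits a lower bound with linear programming; this example uses ordinary least squares, which is a simplification. The sample series in synth_samples is constructed (a device whose timestamp clock runs 50 ppm fast, sampled every 100 s), not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <math.h>
#include <stdio.h>

/* Added example (not from the lecture): estimating a remote host's clock skew
 * from the TCP timestamp option, the measurement used in "Remote Physical
 * Device Fingerprinting". The paper fits a lower bound with linear programming;
 * this example uses ordinary least squares, a simplification. */

/* t[i]: local receive time (seconds); ts[i]: the remote host's TCP timestamp
 * value in packet i (32-bit counter, may wrap); hz: the remote timestamp clock
 * rate. Returns the skew in parts per million, or NAN if it cannot be fitted. */
double estimate_skew_ppm(const double *t, const uint32_t *ts, size_t n, double hz)
{
    if (n < 2) return NAN;
    double sx = 0, sy = 0, sxx = 0, sxy = 0;
    for (size_t i = 0; i < n; i++) {
        double x = t[i] - t[0];
        /* unsigned subtraction handles wrap-around of the 32-bit counter */
        double y = (double)(uint32_t)(ts[i] - ts[0]) / hz - x;   /* remote minus local */
        sx += x; sy += y; sxx += x * x; sxy += x * y;
    }
    double denom = (double)n * sxx - sx * sx;
    if (denom == 0) return NAN;
    return 1e6 * ((double)n * sxy - sx * sy) / denom;   /* slope of offset vs time */
}

/* Constructed samples (not real captures): a device whose timestamp clock runs
 * fast by `ppm` parts per million, observed every 100 s, starting at ts0. */
size_t synth_samples(double *t, uint32_t *ts, size_t n, double hz, double ppm, uint32_t ts0)
{
    for (size_t i = 0; i < n; i++) {
        t[i] = 100.0 * (double)i;
        ts[i] = ts0 + (uint32_t)(t[i] * hz * (1.0 + ppm * 1e-6) + 0.5);
    }
    return n;
}

int main(void)
{
    double t[21];
    uint32_t ts[21];
    synth_samples(t, ts, 21, 1000.0, 50.0, 0xFFFFFF00u);   /* ts0 near wrap on purpose */
    printf("estimated skew: %.2f ppm\n", estimate_skew_ppm(t, ts, 21, 1000.0));
    return 0;
}
```

Because the skew is a property of the device's oscillator rather than of its IP address, two captures with the same skew taken hours apart can be attributed to the same machine even if DHCP has moved it, which is the "DHCP problem" the slide refers to. The timestamp clock rate hz must be known or estimated first (common values are 100, 250 and 1000 Hz).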

12 Remote network fingerprinting
By sending probe traffic, learn the structure and characteristics of remote networks
- Use the TTL of returned packets to infer the hop distance
- Use which probes are answered (and how) to infer firewall policy
- "ConceptDoppler: A Weather Tracker for Internet Censorship"
- Others

13 Data Sharing: Traffic Anonymization
Sharing monitored network traffic is important for:
- Collaborative attack detection
- Academic research
Privacy and security exposure in data sharing:
- Packet header: IP addresses and service ports are exposed
- Packet content: more serious (payloads, credentials)
Data anonymization:
- Change the packet header: preserve IP prefix structure, and …
- Change the packet content
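"Preserve IP prefix" means that two addresses sharing the first k bits before anonymization must still share exactly k bits afterwards, so subnet structure survives for analysis while the real addresses do not. The block below is an added example for this page, not code from the lecture or from the Crypto-PAn project, though it follows the Crypto-PAn construction: output bit i is the input bit XORed with a keyed pseudorandom function of the i bits above it. The prf() function is a keyed integer mixer used only so the example runs without a crypto library; a real deployment replaces it with a block cipher such as AES. The key and the sample addresses in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the lecture): prefix-preserving IPv4 anonymization
 * in the style of Crypto-PAn. Output bit i is input bit i XORed with a keyed
 * pseudorandom function of the i bits above it, so two addresses that share
 * k leading bits map to addresses that share exactly k leading bits.
 * prf() below is a keyed integer mixer standing in for the block cipher a
 * real deployment would use (Crypto-PAn uses AES); it is NOT secure. */

static uint64_t prf(uint64_t key, uint64_t x)
{
    uint64_t z = x ^ (key * 0x9E3779B97F4A7C15ull) ^ 0xD1B54A32D192ED03ull;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ull;   /* splitmix64 finalizer */
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBull;
    return z ^ (z >> 31);
}

uint32_t anon_ipv4(uint64_t key, uint32_t addr)
{
    uint32_t out = 0;
    for (int i = 0; i < 32; i++) {
        uint32_t prefix = i ? addr >> (32 - i) : 0;            /* the i bits above bit 31-i */
        /* the length i is mixed in so prefixes of different lengths are distinct inputs */
        uint32_t flip = (uint32_t)(prf(key, ((uint64_t)i << 32) | prefix) & 1u);
        uint32_t bit = (addr >> (31 - i)) & 1u;
        out |= (bit ^ flip) << (31 - i);
    }
    return out;
}

/* Number of leading bits two addresses have in common (0..32). */
int common_prefix_len(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    int n = 0;
    while (n < 32 && !((d >> (31 - n)) & 1u)) n++;
    return n;
}

uint32_t ip4_to_u32(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

void u32_to_ip4(uint32_t v, char out[16])
{
    sprintf(out, "%u.%u.%u.%u", v >> 24, (v >> 16) & 255u, (v >> 8) & 255u, v & 255u);
}

int main(void)
{
    uint64_t key = 0x0123456789ABCDEFull;   /* constructed secret; never keep a real key in source */
    const char *sample[] = { "192.168.1.10", "192.168.1.200", "192.168.7.1", "10.0.0.1" };
    uint32_t first = anon_ipv4(key, ip4_to_u32(sample[0]));
    char s[16];
    for (int i = 0; i < 4; i++) {
        uint32_t a = anon_ipv4(key, ip4_to_u32(sample[i]));
        u32_to_ip4(a, s);
        printf("%-14s -> %-14s (shares %2d leading bits with the first)\n",
               sample[i], s, common_prefix_len(a, first));
    }
    return 0;
}
```

Note the trade-off the slide's "and …" hints at: because prefix structure is preserved, an analyst who knows the real address of one host in a shared trace can recover the subnet (and with enough known hosts, more) of the others. Anonymizing headers this way does nothing for payloads, which is why packet content is the more serious exposure.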

14 Buffer Overflow Introduction
Attack steps:
1. Inject attack code into the buffer (or somewhere else in memory)
2. Redirect the control flow to the attack code
3. Execute the attack code

15 Process memory layout (figure)
[Figure: address space from high to low: 0xFFFFFFFF, kernel space, stack (growing downward), shared library, heap (growing upward), bss, static data, code]
From Dawn Song's RISE:

16 A Stack Structure
[Figure: one stack frame, from high to low address: function parameters, return address, calling frame pointer, local variables; SP marks the stack pointer, FP the frame pointer]
FP is guaranteed to have the same value throughout the execution of the function, so all local data can be accessed via hard-coded offsets from the FP.

17 Example
Caller:
    a=4; f(5); b=20;
Callee:
    f(int m){ int x; char buf1[10]; char buf2[5]; x=m; }
Stack frame of f, from high to low address: 5 (the argument m), the address of the instruction b=20 (the return address), the saved frame pointer of the caller, then the locals x, buf1, buf2. A write past the end of buf2 or buf1 therefore runs upward into the saved frame pointer and the return address.

18 Overflow
[Figure: the address space of slide 15 (kernel space, stack, shared library, heap, bss, static data, code) with the stack frame expanded: argument 2, argument 1, return address (RA), frame pointer, locals, buffer. The overflowed buffer holds the attack code, and the overwritten RA points either at that code or at an address inside a shared library]
From Dawn Song's RISE:

19 Some unsafe C lib functions
strcpy (char *dest, const char *src)
strcat (char *dest, const char *src)
gets (char *s)
scanf (const char *format, …)
printf (const char *format, …)
The first four copy or read an unbounded amount of input into dest or s; printf is unsafe when the format string itself is attacker-controlled.
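The frame of slide 17 and the unbounded copy of slide 19 can be replayed without depending on any particular compiler's stack layout (which stack canaries and reordering make unreliable). The block below is an added example for this page, not code from the lecture or from RISE: the frame is modelled as a struct with an 8-byte local buffer followed by the saved return address, the vulnerable copy has no length check (the strcpy pattern), and the hardened copy rejects input that does not fit. ORIGINAL_RET, the 0xDEADBEEF target and the payload are hypothetical values for the simulation; it shows only the return-address overwrite, not the injected code of slide 18.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example (not from the lecture): the overflow of slides 17-19 replayed
 * on a simulated frame. A real stack layout depends on the compiler and on
 * mitigations such as stack canaries, so the frame is modelled as a struct:
 * an 8-byte local buffer with the saved return address just above it. */

struct frame {
    char buf[8];           /* local buffer, lowest address in the frame */
    uint32_t saved_ret;    /* sits right after it, like the RA above the locals */
};

#define ORIGINAL_RET 0x08048400u   /* hypothetical address of the "b=20" instruction */

/* Vulnerable pattern: copy len bytes into an 8-byte buffer without checking
 * len against the buffer size (what strcpy/strcat/gets do). Returns the saved
 * return address as it stands after the copy. The copy is capped at sizeof fr
 * only to keep the simulator itself within defined behaviour; a real strcpy
 * would keep writing past the frame. */
uint32_t vulnerable_copy(const char *src, size_t len)
{
    struct frame fr;
    fr.saved_ret = ORIGINAL_RET;
    if (len > sizeof fr) len = sizeof fr;
    memcpy(&fr, src, len);             /* bytes 8..11 land in saved_ret */
    return fr.saved_ret;
}

/* Hardened pattern: check the length first and refuse oversized input.
 * Returns 0 on success, -1 if the input was rejected; the saved return
 * address is reported through ret_out and is never touched by the copy. */
int bounded_copy(const char *src, size_t len, uint32_t *ret_out)
{
    struct frame fr;
    fr.saved_ret = ORIGINAL_RET;
    if (len > sizeof fr.buf) {
        *ret_out = fr.saved_ret;
        return -1;
    }
    memcpy(fr.buf, src, len);
    *ret_out = fr.saved_ret;
    return 0;
}

/* Attacker's payload: filler to reach the return address, then the target
 * address in host byte order (so the example is portable). Returns its length. */
size_t build_payload(uint32_t target, char *out)
{
    memset(out, 'A', 8);
    memcpy(out + 8, &target, sizeof target);
    return 8 + sizeof target;
}

int main(void)
{
    char payload[16];
    size_t n = build_payload(0xDEADBEEFu, payload);   /* pretend: address of injected code */
    uint32_t ra;
    printf("benign input : RA = 0x%08x\n", vulnerable_copy("hello", 5));
    printf("overflow     : RA = 0x%08x\n", vulnerable_copy(payload, n));
    int rc = bounded_copy(payload, n, &ra);
    printf("bounded copy : rc = %d, RA = 0x%08x\n", rc, ra);
    return 0;
}
```

On a real stack the same 12 bytes would be written by strcpy(buf, attacker_string), and when f returns the CPU would jump to 0xDEADBEEF (or, as in slide 18, into the buffer or a shared-library function). The hardened version is the entire fix: every copy into a fixed-size buffer carries its bound.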

20 Format String Attack
printf specification (also snprintf, wsprintf, …):
    int printf(const char *format [, argument]…);
%d - signed decimal integer
%x - unsigned hexadecimal integer
%n - number of characters successfully written so far to the stream/buffer; this count is stored in the integer whose address is given as the corresponding argument.

21 Vulnerability
Writing printf(str) instead of printf("%s", str), where str is attacker-controlled.
Possible consequences:
- Dump arbitrary memory (information leak), e.g. via %x or %s
- Write to arbitrary memory via %n
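The two calls look alike but behave very differently once str contains conversions. The block below is an added example for this page, not code from the lecture or the linked papers: it puts the vulnerable and the fixed call side by side and adds a small scanner that counts the conversions in untrusted input and flags %n, the specifier that turns a leak into a write. The scanner's specifier grammar (flags, width, precision, positional n$, length modifiers) is the standard printf one; the sample input in main is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not from the lecture): printf(str) versus printf("%s", str),
 * plus a scanner that counts conversion specifiers in untrusted input and
 * flags %n, the specifier that turns an information leak into a write. */

/* Vulnerable: the user string becomes the format. Each "%x" pulls another word
 * off the stack into the output; "%n" writes a value through a stack word. */
void vulnerable_log(const char *user)
{
    printf(user);
    printf("\n");
}

/* Fixed: a constant format string; user data is only ever a %s argument. */
void safe_log(const char *user)
{
    printf("%s\n", user);
}

/* Count printf conversions in s; "%%" is a literal and not counted.
 * Sets *has_n if a %n conversion is present. Handles flags, width, precision,
 * positional "n$" arguments and length modifiers as printf does. */
int scan_format(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                               /* "%%" */
        while (*p && strchr("-+ #0'", *p)) p++;                /* flags */
        while (isdigit((unsigned char)*p) || *p == '$' || *p == '*') p++;  /* width / n$ */
        if (*p == '.') {                                       /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;               /* length modifier */
        if (!*p) break;                                        /* truncated spec at end */
        if (*p == 'n') *has_n = 1;
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    /* Constructed input: looks harmless but carries two conversions. */
    const char *user = argc > 1 ? argv[1] : "100%% done, status %x/%x";
    int has_n;
    int n = scan_format(user, &has_n);
    printf("%d conversion(s)%s\n", n, has_n ? ", including %n (write primitive)" : "");
    safe_log(user);                                      /* prints the string verbatim */
    if (argc > 2 && strcmp(argv[2], "--unsafe") == 0)
        vulnerable_log(user);                            /* only on request: shows the leak */
    return 0;
}
```

Run it as ./a.out 'AAAA%08x.%08x.%08x' --unsafe to watch vulnerable_log print stack words where safe_log prints the literal text; the compiler's -Wformat-security warning on printf(user) is the cheapest detection of this bug class. The scanner is a stopgap for input that must reach a format function (for example a log template read from a file); the real fix is never letting untrusted data be the format argument.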

22 Read More
Buffer overflow: "buffer overflow for dummy"
Format string: "Format string attacks", "Analysis of format string bugs"
Lecture notes:

