
Argos Emulator


Presentation Transcript


  1. Argos Emulator
     Georgios Portokalidis, Asia Slowinska, Herbert Bos
     Vrije Universiteit Amsterdam

  2. Why?
     (Chart: CERT/CC Reported Vulnerabilities)
     • Too many vulnerabilities
     • New worm attacks
     • Human intervention too slow
     • Current solutions are problematic
       • Time consuming
       • Inaccurate
     VU Amsterdam

  3. Goals
     • Platform for next generation honeypots
     • Protect entire OS
     • Detect most common attack vectors
     • Accuracy

  4. It Works!

  5. Argos Overview
     (Diagram labels: Applications, Snitch, Guest OS, Argos Emulator, Host OS, Post-Processing Sub-system, Forensics, Signature, Log)

  6. Network Data Tracking
     (Diagram: the state of the registers and of memory after each step of the sequence)
     Register = network_read
     Reg. A = Reg. A + Reg. B
     Memory(A) = Reg. A
     Reg. B = Reg. A / 156.345

  7. Capturing Attacks
     • Diverting control flow
     • Executing arbitrary instructions
     • Overwriting system call arguments
     (Diagram labels: Tagged Register Operands, Tagged Memory, JMP, CALL, RET, SYSCALL)

  8. Forensics
     (Diagram labels: Applications, Guest OS, Argos Emulator; Process name, Linked Libraries, Open Ports, Virtual Address Space, Registers, RAM)

  9. Signature Generation
     (Diagram: from the Argos Memory Log and the Logged Network Flows, the Critical Exploit Bytes (e.g. value loaded on EIP) give a New Signature; Similar Signatures give a Generalised Signature)

  10. Emulator Performance
     (Chart: Overhead (y times slower))

  11. Signature Generation Performance
     (Chart: Time to generate signature (sec) against Tcpdump trace size (MB))

  12. Future Work
     • Replaying attacks
     • Integration with nepenthes honeypot
     • Increase data tracking precision
     • Protocol aware signature generation
     • Generate self certifying alerts

  13. On The Web
     http://www.few.vu.nl/argos

  14. Network Data Tracking
     • Tag network data as “tainted”
     (Diagram: RAM, Port I/O, registers EAX EBX ECX EDX)

  15. Network Data Tracking
     • Tag network data as “tainted”
     • Track “tainted” data propagation
       • Arithmetic, logical operations
       • Memory operations
     (Diagram: RAM, registers EAX EBX ECX EDX, memory cell A)

  16. Network Data Tracking
     • Tag network data as “tainted”
     • Track “tainted” data propagation
       • Arithmetic, logical operations
       • Memory operations
     • Sanitise data
       • Floating point, SSE
     (Diagram: RAM, registers EAX EBX ECX EDX, memory cell A)

  17. Identifying Attacks
     • Jumps
     • Function calls
     • Function returns
     • System calls
     (Diagram: RAM, registers EAX EBX ECX EDX, memory cell A; instructions JMP EAX, CALL EAX, RET, JMP A, INT 0x80)
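The tracking and detection mechanism of slides 6, 7 and 14 to 17, as an added toy illustration in Python that is not Argos code (Argos does this inside the emulator at the instruction level): every register and memory word carries a taint bit, a network read sets it, arithmetic and memory operations propagate it, a floating point result is sanitised, and a tainted value reaching JMP, RET or the system call number register raises an alert. The register set, the addresses and the overflow scenario are constructed for the example; flagging only a tainted EAX on INT 0x80 is a simplification of the "system call arguments" check on slide 7.

```python
from dataclasses import dataclass, field

CLEAN = (0, False)  # (value, tainted) pair for an untouched register or memory word

@dataclass
class TaintMachine:  # toy register machine: every register and memory word carries a taint bit
    regs: dict = field(default_factory=lambda: {r: CLEAN for r in ("EAX", "EBX", "ECX", "ESP")})
    mem: dict = field(default_factory=dict)   # address -> (value, tainted)
    alerts: list = field(default_factory=list)

    def net_read(self, reg, value):           # data from the network is tagged tainted at the source
        self.regs[reg] = (value, True)

    def add(self, dst, src):                  # arithmetic/logical ops propagate the tag to the result
        (a, ta), (b, tb) = self.regs[dst], self.regs[src]
        self.regs[dst] = ((a + b) & 0xFFFFFFFF, ta or tb)

    def store(self, addr, src):               # memory operations carry the tag along with the value
        self.mem[addr] = self.regs[src]

    def fdiv(self, dst, src, divisor):        # floating point result is sanitised: tag cleared
        self.regs[dst] = (int(self.regs[src][0] / divisor), False)

    def _check(self, kind, target, tainted):  # tainted data reaching control flow means an attack
        if tainted:
            self.alerts.append(f"{kind} to tainted target 0x{target:08x}")
        return tainted
    def jmp(self, reg):                       # JMP reg / CALL reg with a tainted register operand
        return self._check("JMP", *self.regs[reg])

    def ret(self):                            # RET pops the return address from tagged memory
        esp, _ = self.regs["ESP"]
        self.regs["ESP"] = (esp + 4, False)
        return self._check("RET", *self.mem.get(esp, CLEAN))

    def syscall(self):                        # INT 0x80 with a tainted system call number in EAX
        return self._check("INT 0x80", *self.regs["EAX"])

def overflow_scenario():
    """Constructed run: bytes read from the network end up over a saved return address."""
    m = TaintMachine()
    m.regs["ESP"] = (0x1000, False)
    m.mem[0x1000] = (0x08048000, False)       # saved return address, still clean
    m.net_read("EAX", 0x41414100)             # network bytes land in EAX (tainted)
    m.regs["EBX"] = (0x41, False)             # clean local value
    m.add("EBX", "EAX")                       # EBX is now tainted through ADD
    m.store(0x1000, "EBX")                    # ...and overwrites the saved return address
    m.fdiv("ECX", "EBX", 156.345)             # ECX derives from it but is sanitised
    return m.ret(), m.regs["ECX"][1], m.alerts  # (RET flagged?, ECX tainted?, alert list)
```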

  18. SweetBait Design

  19. Logs Format
     Log record format: Type, RID, Timestamp, Register values, Register tags, EIP origin, EIP value, EFLAGS
     Memory block format: Tainted Flag, Size, P. Address, V. Address, Memory Block Contents

  20. Forensics: Shellcode Injection
     (Diagram: Process Address Space (Windows PE, ELF, etc) with its .text segment)
     • Lookup process’s read-only pages
     • Inject code at last text segment page
     • Point EIP to shellcode

  21. Forensics – The Snitch
     (Diagram: the sequence of calls on each side)
     Injected code: Pid = getpid(); Rid [injected by Argos]; Connect(localhost); Send(pid & rid)
     Snitch: Listen(); Accept(); Read(pid & rid); Exec(Netstat or OpenPorts); Connect(argos host); Send(info)
