From: Mulyadi Santosa
Subject: Re: [Qemu-devel] Argos: qemu-based honeypot
Date: Wed, 21 Dec 2005 17:28:55 +0700
To: qemu-devel@nongnu.org, Herbert Bos
In-Reply-To: <43A86DF6.4080005@cs.vu.nl>
Message-Id: <200512211728.55521.a_mulyadi@softhome.net>

Dear Dr Bos,

First, congratulations on the Argos release. It looks interesting to me; I'll give it a try ASAP.

> We have extended QEMU to enable it to detect remote attempts to
> compromise the emulated guest operating system. Using dynamic taint
> analysis Argos tracks network data throughout the processor's
> execution and detects any attempts to use them in a malicious way.
> When an attack is detected the memory footprint of the attack is
> logged and the emulator exits.

Pardon me, can you explain what dynamic taint means? Is it some kind of code instrumentation similar to Bochs?

If yes, I'd love to study how you do it, since I have been planning to do something like that for a long time but am still unable to dig deeper into Qemu internals...

regards
Mulyadi
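To illustrate what the quoted announcement means by dynamic taint analysis, here is an added example that is not Argos or QEMU code and not part of the original thread. It is a constructed toy VM in C: every register and memory byte carries a shadow taint bit, bytes that arrive from the "network" are marked tainted, copies and arithmetic propagate the bit, and an indirect jump through a tainted register is reported as an attack. The instruction set, the packet contents and both scenario programs are invented for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy dynamic taint tracker (constructed example, not Argos or QEMU code).
 * Shadow state: one taint bit per register and per memory byte. */
#define NREGS 4
#define MEMSZ 64

enum op { OP_NETRECV, OP_MOVI, OP_LD, OP_ST, OP_ADD, OP_JMPR, OP_HALT };
struct insn { enum op op; int a; int b; };

struct vm {
    uint32_t reg[NREGS];
    uint8_t  reg_taint[NREGS];
    uint8_t  mem[MEMSZ];
    uint8_t  mem_taint[MEMSZ];
    int      pc;
    int      alert_pc;   /* pc of the instruction that misused tainted data, or -1 */
};

/* Copy a constructed "network packet" into guest memory and taint those bytes. */
static void net_recv(struct vm *vm, int addr, const uint8_t *pkt, int len) {
    for (int i = 0; i < len && addr + i < MEMSZ; i++) {
        vm->mem[addr + i] = pkt[i];
        vm->mem_taint[addr + i] = 1;
    }
}

/* Execute until HALT or alert. Returns 1 when tainted data reaches a
 * control-flow decision (the detection condition), 0 otherwise. */
static int run(struct vm *vm, const struct insn *prog, int nprog,
               const uint8_t *pkt, int pktlen) {
    vm->pc = 0;
    vm->alert_pc = -1;
    for (int steps = 0; steps < 1000 && vm->pc >= 0 && vm->pc < nprog; steps++) {
        const struct insn *in = &prog[vm->pc];
        int next = vm->pc + 1;
        switch (in->op) {
        case OP_NETRECV:                 /* packet lands in mem[a..], tainted */
            net_recv(vm, in->a, pkt, pktlen);
            break;
        case OP_MOVI:                    /* constant -> clean */
            vm->reg[in->a] = (uint32_t)in->b;
            vm->reg_taint[in->a] = 0;
            break;
        case OP_LD:                      /* taint follows the data out of memory */
            vm->reg[in->a] = vm->mem[in->b];
            vm->reg_taint[in->a] = vm->mem_taint[in->b];
            break;
        case OP_ST:                      /* and back into memory */
            vm->mem[in->a] = (uint8_t)vm->reg[in->b];
            vm->mem_taint[in->a] = vm->reg_taint[in->b];
            break;
        case OP_ADD:                     /* result taint is the OR of the inputs */
            vm->reg[in->a] += vm->reg[in->b];
            vm->reg_taint[in->a] |= vm->reg_taint[in->b];
            break;
        case OP_JMPR:                    /* indirect jump through reg[a] */
            if (vm->reg_taint[in->a]) {  /* attacker-controlled target: log and stop */
                vm->alert_pc = vm->pc;
                return 1;
            }
            next = (int)vm->reg[in->a];
            break;
        case OP_HALT:
            return 0;
        }
        vm->pc = next;
    }
    return 0;
}

static const uint8_t PKT[] = { 0x03, 0x41, 0x42 };   /* constructed packet */

/* Taint flows packet -> memory -> register -> ADD -> JMPR: expected 1 (alert). */
static int scenario_attack(void) {
    static const struct insn prog[] = {
        { OP_NETRECV, 16, 0 }, { OP_LD, 0, 16 }, { OP_MOVI, 1, 4 },
        { OP_ADD, 0, 1 },      { OP_JMPR, 0, 0 }, { OP_HALT, 0, 0 },
    };
    struct vm vm; memset(&vm, 0, sizeof vm);
    return run(&vm, prog, 6, PKT, 3);
}

/* Same packet, but the jump target is a constant: expected 0 (clean). */
static int scenario_benign(void) {
    static const struct insn prog[] = {
        { OP_NETRECV, 16, 0 }, { OP_LD, 0, 16 }, { OP_ST, 32, 0 },
        { OP_MOVI, 1, 5 },     { OP_JMPR, 1, 0 }, { OP_HALT, 0, 0 },
    };
    struct vm vm; memset(&vm, 0, sizeof vm);
    return run(&vm, prog, 6, PKT, 3);
}

int main(void) {
    printf("attack scenario: %s\n", scenario_attack() ? "ALERT" : "clean");
    printf("benign scenario: %s\n", scenario_benign() ? "ALERT" : "clean");
    return 0;
}
```

The point the toy makes is that taint tracking is a property of the data, not of the code: copying network bytes around is harmless and raises nothing, while any value derived from them that ends up steering control flow is flagged, whatever sequence of instructions produced it.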