[Qemu-devel] Argos: qemu-based honeypot

[Qemu-devel] Argos: qemu-based honeypot

[Herbert Bos]

All,
I am happy to announce the first release of Argos: a full system 
emulator (based on Qemu) that detects attempts to compromise the system. 
It is meant to be used in a honeypot and offers full-system protection, 
i.e., it protects the kernel and all applications running on top.

Argos is  hosted at: http://www.few.vu.nl/~porto/argos

Note: while there is a full installation guide and info on how to run 
Argos, there is currently little additional documentation. We will add 
this as soon as possible. People interested in details should contact us 
for a technical report (the paper is currently under submission, so we 
cannot stick it on the website yet).

Cheers,
HJB

Here is the blurb from the website.

Argos is a /full/ and /secure/ system emulator designed for use in 
Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>, 
an open source processor emulator that uses dynamic translation to 
achieve a fairly good emulation speed.

We have extended QEMU to enable it to detect remote attempts to 
compromise the emulated guest operating system. Using dynamic taint 
analysis Argos tracks network data throughout the processor's execution 
and detects any attempts to use them in a malicious way. When an attack 
is detected the memory footprint of the attack is logged and the 
emulators exits.

Argos is the first step to create a framework that will use /next 
generation honeypots/ to automatically identify and produce remedies for 
zero-day worms, and other similar attacks. /Next generation honeypots/ 
should not require that the honeypot's IP address remains un-advertised. 
On the contrary, it should attempt to publicise its services and even 
actively generate traffic. In former honeypots this was often 
impossible, because malevolent and benevolent traffic could not be 
distinguished. Since Argos is explicitly signaling each possibly 
successful exploit attempt, we are now able to differentiate malicious 
attacks and innocuous traffic.

-------

Dr. Herbert Bos
Vrije Universiteit Amsterdam
www.cs.vu.nl/~herbertb

Re: [Qemu-devel] Argos: qemu-based honeypot

[Mulyadi Santosa]

Dear Dr Bos..

First, congratulations for the Argos release. Looks interesting for 
me..I'll give it a try ASAP.

> We have extended QEMU to enable it to detect remote attempts to
> compromise the emulated guest operating system. Using dynamic taint
> analysis Argos tracks network data throughout the processor's
> execution and detects any attempts to use them in a malicious way.
> When an attack is detected the memory footprint of the attack is
> logged and the emulators exits.

Pardon me, can you explain what dynamic taint means? Is it somekind of 
code instrumentation similar with Bochs? If yes, I'd love to study on 
how you do it since I am planning to do something like that since long 
time ago but still unable to dig deeper about Qemu internals...

regards

Mulyadi

Re: [Qemu-devel] Argos: qemu-based honeypot

[Tace]

Hi Herbert,
    I haven try it yet, but it seems very interesting! Btw, would it
be similar to the Minos (http://minos.cs.ucdavis.edu/) system,
implemented using Bochs?

On 12/21/05, Herbert Bos <herbertb@cs.vu.nl> wrote:
> All,
> I am happy to announce the first release of Argos: a full system
> emulator (based on Qemu) that detects attempts to compromise the system.
> It is meant to be used in a honeypot and offers full-system protection,
> i.e., it protects the kernel and all applications running on top.
>
> Argos is  hosted at: http://www.few.vu.nl/~porto/argos
>
> Note: while there is a full installation guide and info on how to run
> Argos, there is currently little additional documentation. We will add
> this as soon as possible. People interested in details should contact us
> for a technical report (the paper is currently under submission, so we
> cannot stick it on the website yet).
>
> Cheers,
> HJB
>
> Here is the blurb from the website.
>
> Argos is a /full/ and /secure/ system emulator designed for use in
> Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,
> an open source processor emulator that uses dynamic translation to
> achieve a fairly good emulation speed.
>
> We have extended QEMU to enable it to detect remote attempts to
> compromise the emulated guest operating system. Using dynamic taint
> analysis Argos tracks network data throughout the processor's execution
> and detects any attempts to use them in a malicious way. When an attack
> is detected the memory footprint of the attack is logged and the
> emulators exits.
>
> Argos is the first step to create a framework that will use /next
> generation honeypots/ to automatically identify and produce remedies for
> zero-day worms, and other similar attacks. /Next generation honeypots/
> should not require that the honeypot's IP address remains un-advertised.
> On the contrary, it should attempt to publicise its services and even
> actively generate traffic. In former honeypots this was often
> impossible, because malevolent and benevolent traffic could not be
> distinguished. Since Argos is explicitly signaling each possibly
> successful exploit attempt, we are now able to differentiate malicious
> attacks and innocuous traffic.
>
> -------
>
> Dr. Herbert Bos
> Vrije Universiteit Amsterdam
> www.cs.vu.nl/~herbertb
>
>
>
>
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel
>

Re: [Qemu-devel] Argos: qemu-based honeypot

[Herbert Bos]

Tace,

>Hi Herbert,
>    I haven try it yet, but it seems very interesting! Btw, would it
>be similar to the Minos (http://minos.cs.ucdavis.edu/) system,
>implemented using Bochs?
>  
>
Yes, it is a bit like Minos, but (a) considerably faster than the Minos 
implementation on Bochs (but then Minos was intended as a hardware 
solution, and Argos is not), and (b) we have actually done a bit more 
than what we have now released. For instance, we also implemented an 
automated signature generator, that makes an attempt to figure out which 
application is attacked (or indeed the kernel) and generates a Snort 
signature that can be used to block the worm. It is currently not stable 
enough to release. We do have a TR that describes how it works. Drop me 
an email and I will send it to you. In addition, we are working on a 
more advanced signature generator.

My knowledge of Minos is admittedly limited, but I also think it simpler 
to 'do stuff' in Argos (e.g., deal with register spring attacks) as we 
have convenient access to all aspects of the machine and both physical 
and virtual addresses. I realise this is a little speculative - perhaps 
a Minos person could comment.

HJB

>On 12/21/05, Herbert Bos <address@hidden> wrote:
>>/ All,/
>>/ I am happy to announce the first release of Argos: a full system/
>>/ emulator (based on Qemu) that detects attempts to compromise the system./
>>/ It is meant to be used in a honeypot and offers full-system protection,/
>>/ i.e., it protects the kernel and all applications running on top./
>>
>>/ Argos is  hosted at: http://www.few.vu.nl/~porto/argos <http://www.few.vu.nl/%7Eporto/argos>/
>>
>>/ Note: while there is a full installation guide and info on how to run/
>>/ Argos, there is currently little additional documentation. We will add/
>>/ this as soon as possible. People interested in details should contact us/
>>/ for a technical report (the paper is currently under submission, so we/
>>/ cannot stick it on the website yet)./
>>
>>/ Cheers,/
>>/ HJB/
>>
>>/ Here is the blurb from the website./
>>
>>/ Argos is a /full/ and /secure/ system emulator designed for use in/
>>/ Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,/
>>/ an open source processor emulator that uses dynamic translation to/
>>/ achieve a fairly good emulation speed./
>>
>>/ We have extended QEMU to enable it to detect remote attempts to/
>>/ compromise the emulated guest operating system. Using dynamic taint/
>>/ analysis Argos tracks network data throughout the processor's execution/
>>/ and detects any attempts to use them in a malicious way. When an attack/
>>/ is detected the memory footprint of the attack is logged and the/
>>/ emulators exits./
>>
>>/ Argos is the first step to create a framework that will use /next/
>>/ generation honeypots/ to automatically identify and produce remedies for/
>>/ zero-day worms, and other similar attacks. /Next generation honeypots//
>>/ should not require that the honeypot's IP address remains un-advertised./
>>/ On the contrary, it should attempt to publicise its services and even/
>>/ actively generate traffic. In former honeypots this was often/
>>/ impossible, because malevolent and benevolent traffic could not be/
>>/ distinguished. Since Argos is explicitly signaling each possibly/
>>/ successful exploit attempt, we are now able to differentiate malicious/
>>/ attacks and innocuous traffic./
>>
>>/ -------/
>>
>>/ Dr. Herbert Bos/
>>/ Vrije Universiteit Amsterdam/
>>/ www.cs.vu.nl/~herbertb/
>>
>>
>>
>>
>>/ _______________________________________________/
>>/ Qemu-devel mailing list/
>>/ address@hidden/
>>/ http://lists.nongnu.org/mailman/listinfo/qemu-devel/
>