From: Herbert Bos <herbertb@cs.vu.nl>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Argos: qemu-based honeypot
Date: Tue, 20 Dec 2005 21:47:50 +0100 [thread overview]
Message-ID: <43A86DF6.4080005@cs.vu.nl> (raw)
All,
I am happy to announce the first release of Argos: a full system
emulator (based on Qemu) that detects attempts to compromise the system.
It is meant to be used in a honeypot and offers full-system protection,
i.e., it protects the kernel and all applications running on top.
Argos is hosted at: http://www.few.vu.nl/~porto/argos
Note: while there is a full installation guide and info on how to run
Argos, there is currently little additional documentation. We will add
this as soon as possible. People interested in details should contact us
for a technical report (the paper is currently under submission, so we
cannot stick it on the website yet).
Cheers,
HJB
Here is the blurb from the website.
Argos is a /full/ and /secure/ system emulator designed for use in
Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,
an open source processor emulator that uses dynamic translation to
achieve a fairly good emulation speed.
We have extended QEMU to enable it to detect remote attempts to
compromise the emulated guest operating system. Using dynamic taint
analysis Argos tracks network data throughout the processor's execution
and detects any attempts to use them in a malicious way. When an attack
is detected the memory footprint of the attack is logged and the
emulators exits.
Argos is the first step to create a framework that will use /next
generation honeypots/ to automatically identify and produce remedies for
zero-day worms, and other similar attacks. /Next generation honeypots/
should not require that the honeypot's IP address remains un-advertised.
On the contrary, it should attempt to publicise its services and even
actively generate traffic. In former honeypots this was often
impossible, because malevolent and benevolent traffic could not be
distinguished. Since Argos is explicitly signaling each possibly
successful exploit attempt, we are now able to differentiate malicious
attacks and innocuous traffic.
-------
Dr. Herbert Bos
Vrije Universiteit Amsterdam
www.cs.vu.nl/~herbertb
next reply other threads:[~2005-12-20 20:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-12-20 20:47 Herbert Bos [this message]
2005-12-21 10:28 ` [Qemu-devel] Argos: qemu-based honeypot Mulyadi Santosa
2005-12-22 0:19 ` Tace
-- strict thread matches above, loose matches on Subject: below --
2005-12-23 21:03 Herbert Bos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43A86DF6.4080005@cs.vu.nl \
--to=herbertb@cs.vu.nl \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).