From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1EooPk-00066n-5D for qemu-devel@nongnu.org; Tue, 20 Dec 2005 15:48:52 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1EooPh-000666-RZ for qemu-devel@nongnu.org; Tue, 20 Dec 2005 15:48:51 -0500 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1EooPh-000660-Iq for qemu-devel@nongnu.org; Tue, 20 Dec 2005 15:48:49 -0500 Received: from [195.121.247.7] (helo=smtp16.wxs.nl) by monty-python.gnu.org with esmtp (Exim 4.34) id 1EooSs-0007UM-Mx for qemu-devel@nongnu.org; Tue, 20 Dec 2005 15:52:06 -0500 Received: from [127.0.0.1] (ip5453b0ce.speed.planet.nl [84.83.176.206]) by smtp16.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with ESMTP id <0IRT00KSNDRON4@smtp16.wxs.nl> for qemu-devel@nongnu.org; Tue, 20 Dec 2005 21:47:50 +0100 (CET) Date: Tue, 20 Dec 2005 21:47:50 +0100 From: Herbert Bos Message-id: <43A86DF6.4080005@cs.vu.nl> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1; format=flowed Content-transfer-encoding: 7BIT Subject: [Qemu-devel] Argos: qemu-based honeypot Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org All, I am happy to announce the first release of Argos: a full system emulator (based on Qemu) that detects attempts to compromise the system. It is meant to be used in a honeypot and offers full-system protection, i.e., it protects the kernel and all applications running on top. Argos is hosted at: http://www.few.vu.nl/~porto/argos Note: while there is a full installation guide and info on how to run Argos, there is currently little additional documentation. We will add this as soon as possible. People interested in details should contact us for a technical report (the paper is currently under submission, so we cannot stick it on the website yet). Cheers, HJB Here is the blurb from the website. Argos is a /full/ and /secure/ system emulator designed for use in Honeypots. It is based on QEMU , an open source processor emulator that uses dynamic translation to achieve a fairly good emulation speed. We have extended QEMU to enable it to detect remote attempts to compromise the emulated guest operating system. Using dynamic taint analysis Argos tracks network data throughout the processor's execution and detects any attempts to use them in a malicious way. When an attack is detected the memory footprint of the attack is logged and the emulators exits. Argos is the first step to create a framework that will use /next generation honeypots/ to automatically identify and produce remedies for zero-day worms, and other similar attacks. /Next generation honeypots/ should not require that the honeypot's IP address remains un-advertised. On the contrary, it should attempt to publicise its services and even actively generate traffic. In former honeypots this was often impossible, because malevolent and benevolent traffic could not be distinguished. Since Argos is explicitly signaling each possibly successful exploit attempt, we are now able to differentiate malicious attacks and innocuous traffic. ------- Dr. Herbert Bos Vrije Universiteit Amsterdam www.cs.vu.nl/~herbertb