Re: [Qemu-devel] Argos: qemu-based honeypot

From: Tace <tacetan@gmail.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Argos: qemu-based honeypot
Date: Thu, 22 Dec 2005 08:19:10 +0800	[thread overview]
Message-ID: <92c265230512211619v30aecaa3g2e0d8d9dfc45aad4@mail.gmail.com> (raw)
In-Reply-To: <43A86DF6.4080005@cs.vu.nl>

Hi Herbert,
    I haven try it yet, but it seems very interesting! Btw, would it
be similar to the Minos (http://minos.cs.ucdavis.edu/) system,
implemented using Bochs?

On 12/21/05, Herbert Bos <herbertb@cs.vu.nl> wrote:
> All,
> I am happy to announce the first release of Argos: a full system
> emulator (based on Qemu) that detects attempts to compromise the system.
> It is meant to be used in a honeypot and offers full-system protection,
> i.e., it protects the kernel and all applications running on top.
>
> Argos is  hosted at: http://www.few.vu.nl/~porto/argos
>
> Note: while there is a full installation guide and info on how to run
> Argos, there is currently little additional documentation. We will add
> this as soon as possible. People interested in details should contact us
> for a technical report (the paper is currently under submission, so we
> cannot stick it on the website yet).
>
> Cheers,
> HJB
>
> Here is the blurb from the website.
>
> Argos is a /full/ and /secure/ system emulator designed for use in
> Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,
> an open source processor emulator that uses dynamic translation to
> achieve a fairly good emulation speed.
>
> We have extended QEMU to enable it to detect remote attempts to
> compromise the emulated guest operating system. Using dynamic taint
> analysis Argos tracks network data throughout the processor's execution
> and detects any attempts to use them in a malicious way. When an attack
> is detected the memory footprint of the attack is logged and the
> emulators exits.
>
> Argos is the first step to create a framework that will use /next
> generation honeypots/ to automatically identify and produce remedies for
> zero-day worms, and other similar attacks. /Next generation honeypots/
> should not require that the honeypot's IP address remains un-advertised.
> On the contrary, it should attempt to publicise its services and even
> actively generate traffic. In former honeypots this was often
> impossible, because malevolent and benevolent traffic could not be
> distinguished. Since Argos is explicitly signaling each possibly
> successful exploit attempt, we are now able to differentiate malicious
> attacks and innocuous traffic.
>
> -------
>
> Dr. Herbert Bos
> Vrije Universiteit Amsterdam
> www.cs.vu.nl/~herbertb
>
>
>
>
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel
>