Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Abstract

We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit.

Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full-system Pentium emulator [2]. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of “buffer overflow exploits” prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful for understanding polymorphic techniques. The model not only aims at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also gives them shape. This paper quantifies the polymorphism available to an attacker for γ and π; characterizing ε in the same way is left for future work.
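As an added illustration that is not part of the paper, the toy machine below models the Minos policy described in [1]: one integrity bit per memory word, low integrity for anything written from the network, Biba low-water-mark propagation through copies and arithmetic [3], and a halt the instant a low-integrity word is about to be used as control data. It shows the abstract's central point in miniature, that stopping at the hijack point hands the analyst the bogus control data γ and the candidate payload π without π ever executing. The word-addressed memory, the stack layout, the vulnerable routine and the input words are all constructed for the example; the attack deliberately follows the simple "overflow into the return address" model that the paper says real exploits often exceed.

```python
"""Toy machine with Minos-style integrity tags (added example, not the paper's code).

Models the published Minos policy [1]: each memory word carries one integrity
bit; words written from an untrusted source (the network) are tagged low; the
tag follows data through copies and arithmetic (Biba low-water-mark [3]); and
the machine halts the instant a low-integrity word is about to be used as
control data, here a saved return address. Memory size, stack layout and input
words are constructed for the example.
"""
from dataclasses import dataclass, field

HIGH, LOW = True, False


@dataclass
class Word:
    value: int
    tag: bool = HIGH        # True = trusted, False = derived from untrusted input


class MinosTrap(Exception):
    """Raised at the hijack point with the pieces of the ε-γ-π model the honeypot can recover."""

    def __init__(self, gamma: int, gamma_addr: int, pi: list):
        super().__init__(f"low-integrity control data 0x{gamma:08x} loaded from word {gamma_addr}")
        self.gamma = gamma            # γ: the bogus control data that was about to be used
        self.gamma_addr = gamma_addr  # the corrupted slot it was loaded from
        self.pi = pi                  # π: run of low-integrity words at the target (candidate payload)


@dataclass
class Machine:
    size: int = 32
    mem: list = field(init=False)

    def __post_init__(self):
        self.mem = [Word(0) for _ in range(self.size)]

    def store(self, addr: int, value: int, tag: bool = HIGH) -> None:
        self.mem[addr] = Word(value & 0xFFFFFFFF, tag)

    def copy_from_network(self, dst: int, words: list) -> None:
        """Unchecked copy of attacker-supplied words (the exploit vector ε). Every word lands low."""
        for i, w in enumerate(words):
            self.store(dst + i, w, LOW)

    def add(self, dst: int, a: int, b: int) -> None:
        """ALU op with low-water-mark propagation: the result is high only if both inputs are high."""
        wa, wb = self.mem[a], self.mem[b]
        self.store(dst, wa.value + wb.value, wa.tag and wb.tag)

    def ret(self, ret_slot: int) -> int:
        """Load the saved return address. Minos checks the tag here, before control transfers."""
        w = self.mem[ret_slot]
        if w.tag is LOW:
            pi, a = [], w.value
            while a < self.size and self.mem[a].tag is LOW:   # gather the tainted run at the target
                pi.append(self.mem[a].value)
                a += 1
            raise MinosTrap(w.value, ret_slot, pi)
        return w.value


# Constructed stack layout: a 4-word buffer at words 8..11, saved return address in word 12.
BUF_BASE, BUF_WORDS = 8, 4
RET_SLOT = BUF_BASE + BUF_WORDS
LEGIT_RETURN = 0x00401000


def run(input_words: list):
    """Vulnerable routine: copies input into the 4-word buffer with no bound check, then returns.
    Returns ("ok", target) on a benign run or ("trapped", MinosTrap) when Minos halts the hijack."""
    m = Machine()
    m.store(RET_SLOT, LEGIT_RETURN, HIGH)   # pushed by a trusted caller
    m.copy_from_network(BUF_BASE, input_words)
    try:
        return "ok", m.ret(RET_SLOT)
    except MinosTrap as trap:
        return "trapped", trap


BENIGN = [0x41414141] * 4
# Constructed attack: filler standing in for π, then one extra word (γ) that overwrites the
# return slot and points back at the buffer, so π would run if the hijack went through.
ATTACK = [0x90909090, 0x90909090, 0xCCCCCCCC, 0xCCCCCCCC, BUF_BASE]

if __name__ == "__main__":
    print(run(BENIGN))
    status, trap = run(ATTACK)
    print(status, trap, "gamma=%d pi=%s" % (trap.gamma, [hex(x) for x in trap.pi]))
```

The benign input never touches word 12, so `ret` sees a high-integrity address and returns normally; the five-word input overwrites it with a low-integrity pointer into the buffer and the trap fires before any word at that address is treated as code, which is why a Minos honeypot can keep the full exploit (ε as the oversized copy, γ as the overwritten slot, π as the tainted run it points at) for analysis. In real Minos the tag is one bit per 32-bit word and the check sits on the hardware's control-transfer paths (returns and indirect calls and jumps through memory); `ret` here stands in for all of them. The `add` method matters because a target computed from tainted data, rather than copied directly, must also arrive low, or the check would be trivially bypassed.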


References

  1. Crandall, J.R., Chong, F.T.: Minos: Control data attack prevention orthogonal to memory model. In: 37th International Symposium on Microarchitecture (MICRO-37) (2004)

  2. Bochs: The Open Source IA-32 Emulation Project, home page (2005), http://bochs.sourceforge.net

  3. Biba, K.J.: Integrity considerations for secure computer systems. MITRE Technical Report TR-3153 (1977)

  4. Crandall, J.R., Chong, F.T.: A security assessment of the Minos architecture. In: Workshop on Architectural Support for Security and Anti-Virus (2004)

  5. von Clausewitz, C.: On War (1832)

  6. dark spyrit: Win32 buffer overflows (location, exploitation, and prevention). Phrack 55 (1999)

  7. Kolesnikov, O., Lee, W.: Advanced polymorphic worms: Evading IDS by blending in with normal traffic (2004)

  8. Litchfield, D.: Defeating the stack based buffer overflow prevention mechanism of Microsoft Windows 2003 Server. Black Hat Asia 2003 (2003), http://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

  9. Toth, T., Krügel, C.: Accurate buffer overflow detection via abstract payload execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 274–291. Springer, Heidelberg (2002)

  10. CLET team: Polymorphic shellcode engine using spectrum analysis. Phrack 61 (2003)

  11. ktwo: ADMmutate (2003), http://www.ktwo.ca

  12. Phantasmal Phantasmagoria: White paper on polymorphic evasion (2004), http://www.addict3d.org

  13. SANS Institute: SANS Intrusion Detection FAQ: What is polymorphism and what can it do? (2005)

  14. sk: History and advances in Windows shellcode. Phrack 62 (2004)

  15. Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: OSDI (2004)

  16. Nergal: The advanced return-into-lib(c) exploits: PaX case study. Phrack 58 (2001)

  17. Castaneda, F., Sezer, E.C., Xu, J.: WORM vs. WORM: Preliminary study of an active counter-attack mechanism. In: WORM 2004: Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 83–93. ACM Press, New York (2004)

  18. Pasupulati, A., Coit, J., Levitt, K., Wu, S., Li, S., Kuo, R., Fan, K.: Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In: 9th IEEE/IFIP Network Operations and Management Symposium (NOMS) (2004)

  19. Wang, H.J., Guo, C., Simon, D.R., Zugenmaier, A.: Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In: SIGCOMM 2004: Proceedings of the 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 193–204. ACM Press, New York (2004)

  20. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS) (2005)

  21. Spitzner, L.: The Honeynet Project: Trapping the hackers. IEEE Security and Privacy 1, 15–23 (2003)

  22. The Eurecom Honeypot Project: home page (2005), http://www.eurecom.fr/~pouget/projects.htm

  23. Staniford, S., Paxson, V., Weaver, N.: How to own the Internet in your spare time. In: Proceedings of the USENIX Security Symposium, pp. 149–167 (2002)

  24. Suh, G.E., Lee, J., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of ASPLOS-XI (2004)

  25. Sidiroglou, S., Keromytis, A.: Countering network worms through automatic patch generation (2003)

  26. Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J.B., Levine, J.G., Owen, H.L.: HoneyStat: Local worm detection using honeypots. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 39–58. Springer, Heidelberg (2004)

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Crandall, J.R., Wu, S.F., Chong, F.T. (2005). Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_3

  • DOI: https://doi.org/10.1007/11506881_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9
