Abstract
We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations in capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, which facilitates a detailed analysis of the exploit.
Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full-system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful for understanding polymorphic techniques. This model not only aims at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also gives them shape. This paper quantifies the polymorphism available to an attacker for γ and π, while characterizing ε in the same way is left for future work.
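To make the mechanism described above concrete, the following toy simulation is an added illustration, not code from the paper or the Minos project: each stored word carries one integrity bit, words written from the network are tagged low integrity, and the bit is checked at the return instruction, the point where the abstract says the hijack is stopped. The frame layout, the addresses and the request bytes are constructed for the example.

```python
from dataclasses import dataclass

HIGH, LOW = 1, 0          # one integrity bit per word, as in Minos
BUF_BASE, BUF_LEN = 0, 4  # constructed frame: a 4-word buffer ...
RET_SLOT = 6              # ... with the saved return address two words above it
LEGIT_RETURN = 0x1000     # constructed address of the legitimate caller


@dataclass
class Word:
    value: int
    integrity: int


class MinosError(Exception):
    """Raised when a low-integrity word is about to become the program counter."""


class ToyMachine:
    def __init__(self, minos=True):
        self.minos = minos
        self.stack = [Word(0, HIGH) for _ in range(8)]
        self.stack[RET_SLOT] = Word(LEGIT_RETURN, HIGH)

    def recv_into_buffer(self, data: bytes):
        """Unbounded strcpy-style copy: the vulnerable step.  Each stored word is
        tagged LOW because its source is the network (Biba-style integrity)."""
        for i, b in enumerate(data):
            if BUF_BASE + i >= len(self.stack):
                break                       # ran off the end of the constructed stack
            self.stack[BUF_BASE + i] = Word(b, LOW)

    def ret(self) -> int:
        """Return instruction.  With Minos on, the check sits exactly at the
        control transfer, so the hijack is stopped before any attacker-chosen
        instruction runs; with it off, the bogus address is used as-is."""
        w = self.stack[RET_SLOT]
        if self.minos and w.integrity == LOW:
            raise MinosError(f"pc <- {w.value:#x} from low-integrity word")
        return w.value


def handle_request(data: bytes, minos=True):
    """Simulate one request; returns ('ok', pc), ('blocked', pc) or ('hijacked', pc)."""
    m = ToyMachine(minos)
    m.recv_into_buffer(data)
    try:
        pc = m.ret()
    except MinosError:
        return ("blocked", m.stack[RET_SLOT].value)
    return ("ok", pc) if pc == LEGIT_RETURN else ("hijacked", pc)
```

A request that fits the buffer returns normally; an overlong one that reaches the return slot is reported as blocked with Minos on and as hijacked with it off, which is the "before" view an analyst gets from a Minos honeypot at the moment of capture.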
References
Crandall, J.R., Chong, F.T.: Minos: Control data attack prevention orthogonal to memory model. In: The 37th International Symposium on Microarchitecture (2004)
Bochs: The Open Source IA-32 Emulation Project, Home Page (2005), http://bochs.sourceforge.net
Biba, K.J.: Integrity considerations for secure computer systems. In: MITRE Technical Report TR-3153 (1977)
Crandall, J.R., Chong, F.T.: A security assessment of the Minos architecture. In: Workshop on Architectural Support for Security and Anti-Virus (2004)
von Clausewitz, C.: On War (1832)
dark spyrit: Win32 Buffer Overflows (Location, Exploitation, and Prevention), Phrack 55 (1999)
Kolesnikov, O., Lee, W.: Advanced polymorphic worms: Evading IDS by blending in with normal traffic (2004)
Litchfield, D.: Defeating the stack based buffer overflow prevention mechanism of Microsoft Windows 2003 Server. Black Hat Asia 2003 (2003), http://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf
Toth, T., Krügel, C.: Accurate buffer overflow detection via abstract payload execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 274–291. Springer, Heidelberg (2002)
CLET team: Polymorphic Shellcode Engine Using Spectrum Analysis, Phrack 61 (2003)
ktwo: ADMmutate (2003), http://www.ktwo.ca
Phantasmal Phantasmagoria: White Paper on Polymorphic Evasion (2004), Available at http://www.addict3d.org
SANS Institute: SANS Intrusion Detection FAQ: What is polymorphism and what can it do? (2005)
sk: History and Advances in Windows Shellcode, Phrack 62 (2004)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: OSDI (2004)
Nergal: The advanced return-into-lib(c) exploits: PaX case study. Phrack 58 (2001)
Castaneda, F., Sezer, E.C., Xu, J.: WORM vs. WORM: preliminary study of an active counter-attack mechanism. In: WORM 2004: Proceedings of the 2004 ACM workshop on Rapid malcode, pp. 83–93. ACM Press, New York (2004)
Pasupulati, A., Coit, J., Levitt, K., Wu, S., Li, S., Kuo, R., Fan, K.: Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In: 9th IEEE/IFIP Network Operation and Management Symposium (2004)
Wang, H.J., Guo, C., Simon, D.R., Zugenmaier, A.: Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In: SIGCOMM 2004: Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 193–204. ACM Press, New York (2004)
Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (2005)
Spitzner, L.: The honeynet project: Trapping the hackers. IEEE Security and Privacy 1, 15–23 (2003)
The Eurecom Honeypot Project: (Home Page) (2005), http://www.eurecom.fr/~pouget/projects.htm
Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of the USENIX Security Symposium, pp. 149–167 (2002)
Suh, G.E., Lee, J., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of ASPLOS-XI (2004)
Sidiroglou, S., Keromytis, A.: Countering network worms through automatic patch generation (2003)
Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J.B., Levine, J.G., Owen, H.L.: Honeystat: Local worm detection using honeypots. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 39–58. Springer, Heidelberg (2004)
© 2005 Springer-Verlag Berlin Heidelberg
Crandall, J.R., Wu, S.F., Chong, F.T. (2005). Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_3
DOI: https://doi.org/10.1007/11506881_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9