Eudaemon: Argos-like protection on the desktop

May 6th, 2008 by Vrije Universiteit, Amsterdam

“Essentially, Eudaemon is a ‘good spirit’ that possesses processes in order to protect them from evil.”

Despite all of the attractive properties of Argos and the various signature generators, we are still missing some attacks: those on the client side. Honeypots have the disadvantage that they mostly act like servers and wait for attackers to contact them. However, client-side attacks are on the rise. In such attacks, the client visits a malicious website and is infected by its content. Honeypots never see such attacks.

Moreover, the Argos honeypot only protects the exact configuration that is actually running on top of its emulator. If the production machines have a slightly different configuration (e.g., a different version of the OS, applications, or plugins), Argos may miss attacks. So, ideally we would like to protect the ‘real’ machines.

In the Eudaemon project, some of the groundwork is done for implementing techniques to bring Argos-like honeypot technology to the desktop of normal users. In other words: client-side protection. This is a major challenge as the emulator that implements all the required instrumentation to detect attacks incurs a slowdown of a factor 15-20. As a result, running a desktop PC in instrumented mode constantly is probably not acceptable.

Instead, the idea is to take over running processes and force them to continue running in honeypot mode when needed or when possible. For instance, in the former case one may run a browser in honeypot mode when we click on an unknown URL in an email message. The browser is then protected against browser attacks by malicious server content. In the latter case, one may switch all of the user’s networking applications to honeypot mode when the machine is idle. For instance, we may switch to honeypot mode as a screensaver.

The mechanism for doing this is described in the Eudaemon paper presented at EUROSYS 2008 in Glasgow.

WIT: Write Integrity Testing

April 23rd, 2008 by Vrije Universiteit, Amsterdam

Cool stuff from the people at MSR Cambridge. Their latest Oakland paper on write integrity checking provides a nice solution for various memory exploits that may otherwise lead to a machine being compromised. Their method uses points-to analysis at compile time to generate the control flow graph as well as the set of objects that can be written by each instruction. It then instruments these instructions to make sure that they do not write to objects that are not in the set (and also to ensure that indirect control flow transfers are valid). Runtime overhead is very small. I guess the main catch is that you have to sit on the source code - which is not the case for anyone other than Microsoft. Nevertheless, very good work.
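To make the write-side of the idea concrete, here is an added toy illustration (written for this blog entry, not MSR's implementation or code from the paper): every word of a small arena carries a colour in a shadow table, every store instruction is statically tagged with the colour of the objects the points-to analysis says it may write, and a word between objects is a guard that no instruction may write. The unchecked copy loop is the "before"; the checked loop is the same loop with the store instrumented. Object sizes, colours and the 6-word input are constructed for the example; the indirect-control-flow check of the paper is not shown.

```c
/* Simplified write-integrity check: a shadow colour per arena word, a colour
 * per store instruction, and a guard colour that no store may match.
 * Constructed example; the real system works at instruction level in the
 * compiled binary and aborts on a mismatch instead of counting it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_WORDS   16
#define GUARD_COLOUR  0          /* no store instruction carries colour 0 */

static uint32_t arena[ARENA_WORDS];   /* the "heap" */
static uint8_t  shadow[ARENA_WORDS];  /* colour of each arena word */
static int      violations;           /* stores refused by the check */

/* Give words [start, start+len) colour c; returns the object's start index. */
static size_t wit_alloc(size_t start, size_t len, uint8_t c) {
    for (size_t i = start; i < start + len; i++) shadow[i] = c;
    return start;
}

/* A store instruction statically tagged with colour c: the write is allowed
 * only if the target word has the same colour. */
static int wit_store(size_t idx, uint8_t c, uint32_t value) {
    if (idx >= ARENA_WORDS || shadow[idx] != c) {
        violations++;
        return 0;                     /* refuse the write */
    }
    arena[idx] = value;
    return 1;
}

/* "Before": an unchecked copy loop that trusts n. */
static void copy_unchecked(size_t dst, const uint32_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) arena[dst + i] = src[i];
}

/* "After": the same loop with its store instrumented; stops at the first
 * colour mismatch and returns how many words were written. */
static size_t copy_checked(size_t dst, const uint32_t *src, size_t n, uint8_t c) {
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (!wit_store(dst + i, c, src[i])) break;
        written++;
    }
    return written;
}

/* Lay out buf (4 words, colour 2), a guard word, and secret (2 words,
 * colour 3), then copy a constructed 6-word input into buf, which is two
 * words too long. Returns the value of secret[0] afterwards. */
uint32_t demo_copy(int checked) {
    const uint32_t input[6] = {1, 2, 3, 4, 0xBAD, 0xBAD};   /* constructed */
    memset(arena, 0, sizeof arena);
    memset(shadow, GUARD_COLOUR, sizeof shadow);            /* all guard by default */
    violations = 0;
    size_t buf    = wit_alloc(1, 4, 2);
    size_t secret = wit_alloc(6, 2, 3);                      /* word 5 stays a guard */
    arena[secret] = 0xC0FFEE;
    if (checked) copy_checked(buf, input, 6, 2);
    else         copy_unchecked(buf, input, 6);
    return arena[secret];
}

int wit_violations(void) { return violations; }

int main(void) {
    printf("unchecked: secret = 0x%X\n", demo_copy(0));   /* overwritten with 0xBAD */
    printf("checked:   secret = 0x%X, violations = %d\n", demo_copy(1), wit_violations());
    return 0;
}
```

The overflow is stopped at the guard word between the two objects, so the adjacent `secret` survives; in the real scheme the mismatch would terminate the process rather than silently dropping the store.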

NoAH Router ready to catch attacks

March 31st, 2008 by Alcatel-Lucent

The NoAH Router developed in the context of NoAH has successfully passed the last tests and is now ready to catch attacks on the Internet.

The innovative concept of the NoAH Router makes it possible to detect suspicious flows that are currently not seen by existing honeypots. Being deployed on a router at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.

NoAHDB tool version 0.2 is out!

March 27th, 2008 by vtrip

NoAHDB is a command line tool that parses the log files emitted by the Argos honeypot and populates the tables of a MySQL database. The goal of NoAHDB is to assist the network administrator in collecting and analysing all that precious information emitted by the Argos honeypot.

For more information on the NoAHDB tool, please visit the NoAHDB homepage.

NoAH Database Management Interface version 0.0.2 is out!

March 18th, 2008 by vtrip

NoAH Database Management Interface (NOAHIF) is a web application (based on the Ruby on Rails web framework) that eases the management of a network of honeypots. Information concerning the location of the sensors/honeypots, their hardware and software configuration, and the services running on them is easily managed.

For more information on NOAHIF, please visit the NOAHIF homepage.

Argos version 0.4.0 released

March 14th, 2008 by Vrije Universiteit, Amsterdam

Finally, the long-awaited port to the QEMU 0.9.* series is here. Argos v0.4.0 is based upon QEMU v0.9.1.

Some useful changes follow:

version 0.9.1:

  • TFTP booting from host directory (Anthony Liguori, Erwan Velu)
  • Tap device emulation for Solaris (Sittichai Palanisong)
  • Monitor multiplexing to several I/O channels (Jason Wessel)
  • CPU model selection support (J. Mayer, Paul Brook, Herve Poussineau)
  • Read-only support for Parallels disk images (Alex Beregszaszi)
  • SVM (x86 virtualization) support (Alexander Graf)
  • Intel mainstone II board emulation (Armin Kuster)
  • VMware SVGA II graphics card support (Andrzej Zaborowski)

version 0.9.0:

  • Support for relative paths in backing files for disk images
  • Async file I/O API
  • New qcow2 disk image format
  • Support of multiple VM snapshots
  • Linux: specific host CDROM and floppy support
  • SMM support
  • Moved PCI init, MP table init and ACPI table init to Bochs BIOS
  • several x86 and x86_64 emulation fixes
  • Mouse relative offset VNC extension (Anthony Liguori)
  • PXE boot support (Anthony Liguori)
  • ‘-daemonize’ option (Anthony Liguori)

Additional changes, besides the port, include a double taintness check before executing a piece of code, to ensure that attackers’ injected code is always detected at the moment it is first executed. The check is performed whenever a TB (translation block) is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover the TB chaining performed by QEMU to speed up emulation: chained blocks jump directly to one another without returning to the scheduler, so a check at scheduling time alone would miss them. In the future we might consider disabling chaining, if a single check offers a significant performance gain.
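Why the second check is needed can be shown with an added toy model (written for this post; not Argos or QEMU code): a few bytes of memory carry a taint shadow, bytes that arrived "from the network" are tainted, and each one-instruction block is the analogue of a TB. With chaining enabled, a block transfers control to its successor without going through the dispatcher, so a taint check done only at dispatch time is skipped and the tainted bytes run; a check at the point where EIP is modified catches the transfer. The bytecode, memory layout and the tainted region are constructed for the example.

```c
/* Toy model of taint-check placement in a chaining emulator. Constructed
 * example: two-byte instructions, one instruction per "block", and a region
 * of memory marked tainted as if it had been received from the network. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
enum { OP_NOP = 0, OP_JMP = 1, OP_HALT = 2 };

enum result { RAN_CLEAN, ALERT_AT_DISPATCH, ALERT_AT_EIP_CHANGE, EXECUTED_TAINTED };

static uint8_t mem[MEM_SIZE];
static uint8_t taint[MEM_SIZE];   /* 1 = byte originated from the network */

/* Block A at 0 jumps to block B at 10; B jumps to 30, where the bytes that
 * came in over the network (here: zeros, i.e. NOPs) were stored. */
static void setup_memory(void) {
    memset(mem, OP_HALT, sizeof mem);
    memset(taint, 0, sizeof taint);
    mem[0] = OP_JMP; mem[1] = 10;
    mem[10] = OP_JMP; mem[11] = 30;
    memset(mem + 30, OP_NOP, 10);      /* "received" payload */
    memset(taint + 30, 1, 10);         /* ... and therefore tainted */
}

/* Run from address 0. chaining: blocks pass control directly to the next
 * block instead of returning to the dispatcher. check_on_eip_change: the
 * translated block itself checks the taint of the new EIP before jumping. */
enum result argos_run(int chaining, int check_on_eip_change) {
    setup_memory();
    size_t eip = 0;
    int scheduled_by_dispatcher = 1;
    for (int steps = 0; steps < 100; steps++) {
        /* Check 1: done by the dispatcher when it schedules a block. */
        if (scheduled_by_dispatcher && taint[eip]) return ALERT_AT_DISPATCH;
        /* Reaching here with a tainted EIP means injected bytes execute. */
        if (taint[eip]) return EXECUTED_TAINTED;

        uint8_t op = mem[eip];
        if (op == OP_HALT) return RAN_CLEAN;
        size_t next = (op == OP_JMP) ? mem[eip + 1] : eip + 1;
        if (next >= MEM_SIZE) return RAN_CLEAN;

        /* Check 2: done inside the translated code when EIP is modified. */
        if (check_on_eip_change && taint[next]) return ALERT_AT_EIP_CHANGE;

        eip = next;
        scheduled_by_dispatcher = !chaining;   /* chained blocks skip the dispatcher */
    }
    return RAN_CLEAN;
}

static const char *name(enum result r) {
    static const char *names[] = {"ran clean", "alert at dispatch",
                                  "alert at EIP change", "EXECUTED TAINTED CODE"};
    return names[r];
}

int main(void) {
    printf("no chaining, dispatch check only : %s\n", name(argos_run(0, 0)));
    printf("chaining,    dispatch check only : %s\n", name(argos_run(1, 0)));
    printf("chaining,    both checks         : %s\n", name(argos_run(1, 1)));
    return 0;
}
```

Without chaining the dispatcher's check is enough; with chaining only the check at the EIP modification stops the jump into tainted memory, which is the case the double check in 0.4.0 covers.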

For more information on Argos visit: http://www.few.vu.nl/argos

Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines

March 14th, 2008 by vtrip

Imagine that a new worm is released at 10pm and that after half an hour it has infected a few thousand computers (10.30pm). Suppose that the goal of this worm is to coordinate a DDoS attack against a critical information system, such as the root DNS servers, at 11.30pm. Suppose also that we could avert this attack if we knew about it half an hour before. Are 30 minutes enough for humans to analyze the worm and find out its malicious goal? I believe not.

So we need a way to automatically analyze the above worm and find the time at which this attack will take place as well as the details of the attack (DDoS against the root DNS servers). Crandall et al. propose a framework to automate the process of finding the time at which the attack will take place. Although manual analysis is still required for finding out the details of the attack, this is a step in the right direction.

To be more specific, the authors propose a novel virtual-machine-based analysis technique for automating the process of discovering the timetable of a piece of malware. The obvious advantage of automating this process is that it requires less time than careful human analysis. Given that malware is expected to spread faster and faster in the years to come, such information provides invaluable assistance in defending against malware.

The main contributions of this paper are that it proposes a framework for a problem space nobody has looked at in the past and that it identifies many of the challenges in this new problem space.

Source: Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines, Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, and Frederic T. Chong.

Call for papers: EuroSec Security Workshop 2008

February 7th, 2008 by FORTH

EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

EuroSec seeks contributions on all aspects of systems security. You are hereby invited to submit papers of 6-8 single-spaced pages (including figures, tables and references). Font size should be 10pt. The format of submitted papers should correspond to our LaTeX style file (see http://www.cs.vu.nl/eurosec08/).

EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only papers with original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the ACM Digital Library.

EuroSec will be held on the 31st of March, 2008, in Glasgow, Scotland.

Important Dates

  • Paper submission: 15 Feb 2008
  • Acceptance notification: 1 Mar 2008
  • Final paper due: 14 Mar 2008
  • Workshops: 31 Mar 2008


Got Honey?

February 5th, 2008 by FORTH


Welcome! This is the blog of the NoAH project. NoAH is an EU-funded project that aims to develop a pilot infrastructure for automatically gathering and analyzing information about Internet cyber-attacks and their nature.


This blog is authored by members of the NoAH consortium. Its main purpose is to discuss the latest news (good or bad) on honeypots, worms, malware and IT security and defense in general. Of course, there will also be posts regarding news of the NoAH project (workshops, published papers and articles, etc.).

Currently the consortium is preparing the organization of the 2nd NoAH workshop. It will be held between 19 and 22 May 2008 as one of the 2008 TERENA Networking Conference sessions in Bruges, Belgium. Stay tuned for updates!