Re: [Qemu-devel] Argos: qemu-based honeypot

[Herbert Bos]

Tace,

> Hi Herbert,
>    I haven try it yet, but it seems very interesting! Btw, would it
> be similar to the Minos (http://minos.cs.ucdavis.edu/) system,
> implemented using Bochs?
>  
Yes, it is a bit like Minos, but (a) considerably faster than the Minos 
implementation on Bochs (but then Minos was intended as a hardware 
solution, and Argos is not), and (b) we have actually done a bit more 
than what we have now released. For instance, we also implemented an 
automated signature generator, that makes an attempt to figure out which 
application is attacked (or indeed the kernel) and generates a Snort 
signature that can be used to block the worm. It is currently not stable 
enough to release. We do have a TR that describes how it works. Drop me 
an email and I will send it to you. In addition, we are working on a 
more advanced signature generator.

My knowledge of Minos is admittedly limited, but I also think it simpler 
to 'do stuff' in Argos (e.g., deal with register spring attacks) as we 
have convenient access to all aspects of the machine and both physical 
and virtual addresses. I realise this is a little speculative - perhaps 
a Minos person could comment.

HJB

> On 12/21/05, Herbert Bos <address@hidden> wrote:
> > / All,/
> > / I am happy to announce the first release of Argos: a full system/
> > / emulator (based on Qemu) that detects attempts to compromise the system./
> > / It is meant to be used in a honeypot and offers full-system protection,/
> > / i.e., it protects the kernel and all applications running on top./
> >
> > / Argos is  hosted at: http://www.few.vu.nl/~porto/argos 
> > <http://www.few.vu.nl/%7Eporto/argos>/
> >
> > / Note: while there is a full installation guide and info on how to run/
> > / Argos, there is currently little additional documentation. We will add/
> > / this as soon as possible. People interested in details should contact us/
> > / for a technical report (the paper is currently under submission, so we/
> > / cannot stick it on the website yet)./
> >
> > / Cheers,/
> > / HJB/
> >
> > / Here is the blurb from the website./
> >
> > / Argos is a /full/ and /secure/ system emulator designed for use in/
> > / Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,/
> > / an open source processor emulator that uses dynamic translation to/
> > / achieve a fairly good emulation speed./
> >
> > / We have extended QEMU to enable it to detect remote attempts to/
> > / compromise the emulated guest operating system. Using dynamic taint/
> > / analysis Argos tracks network data throughout the processor's execution/
> > / and detects any attempts to use them in a malicious way. When an attack/
> > / is detected the memory footprint of the attack is logged and the/
> > / emulators exits./
> >
> > / Argos is the first step to create a framework that will use /next/
> > / generation honeypots/ to automatically identify and produce remedies for/
> > / zero-day worms, and other similar attacks. /Next generation honeypots//
> > / should not require that the honeypot's IP address remains un-advertised./
> > / On the contrary, it should attempt to publicise its services and even/
> > / actively generate traffic. In former honeypots this was often/
> > / impossible, because malevolent and benevolent traffic could not be/
> > / distinguished. Since Argos is explicitly signaling each possibly/
> > / successful exploit attempt, we are now able to differentiate malicious/
> > / attacks and innocuous traffic./
> >
> > / -------/
> >
> > / Dr. Herbert Bos/
> > / Vrije Universiteit Amsterdam/
> > / www.cs.vu.nl/~herbertb/
> >
> >
> >
> >
> > / _______________________________________________/
> > / Qemu-devel mailing list/
> > / address@hidden/
> > / http://lists.nongnu.org/mailman/listinfo/qemu-devel/