NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
TRANSCRIPT
Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
Tamas K Lengyel
University of Connecticut
The limitations

Low-interaction honeypots:
● "Artificial" attack surface
● Limited information about the attacks
● Easily identified

High-interaction honeypots:
● Complexity
● Maintenance
● High risk
Hybrid honeypot
Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
Serve attackers from the low-interaction honeypot by default, and hand a session over to a high-interaction honeypot only when something "interesting" is happening.
How do you define "interesting"?
VMI-Honeymon http://vmi-honeymon.sf.net
● Fidelity via Virtual Machine Introspection
○ LibVMI
○ Volatility
○ LibGuestFS
● Scalability via Virtual Machine Cloning
○ QEMU copy-on-write disk
○ Xen copy-on-write RAM
Issues: clone routing

Clones share IP and MAC address!
○ Post-cloning in-guest network reconfiguration should be avoided
○ Separate bridge/VLAN required for each clone to avoid collision
○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones
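The hand-off policy from the hybrid-honeypot slide and the clone-routing issue above, as one added illustration (not code from VMI-Honeymon or Honeybrid): a session controller that keeps each attacker on the low-interaction honeypot until its first "interesting" payload, then allocates a clone HIH and emits the host-side iptables/iproute2 rules that steer that attacker's packets onto the clone's own bridge. Everything specific here is an assumption for illustration: the "interesting" test (a payload that is not a known scanner probe) is one simple choice, since the slides leave the definition open; the guest IP/MAC, the bridge names brN and the fwmark-per-clone scheme are invented; the rules are generated as strings rather than executed; and Honeybrid's replay of the already-completed LIH handshake to the HIH is not modelled.

```python
"""Hybrid honeynet session controller (added illustration, not from the
slides).  Clones all boot from one snapshot and keep the same guest IP and
MAC; the gateway tells them apart by bridge, using an fwmark and a
policy-routing table per clone.  All values below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GUEST_IP = "10.0.0.10"            # shared by every clone (assumed value)
GUEST_MAC = "00:16:3e:00:00:10"   # shared by every clone (assumed value)

# Constructed sample of probes the low-interaction honeypot answers itself;
# any other payload after the handshake counts as "interesting".
KNOWN_PROBES = (
    b"GET / HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.1\r\n",
    b"SSH-2.0-",
)


def is_interesting(payload: bytes) -> bool:
    """True when the LIH cannot plausibly satisfy this payload itself."""
    if not payload:
        return False                      # handshake only, nothing to judge yet
    return not any(payload.startswith(p) for p in KNOWN_PROBES)


@dataclass
class Clone:
    index: int
    bridge: str                           # dedicated bridge, e.g. "br1"

    @property
    def mark(self) -> int:
        return self.index + 1             # fwmark 0 means "unmarked"

    def setup_rules(self) -> List[str]:
        """Host plumbing done once when the clone comes up.

        A routing table per clone lets several bridges carry the same
        destination address, and a permanent per-device neighbour entry
        pins the shared MAC so no ARP lookup sees duplicate answers.  The
        guest itself is never touched, as the slide requires."""
        return [
            f"ip rule add fwmark {self.mark} lookup {self.mark}",
            f"ip route add {GUEST_IP}/32 dev {self.bridge} table {self.mark}",
            f"ip neigh replace {GUEST_IP} lladdr {GUEST_MAC} dev {self.bridge} nud permanent",
        ]

    def session_rule(self, attacker: str, action: str = "-A") -> str:
        """Mark one attacker's packets so policy routing picks this clone."""
        return (f"iptables -t mangle {action} PREROUTING -s {attacker} "
                f"-d {GUEST_IP} -j MARK --set-mark {self.mark}")


@dataclass
class Decision:
    target: str                           # "LIH" or "HIH"
    clone: Optional[int] = None
    rules: List[str] = field(default_factory=list)


class HybridController:
    def __init__(self, num_clones: int):
        self.clones = [Clone(i, f"br{i + 1}") for i in range(num_clones)]
        self.free = list(range(num_clones))
        self.sessions: Dict[str, int] = {}    # attacker IP -> clone index

    def clone_setup(self) -> List[str]:
        return [r for c in self.clones for r in c.setup_rules()]

    def handle(self, attacker: str, payload: bytes) -> Decision:
        if attacker in self.sessions:          # already on a HIH: stay there
            return Decision("HIH", self.sessions[attacker])
        if not is_interesting(payload) or not self.free:
            return Decision("LIH")             # LIH answers; also the fallback when the pool is empty
        idx = self.free.pop(0)
        self.sessions[attacker] = idx
        return Decision("HIH", idx, [self.clones[idx].session_rule(attacker)])

    def end_session(self, attacker: str) -> List[str]:
        """Release the clone and return the rule that undoes the mark."""
        idx = self.sessions.pop(attacker)
        self.free.append(idx)
        return [self.clones[idx].session_rule(attacker, "-D")]
```

Because every clone answers to the same address, an ordinary route for GUEST_IP would be ambiguous; selecting a per-clone table by fwmark and pinning a per-device neighbour entry keeps the duplicates apart on the host side only, which is exactly the constraint the slide states (no post-cloning reconfiguration inside the guest). When the clone pool is exhausted the controller simply leaves the attacker on the LIH, so a burst of scanners cannot starve the HIHs.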
Memsharing results

6207 attack sessions on clone HIHs in two weeks (single IP address)
Tested guests: Windows XP SP3 x86 (128MB RAM); Windows 7 SP1 x86 (1GB RAM)
Future work
● Clone routing using Open vSwitch & OpenFlow
● Auto-balloon number of HIHs
● Mix Linux and Windows HIHs with additional software packages installed
● Test large-scale deployment (/24)
● Zazen IDS!