Experiences using minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities

Authors:
Jedidiah R. Crandall;S. Felix Wu;Frederic T. Chong
Affiliations:
Computer Science Department, University of California at Davis;Computer Science Department, University of California at Davis;Computer Science Department, University of California at Davis
Venue:
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2005

Citing 8
Cited 15

How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
The Honeynet Project: Trapping the Hackers

IEEE Security and Privacy
Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Secure program execution via dynamic information flow tracking

ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
WORM vs. WORM: preliminary study of an active counter-attack mechanism

Proceedings of the 2004 ACM workshop on Rapid malcode
Minos: Control Data Attack Prevention Orthogonal to Memory Model

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Accurate buffer overflow detection via abstract payload execution

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Proceedings of the 12th ACM conference on Computer and communications security
Temporal search: detecting hidden malware timebombs with virtual machines

Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
Finding diversity in remote code injection exploits

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Minos: Architectural support for protecting control data

ACM Transactions on Architecture and Code Optimization (TACO)
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Where's the FEEB? the effectiveness of instruction set randomization

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

Proceedings of the 14th ACM conference on Computer and communications security
A polymorphic shellcode detection mechanism in the network

Proceedings of the 2nd international conference on Scalable information systems
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software

ACM Transactions on Information and System Security (TISSEC)
Lightweight static analysis to detect polymorphic exploit code with static analysis resistant technique

ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Return-oriented programming without returns

Proceedings of the 17th ACM conference on Computer and communications security
On information flow for intrusion detection: what if accurate full-system dynamic information flow tracking was possible?

Proceedings of the 2010 workshop on New security paradigms
Network–Level polymorphic shellcode detection using emulation

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Allergy attack against automatic signature generation

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Holographic vulnerability studies: vulnerabilities as fractures in interpretation as information flows across abstraction boundaries

Proceedings of the 2012 workshop on New security paradigms

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of “buffer overflow exploits” prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.