[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] Argos: qemu-based honeypot
From: |
Herbert Bos |
Subject: |
[Qemu-devel] Argos: qemu-based honeypot |
Date: |
Tue, 20 Dec 2005 21:47:50 +0100 |
User-agent: |
Mozilla Thunderbird 1.0 (Windows/20041206) |
All,
I am happy to announce the first release of Argos: a full system
emulator (based on Qemu) that detects attempts to compromise the system.
It is meant to be used in a honeypot and offers full-system protection,
i.e., it protects the kernel and all applications running on top.
Argos is hosted at: http://www.few.vu.nl/~porto/argos
Note: while there is a full installation guide and info on how to run
Argos, there is currently little additional documentation. We will add
this as soon as possible. People interested in details should contact us
for a technical report (the paper is currently under submission, so we
cannot stick it on the website yet).
Cheers,
HJB
Here is the blurb from the website.
Argos is a /full/ and /secure/ system emulator designed for use in
Honeypots. It is based on QEMU <http://fabrice.bellard.free.fr/qemu/>,
an open source processor emulator that uses dynamic translation to
achieve a fairly good emulation speed.
We have extended QEMU to enable it to detect remote attempts to
compromise the emulated guest operating system. Using dynamic taint
analysis Argos tracks network data throughout the processor's execution
and detects any attempts to use them in a malicious way. When an attack
is detected the memory footprint of the attack is logged and the
emulators exits.
Argos is the first step to create a framework that will use /next
generation honeypots/ to automatically identify and produce remedies for
zero-day worms, and other similar attacks. /Next generation honeypots/
should not require that the honeypot's IP address remains un-advertised.
On the contrary, it should attempt to publicise its services and even
actively generate traffic. In former honeypots this was often
impossible, because malevolent and benevolent traffic could not be
distinguished. Since Argos is explicitly signaling each possibly
successful exploit attempt, we are now able to differentiate malicious
attacks and innocuous traffic.
-------
Dr. Herbert Bos
Vrije Universiteit Amsterdam
www.cs.vu.nl/~herbertb
- [Qemu-devel] Argos: qemu-based honeypot,
Herbert Bos <=