worm blog: Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

« A FastWorm Scan Detection Tool for VPN Congestion Avoidance | Main | Experiences With Internet Traffic Measurement and Analysis »

Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

Time got away from me the past few days, better late than never. This is an interesting paper mixing host-level behaviors with detecting new worm activity.

We present a honeypot technique based on an emulated environment of the Minos architecture and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control ow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π); but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.

Source: Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities, Jedidiah R. Crandall, S. Felix Wu, and Frederic T. Chong.

September 26, 2006 in detection, papers | Permalink
Tell others: digg submit | del.icio.us this | Reddit