capturing cpe and iot zero days
play

capturing CPE and IoT zero days Alexander Vetterl and Richard - PowerPoint PPT Presentation

Oct 06, 2023 •34 likes •224 views

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

  1. Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research — November 14, 2019

  2. Introduction Honeypot: A resource whose value is being attacked or compromised — We are good in building software honeypots for specific Malware (e.g. Mirai) — Honeypots emulate a vulnerable device by sending appropriate strings back — Finding vulnerable devices never has been easier — Stateless scanning & Shodan, Censys, Thingful Problem: Slow, iterative process only suitable for well-understood attacks 2

  3. Honware: Virtualised honeypot framework — Virtualised, because deploying and monitoring physical devices does not scale — Aimed for Linux-based CPE and IoT devices Appli- Appli- Appli- Telnet, SSH, Web, cation cation cation SSDP etc. — We need access to the firmware image and Firmware Filesystem the firmwares filesystem SIGNAL Networking HANDLING Custom Kernel — We want to run the firmwares ‘ applications NVRAM Logging such as Telnet, SSH and Web servers QEMU — Lightweight Host OS Kernel — <64MB RAM, <128MB disk space — Fast: Honeypots can be set-up in minutes! 3

  4. SIGNAL Networking Customised pre-built kernel (1/2) HANDLING Custom Kernel Logging NVRAM We built kernels for ARM, MIPSEB and MIPSEL 1. Honeypot logging — do_execve 2. Signal interception — SIGABRT (abort) — SIGSEGV (seg fault) — SIGPFE (floating point errors) 3. Module loading — Ignoring vermagic strings (e.g. 2.6.22-xyz) 4

  5. SIGNAL Networking Customised pre-built kernel (2/2) HANDLING Custom Kernel Logging NVRAM 4. NVRAM (non-volatile memory) — Set LD_PRELOAD to the path of our own nvram implementation — Intercept nvram_get and nvram_set calls 5. Network configuration — Look for bridge configuration: br0 and ra0 — If that fails, the kernel will execute a default configuration (customisable by users!) — Necessary interfaces — Assign static IP addresses 5

  6. Step 1: Extracting firmware images Appli- Appli- Appli- cation cation cation Firmware Filesystem Binwalk — Looking for standard Linux filesystem structure (bin, usr, proc etc.) Creating an ext2 filesystem — Copying the firmwares ‘ structures and files — Typically very small (<128MB) Identifying the architecture based on ELF headers — e.g. Busybox binary — Used to select the appropriate kernel 6

  7. Step 2: Modifying filesystem & preparation Supports custom configurations — Modified do_execve to execute, if present, /sbin/boot.sh through the kernel function call_usermodehelper Appli- Appli- Appli- Telnet, SSH, Web, cation cation cation SSDP etc. NVRAM emulation Firmware Filesystem SIGNAL Networking HANDLING — Added as kernel module Custom Kernel NVRAM Logging Network configuration QEMU — Re-route incoming packets on the host ethernet Host OS Kernel interface to the QEMU tap interface and — Post-route the packets back to the host 7

  8. Evaluation — Extraction — 23,035 firmware images from Firmadyne (2016) — Network reachability — As of March 2019, 8,387 images can still be downloaded — Responding services — Firmadyne (2016) used 23,035 firmware images — Looked for self-identifying devices — As of March 2019, 8,387 images can still be — Timing attacks — Repeated measurements for three protocols: downloaded FTP , Telnet and HTTPS — Deployed multiple honeypots on the Internet — Case studies — Four case studies which show that devices can be rapidly emulated 8

  9. Eval. 1: Extraction and network reachability

  10. Evaluation 1: Responding services — Significantly more services respond on their listening ports — Telnet, HTTP , dhcp and UPnP are the most common services — Forcing network configuration is key (failed dhcp, missing nvram values etc.) 10

  11. Evaluation 2: Timing attack — Attackers can use timing differences to detect honeypots — Using Shodan, we looked for three self- identifying devices (“banner”) — We set up a total of 30 honeypots, ten for each device, on two cloud providers — We measure the time the applications take to respond to our requests — RTT is calculated and is subsequently used to adjust the timing information 11

  12. Evaluation 2: Timing attack (FTP and Telnet) ASUS RT-AC52U (FTP) Zyxel VMG1312-B10A (Telnet) Time between resource request Time to Login message (carriage return) and login message 12

  13. Evaluation 2: Timing attack (HTTPS) D-Link DIR 825 (HTTPS) D-Link DIR 825 (HTTPS) Time between ClientHello and Time to complete the TLS resource received (web page) handshake 13

  14. Evaluation 2: Timing attack conclusion — Emulation does not generally slow down applications — Low-cost cloud instances > CPE/IoT devices — Where emulation is faster, it would be possible to artificially slow responses — Internet inherently introduces jitter, network delays and artefacts — Increases time and effort to mount such attacks Attackers need to perform a significant amount of measurements to identify the discrepancies and fingerprint the honeypot 14

  15. Case Study 1 - DNS hijacking attack Whilst emulating a router from ipTIME, we observed a DNS hijacking attack GET /cgi- bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save& /sbin/iptables -t nat -A wan=wan1&ifname=eth1&sel=dynamic&wan_type=dynamic&al PREROUTING -i br0 -d low_private=on&dns_dynamic_chk=on&userid=&passwd=&mtu 192.168.0.1 -p udp --dport .pppoe.eth1=1454&lcp_flag=1&lcp_echo_interval=30&lcp_echo 53 -j DNAT --to-destination _failure=10&mtu.static.eth1=1500&fdns_dynamic1=185&fdns_ 185.117.74.100 dynamic2=117&fdns_dynamic3=74&fdns_dynamic4=100&sdns _dynamic1=185&sdns_dynamic2=117&sdns_dynamic3=74&sdn s_dynamic4=101 HTTP/1.1 >40 IPs with 118.30.28.10 the same AS41718: China Great Firewall certificate Network Limited Company 15

  16. 16

  17. Case Study 2: ThinkPhP Malware — Emulating an ADSL modem router from TP-Link — Non-validated input allows attackers to run arbitrary code — >50k devices affected — We make malware available to the defender community considerably faster than traditional honeypots 17

  18. Conclusion Framework to deploy honeypots for CPE/IoT devices — We use the real services/applications which are shipped with the device — Avoids misconfigurations, missing features/commands Better than existing emulation strategies in all areas — Extraction, network reachability, listening services Capable of detecting vulnerabilities at scale — Four cases which show that devices can be rapidly emulated — Rebalancing the economics of attackers by cutting the attackers’ ability to exploit vulnerabilities for considerable time 18

  19. Q & A Alexander Vetterl alexander.vetterl@cl.cam.ac.uk 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Capturing data and use of GPS Capturing data GIS GPS Paper maps Coordinates Satellite images

Capturing data and use of GPS Capturing data GIS GPS Paper maps Coordinates Satellite images

Capturing data and use of GPS Capturing data GIS GPS Paper maps Coordinates Satellite images What is a GPS? Global Positioning System A network of satellites that continuosly transmit informations Making possible to identify locations How

579 views • 26 slides
for Flux Reconstruction Will Trojak Scope Why Shock Capturing? Invariance Preserving

for Flux Reconstruction Will Trojak Scope Why Shock Capturing? Invariance Preserving

Shock Capturing Methods for Flux Reconstruction Will Trojak Scope Why Shock Capturing? Invariance Preserving Methodology Preliminary Results Summary and Future Developments Why Shock Capturing? More Physics Currently

774 views • 17 slides
Capturing Realistic HDR Images Topics : Post-Processing. Sample Workflow. Q &amp;

Capturing Realistic HDR Images Topics : Post-Processing. Sample Workflow. Q &amp;

Capturing Realistic HDR Images (Part II) Dave Curtin Nassau County Camera Club April 4 th , 2016 Capturing Realistic HDR Images Topics : Post-Processing. Sample Workflow. Q &amp; A. Capturing Realistic HDR Images

298 views • 28 slides
Eye-tracking for capturing human visual attention Eye-tracking for capturing human visual

Eye-tracking for capturing human visual attention Eye-tracking for capturing human visual

BubbleView : an interface for crowdsourcing image importance maps and tracking visual attention Nam Wook Zoya Michelle Krzysztof Aude Fredo Hanspeter Kim* Bylinskii* Borkin Gajos Oliva Durand Pfister Eye-tracking for capturing human

830 views • 69 slides
#100DAYSOFQS: MAKING DATA ART FOR 100 DAYS 100 days is a lot of days HI, IM LILLIAN! Ive

#100DAYSOFQS: MAKING DATA ART FOR 100 DAYS 100 days is a lot of days HI, IM LILLIAN! Ive

#100DAYSOFQS: MAKING DATA ART FOR 100 DAYS 100 days is a lot of days HI, IM LILLIAN! Ive been tracking data about myself for 11 years. Find what I use at anomalily.net/life-stack#qs (almost) Each year* I compile an annual report

484 views • 29 slides
No disclosures Scholarship Presentation 2 days Radiation Oncology 2 days Wellness Beyond Cancer

No disclosures Scholarship Presentation 2 days Radiation Oncology 2 days Wellness Beyond Cancer

No disclosures Scholarship Presentation 2 days Radiation Oncology 2 days Wellness Beyond Cancer Care Program 1 day PICC line and Port-a-cath 4 days Lymphedema clinic , Montreal 3 days MAID program assessment 2 days Marijuana clinic 2 days

1.07k views • 39 slides
Capturing Kids Hearts To capture a kids mind, you first have to capture their hearts. Why

Capturing Kids Hearts To capture a kids mind, you first have to capture their hearts. Why

Capturing Kids Hearts To capture a kids mind, you first have to capture their hearts. Why Capturing Kids Hearts? What makes CKH different? Process not a program Goals: High performing team - staff and students Group

348 views • 17 slides
What are the right abstractions for capturing programming and intent Discussion section Thursday

What are the right abstractions for capturing programming and intent Discussion section Thursday

What are the right abstractions for capturing programming and intent Discussion section Thursday Feb 12, 11:25-12:15 Capturing Intent Aaron Gember: Infer intent. Can you simply look at configurations or dataplane to extract intent. What

310 views • 8 slides
Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Politecnico di Torino Seminario su Traffic Classification - 10/2009 Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information Truth Information Niccolo' Cascarano, Politecnico di Torino Joint work with

479 views • 16 slides
CAPTURING HOLINESS: PHOTOGRAPHY AND TORAH TEXT Photography of Stewart Cherlin Temple Sholom of

CAPTURING HOLINESS: PHOTOGRAPHY AND TORAH TEXT Photography of Stewart Cherlin Temple Sholom of

CAPTURING HOLINESS: PHOTOGRAPHY AND TORAH TEXT Photography of Stewart Cherlin Temple Sholom of Chicago Mendelson Gallery Exhibit October 29-December 17, 2010 Capturing Holiness is dedicated to my wife and life partner, Marilyn. Thank you

684 views • 31 slides
DAYS OF REMEMBRANCE May 1-8, 2016 DAYS OF REMEMBRANCE Each year, the United States Holocaust

DAYS OF REMEMBRANCE May 1-8, 2016 DAYS OF REMEMBRANCE Each year, the United States Holocaust

DAYS OF REMEMBRANCE May 1-8, 2016 DAYS OF REMEMBRANCE Each year, the United States Holocaust Memorial Museum leads the nation in commemorating Days of Remembrance. 2 DAYS OF REMEMBRANCE Days of Remembrance was established by the U.S.

816 views • 33 slides
ALAMEDA HEALTH SYSTEM HB STABILIZATION HB KEY METRICS Metric Status As of 2/28 As of 2/21

ALAMEDA HEALTH SYSTEM HB STABILIZATION HB KEY METRICS Metric Status As of 2/28 As of 2/21

ALAMEDA HEALTH SYSTEM HB STABILIZATION HB KEY METRICS Metric Status As of 2/28 As of 2/21 13wk Bottom Median Top 75.1 Days $667.8M 76.2 Days $667.8M 76.1 Days 72.4 Days 65.8 Days Epic AR Days s Charging Variance r 101.7% $22.3M

469 views • 16 slides
MYANMAR DOING BUSINESS 2020 REFORMS Registering Property No. Procedure Days Comments Days

MYANMAR DOING BUSINESS 2020 REFORMS Registering Property No. Procedure Days Comments Days

MYANMAR DOING BUSINESS 2020 REFORMS Registering Property No. Procedure Days Comments Days Required Required (DB2019) (Present) 1 Request and obtain a land 31 Time reduced from 31 days 19 clearance certificate and map to 19 days at

530 views • 23 slides
Planning &amp; Development SPC June 2020 Capturing Public Value from Development Lands John

Planning &amp; Development SPC June 2020 Capturing Public Value from Development Lands John

Planning &amp; Development SPC June 2020 Capturing Public Value from Development Lands John OHara City Planning Officer Capturing Public Value from Development Lands : Underlying Principles/Assumptions: Urban Living is future, but

506 views • 12 slides
Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer North Dakota State University Standard disclaimer What I say is my own opinion and not that of my

196 views • 18 slides
Segmen&amp;ng a Market Segment: New Ideas for Capturing

Segmen&amp;ng a Market Segment: New Ideas for Capturing

Segmen&amp;ng a Market Segment: New Ideas for Capturing Mul&amp;-Family Energy Savings Linda Dethman and Eric Rambo BECC Conference, November 13,

472 views • 21 slides
Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon Park, Wen Xu, Insu Yun, Daehee

Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon Park, Wen Xu, Insu Yun, Daehee

Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon Park, Wen Xu, Insu Yun, Daehee Jang, Taesoo Kim Everyone uses web browser (+ JS engine) 4,000,000,000 2 New Tab https://gts3.org/ Bank Private Password account data

461 views • 43 slides
strt r

strt r

r t Prs r strt r rtr Prtr

543 views • 41 slides
Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin

Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin

Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin Ireland. 1. How should they behave? 2. How do they behave ? 3. What is the explanation ? 5 models Comments and corrections please: jcoey@tcd.ie

561 views • 33 slides
ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic

ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic

The unication type ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic http://logica.dmi.unisa.it/lucaspada University of Salerno Department of Mathematics Luca Spada Based on a joint work with V. Marra The

1.24k views • 110 slides
John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the

John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the

John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the neurology outpatient practice in December 2017 with bilateral (R &gt; L) leg pain, weakness, numbness since April 2017. His LBP was worse with sitting and

291 views • 12 slides
1 The spinal cord is protected by Vertebra viewed from above the vertebral column Vertebral

1 The spinal cord is protected by Vertebra viewed from above the vertebral column Vertebral

Outline of the Lecture Segmental nature of the vertebrate body The spinal cord is segmented Spinal Cord The spinal cord is protected by the vertebral column Spinal cord segments are named for their associated vertebrae P.A.

322 views • 6 slides
Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA

Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA

Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA KLINGE www.revolutionhealth.com Spina Bifida and Neural Tube Defects Epidemiology One of the most common birth defects: 1-2 cases/1,000

585 views • 56 slides
Management of children with spina bifida and hydrocephalus P E TR A K LI N GE A S S O CI A TE

Management of children with spina bifida and hydrocephalus P E TR A K LI N GE A S S O CI A TE

Management of children with spina bifida and hydrocephalus P E TR A K LI N GE A S S O CI A TE P R O F E S S O R O F N E U R O S U R GE R Y W A R R E N A LP E R T M E D I CA L S CH O O L B R O W N U N I V E R S I TY Management of children

827 views • 44 slides

More recommend