NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer
On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap
Introduction
Pieter Jansen - CEO @ Cybersprint - https://cybersprint.com - Team of 25 enthusiasts - Since 2015 - 100% Dutch - Digital Risk Protection services
Jurriaan Bremer - CEO, Hatching - https://hatching.io/ - Lead Developer, Cuckoo Sandbox - https://cuckoosandbox.org/ - 6+ years development on Cuckoo - Growing R&D team
Balancing Security and Mobility SBIR This SBIR project is co-funded by the Internal Security Fund of the European Union
SBIR - EU co-funded Project - SBIR stage 1 (feasibility) You are here - SBIR stage 2 (realisation) - SBIR stage 3 (valorisation) - https://www.rvo.nl/subsidies-regelingen/sbir
Cuckoo Sandbox
Cuckoo Sandbox - Leading open source automated malware analysis project - https://cuckoosandbox.org/ - Widely used throughout the security community - Hatching is the driving force behind the majority of Cuckoo innovations - Cuckoo forms basis of the IoT Honeypot project
Project
Project [1/2] - Goal: develop a firmware-based, open source Internet of Things (IoT) honeypot framework - Consumer network devices, e.g., those used by NCSC.NL personnel at home - IP camera’s, smart devices, etc - Reason: Mirai, Haijime, etc..
Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers
Project overview - replication vs emulation
Replication-approach 1. Connect to an IoT device 2. Store the conversation (example: HTML files) 3. Spin up a service on the same port/protocol 4. Playback the earlier captured conversation
Replication-approach - conclusions Easy to set up fake environments Did not go past login screen Was not convincing enough for attackers Would only capture attempts, not infections
Project [2/2] - Replication alternative did not work - Goal: create open source IoT Honeypotting framework - Goal: detect large-scale IoT compromise campaigns - Goal: detect new threats, generate new IoCs - Default credentials, exploits, etc - Scales: run dozens of IoT devices using a single server - Without requiring the original hardware - Relatively low cost & maintenance effort
Existing projects - pyREbox, PANDA, DECAF, ISP RAS. - x86-only (pyREbox) and x86/ARM (PANDA, different use-case) - IoT firmware often ARM/MIPS/etc
High-level project overview - Emulate IoT firmware using QEMU - Expose listening network services - Either to internal networks or public IPv4 / IPv6 addresses - Instrument behavioral aspects of running firmware - … - Wait for device to be compromised!
Goal of the project? - Once a device is compromised, investigate :-) - Got system call traces and PCAPs - Reconstruct traffic to isolate exploit and/or payload - Alternative use-case: honey tokens - Intentionally vulnerable devices with interesting names (eg FREDERIKSKAZERNE CAM51 ) - Notifies owners if attackers abuse it
Architecture
IoT Honeypot Architecture
QEMU Loading of firmware non-trivial: - In practice most firmware is non-x86: ARM & MIPS - Needs specific QEMU command-line parameters etc Instrumentation of QEMU interesting: - Not so much existing research on non-x86 QEMU VMI - Virtual Machine Introspection - Instrumentation required to learn what device is doing - E.g., logging system calls such as execve(2)
Gathering results - We obtain network traffic from the outside - We obtain system calls from the device - Realtime data processing - Results stored for later research - Alerts emitted to custom Dashboard - Known vulnerability was used - ...
QEMU Command-line usage MIPS image /home/jbr/git/quailbox-qemu/build/mips-softmmu/ qemu-system-mips -kernel /home/jbr/.quailbox/kernels/ vmlinux-3.18.120-4kc-malta-cuckoo -nographic -netdev tap,id= net0 ,ifname= tap_qemu ,script=no,downscript=no -M malta -m 512 -hda /home/jbr/.quailbox/images/ ext2fs-for-netgear-wnap210.image -device e1000,netdev=net0 -display none -append console=ttyS0 rw root=/dev/sda init=/sbin/init
QEMU Tiny Code Generator (“TCG”) - Efficient engine for translating ARM/MIPS/etc into an IL - Intermediate Language - IL translated into the native Host code, e.g., x86 - Needs customization to add our VMI - Syscall capturing for ARM+MIPS - Linux Kernel modifications & tracing WIP - Memory tracking & dumping logic - Additional changes required for new bug classes - Instrumentation for specific applications etc
Realtime tcpdump processing - Log & process HTTP(s) requests from the outside - Present network traffic to ruling engines - Suricata / Snort - Cuckoo / Proprietary Signatures
Offline Demo
X X
Roadmap
Roadmap - Create web interface for managing virtual IoT environments - “Load” support for many more firmware images - Tailored QEMU VMI support for: - Different CPU architectures - Different known versions of Linux kernel for allowing in-depth VMI - E.g., through Volatility / Rekall integration - Documentation of more relevant bug classes - Capability for identifying said bug classes - Protection against QEMU breakouts.. - Interaction through simulation of peripherals like camera/files/sensors - OT/SCADA/ICS applications (virtual Borssele) - So much more.. ;-)
Valorization
Valorization: Commercial Applications - Fuzzing as a Service - Provide security testing services for hardware providers, allowing large scale/automated testing for any firmware - Commercial / open source bespoke additions for specific use-cases - OT-applications, applications for non-standard firmware - Hosting of virtual IoT Environments - Creating virtual 'digital twin' of sensitive IoT environments for research purposes - Collect threat intelligence to support adversary attribution research
How you can help 1. Share your firmware 2. Provide testing grounds 3. Spread the word!
Credits The HoneyNED project team Andrei Costin (ancostin@jyu.fi) Assistant Professor in Cybersecurity/IoT - welcomes research and collaboration opportunities
Questions? Want to know more? Get in touch! pj@cybersprint.com | jbr@hatching.io
Recommend
More recommend
