p andacap
play

P ANDAcap A Framework for Streamlining Collection of Full-System - PowerPoint PPT Presentation

Nov 28, 2023 •797 likes •1.17k views

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis , Herbert Bos, and Paul Groth April 27, 2020 EuroSec 2020 PANDAcap 1 In this Talk Motivation for this work Overview of

  1. P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis , Herbert Bos, and Paul Groth † † April 27, 2020 EuroSec 2020 – PANDAcap 1

  2. In this Talk ■ Motivation for this work ■ Overview of PANDAcap ■ Case study: SSH honeypot and dataset ■ Conclusion April 27, 2020 EuroSec 2020 – PANDAcap 2

  3. Motivation April 27, 2020 EuroSec 2020 – PANDAcap 3

  4. Full-system trace recording ■ Log all i instructions executed ■ Time consuming to setup. data used. and all d ■ Very few full-system recording ■ Access to full system state – datasets available. deep analysis. ■ Decouples analysis from timing constraints. ■ Analysis flexibility. We aspire to lower the barrier for creating full-system recording datasets. April 27, 2020 EuroSec 2020 – PANDAcap 4

  5. P ANDA ■ Full System Record + Replay ■ Based on QEMU ■ Self-contained execution traces ■ Analyses implemented as plugins Initial RAM Snapshot Input CPU RAM Non- RAM determinism Interrupt log DMA PANDA PANDA Execution Trace April 27, 2020 EuroSec 2020 – PANDAcap 5

  6. (My) typical P ANDA workflow Prepare for recording Recording start VM start VM ssh ssh start recording from QEMU monitor make modifications interact shutdown stop recording from QEMU monitor backup VM backup traces / VM April 27, 2020 EuroSec 2020 – PANDAcap 6

  7. Let’s create a P ANDA dataset ■ The regular PANDA workflow won’t cut it. – a lot of manual steps – error prone (due to the human factor) ■ We need to automate things! April 27, 2020 EuroSec 2020 – PANDAcap 7

  8. Workflow Automation Bottlenecks ■ How can I start recording non-interactively? – Learn to work with QEMU Monitor Protocol. ■ How can I start/stop recording at the right moment? – No elegant solution. Bummer! ■ How do I move data in/out of the PANDA VM? – Deploy ssh keys + sftp? ■ How do I replicate the same experiment with different inputs x100? – DIY scripting. ■ How can I fully utilize my 12 core CPU? – …and more DIY scripting. April 27, 2020 EuroSec 2020 – PANDAcap 8

  9. Now let’s put everything together ■ Complicated! ■ What was it again that I was doing? ■ What do you mean I have to start over because I missed X? April 27, 2020 EuroSec 2020 – PANDAcap 9

  10. MalRec (DIMV A 2018) ■ Similar goal with us: create PANDA trace datasets ■ Similar approach: off-the-shelf tools ■ Purpose-built – not designed to be reusable. “This is not intended to work for anyone else out of the box, just to provide a starting point. You will undoubtedly have to make heavy local modifications.” ■ Last update in 2015 – tooling hasn’t been modernized since. April 27, 2020 EuroSec 2020 – PANDAcap 10

  11. Fast forward to 2020 ■ Containers are mainstream. – networking virtualization – storage virtualization – ease of deployment ■ Some containers available for PANDA – geared towards testing builds ■ Runtime customization of PANDA VMs still a DIY affair. We can improve on this. April 27, 2020 EuroSec 2020 – PANDAcap 11

  12. P ANDAcap Overview April 27, 2020 EuroSec 2020 – PANDAcap 12

  13. Enter P ANDAcap ■ Accurate start/stop of recording. ■ Supports Docker – lean image. ■ Streamlined VM bootstrapping. – rc.d-like initialization process – Jinja2 templating support ■ Command line wrapper providing access to most commonly used features of Docker/PANDA. April 27, 2020 EuroSec 2020 – PANDAcap 13

  14. The recctrl plugin ■ Accurate start/stop of recording. ■ Building block: PANDA_CB_GUEST_HYPERCALL. ■ Support for sessions (semaphore-like). ■ Support to specify the PANDA recording name from the guest. ■ A timeout can be specified for limiting the length of the recording. ■ Batteries included: recctrlu guest utility April 27, 2020 EuroSec 2020 – PANDAcap 14

  15. Lean Docker Image ■ Contains only runtime dependencies. Docker Makefile.vars bootstrap scripts PANDA source templates ■ Bootstrapping mechanism for Docker runtime environment. gcc / make Jinja2 ■ Shared configuration with VM runtime bootstrapping. panda.tar Dockerfile bootstrap.tar ■ Mountpoints affecting a run: – Docker runtime bootstrap directory baseimage-docker docker build PANDA runtime dependencies – QCOW image for PANDA – Recording output directory PANDAcap Docker Image – X11 server path April 27, 2020 EuroSec 2020 – PANDAcap 15

  16. Runtime bootstrapping – layout bootstrapping scripts files used by the scripts environment template / Makefile Makefile targets April 27, 2020 EuroSec 2020 – PANDAcap 16

  17. Runtime bootstrapping – output VM runtime bootstrapping Docker runtime bootstrapping April 27, 2020 EuroSec 2020 – PANDAcap 17

  18. pandacap.py wrapper April 27, 2020 EuroSec 2020 – PANDAcap 18

  19. Most common P ANDA/Docker options PANDA Docker ■ Disk configuration. ■ Mount configuration. ■ Network configuration and port ■ Network configuration and port forwarding. forwarding. ■ Creation of delta image. * ■ Creation of bootstrap disk. * ■ Memory/Arch configuration. ■ Display configuration. * Involves additional tools. April 27, 2020 EuroSec 2020 – PANDAcap 19

  20. pandacap.py wrapper April 27, 2020 EuroSec 2020 – PANDAcap 20

  21. pandacap.py wrapper ■ All common options in one place. ■ Takes care of: – Creation of bootstrap disk for the VM. – Initialization of a new delta image for the VM. – Proper escaping of commands. ■ Output files/images are labeled so concurrent runs can be told apart. ■ Does not mandate the use of Docker. – Can be used as a simple wrapper around PANDA. April 27, 2020 EuroSec 2020 – PANDAcap 21

  22. P ANDAcap source code github.com/vusec/pandacap April 27, 2020 EuroSec 2020 – PANDAcap 22

  23. Case Study: SSH Honeypot and dataset April 27, 2020 EuroSec 2020 – PANDAcap 23

  24. P ANDAcap Case Study: ssh honeypot ■ Brute-force ssh attacks are still popular. ■ In their 2016 survey of existing honeypot software, Nawrocki et al. mention no honeypot based on full system Record and Replay. https://arxiv.org/abs/1608.06249 ■ Full system Record and Replay offers significant advantages: – Flexibility of analysis. – Captures all transient effects on the system. ■ Common misconception: Analyzing an ssh intrusion is trivial. April 27, 2020 EuroSec 2020 – PANDAcap 24

  25. In a Slack channel somewhere… April 27, 2020 EuroSec 2020 – PANDAcap 25

  26. In a Slack channel somewhere… April 27, 2020 EuroSec 2020 – PANDAcap 26

  27. In a Slack channel somewhere… April 27, 2020 EuroSec 2020 – PANDAcap 27

  28. Aftermath ■ No point of entry was determined. ■ Unsure how privilege escalation was achieved. ■ Partial recovery of the hacker’s tools. ■ Partial log of communications. ■ Failed to cleanup the machine properly. ■ Po Post-mortem a analysis i is h hard, e even f for e experts. ■ PANDA system-tracing can provide answers! April 27, 2020 EuroSec 2020 – PANDAcap 28

  29. Honeypot analysis with P ANDA ■ Privilege escalation → exact trace of system calls that led e.g. to a privileged execve ■ Hacker tools → ability to fully reconstruct them from the non- determinism log, even if they have been “shredded” ■ Communication logs → pcap files + access to unencrypted network stack buffers ■ Cleaning up the system → produce a detailed provenance log for all the files that were modified, identify potentially malicious modifications April 27, 2020 EuroSec 2020 – PANDAcap 29

  30. P ANDAcap honeypot dataset ■ Ran the experiment for ~3 days on a single IP address. Table 1: Collected samples per ssh port. No attempts to gain access to the VM listening on port 2200 were made. ■ Traces limited to 30’. port samples nondet nondet-gz disk-delta ■ Out of 3 ports used, only 2 were 22 50 9.61 GiB 2.75 GiB 11.49 GiB 2222 13 0.99 GiB 0.28 GiB 3.00 GiB visited. ■ Collected 63 traces in total. ■ Compressed size (including disk deltas) ~23Gb. Figure 2: Trace size and instruction count distributions. April 27, 2020 EuroSec 2020 – PANDAcap 30

  31. P ANDAcap honeypot dataset ■ Quick qualitative analysis revealed a variance of behaviours. ■ Different roles: SSH scanning vs. HTTP/S communication – ■ Different “return” patterns: Figure 3: Top target ports for outgoing connections. In one trace, there were no outgoing connections. 2 logins was the most common case – 68 logins was the most common – only 2 instances of full log wiping – Figure 4: Succesful logins attempts in auth.log. April 27, 2020 EuroSec 2020 – PANDAcap 31

  32. P ANDAcap honeypot dataset availability zenodo.org (CERN) academictorrents.com April 27, 2020 EuroSec 2020 – PANDAcap 32

  33. Conclusion April 27, 2020 EuroSec 2020 – PANDAcap 33

  34. Conclusion ■ PANDAcap: – easier creation of PANDA trace datasets – Docker support – streamlined bootstrapping – Apache 2.0 license ■ PANDAcap SSH honeypot dataset: – 63 samples – CC 4.0 license April 27, 2020 EuroSec 2020 – PANDAcap 34

  35. More Information Code & dataset Twitter #PANDAcap #eurosec2020 @vusec @inde_lab_ams github.com/vusec/pandacap April 27, 2020 EuroSec 2020 – PANDAcap 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020 Lab assignment MUD descriptions: youll need to generate them yourselves, tools are available IoT

926 views • 38 slides
Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey Bratus, Cory Cornelius, Daniel Peebles Dartmouth College Shmoocon 2008 This talk in 5 minutes (1) How it started? TC7, Johnny Cache:

426 views • 23 slides
Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t ) = 0.22 ppm s 0 39.0

699 views • 38 slides
Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing your mind Sebastien Tricaud, Alexandre Dulaunoy March 10, 2012 Disclaimer Passive DNS is a technique to collect only valid answers from

772 views • 38 slides
Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

378 views • 16 slides
Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis University of Western Macedonia pradoglou@uowm.gr Nets Netsoft 2020 2020 Under SPEAR Project A u t h o r s UOWM TECNALIA TE SID SIDROCO CERTH

550 views • 20 slides
Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon 12 Ramin Sadre 1 SIGCOMM-WTMC, 20th August 2018 1 Institute of Information and Communication Technologies, Electronics and Applied Mathematics

561 views • 17 slides
Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial for synchronized data-structures - Up to 32 cores in PA4 LL/SC Syntax LL a, off(b): loads M[b + off] into register a SC c, off(d):

289 views • 18 slides
Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities psychological operations (psyop) cyber war/net war In wartime the term is Command, Control, Communications, Intelligence, Sensors Warfare(C3ISW)

287 views • 13 slides
FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB courses intro DB course graduate FDM course FDM book educate & attract FDM in non-DB course TCS: from reg exps to RPQs DBs

452 views • 9 slides
DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

1.11k views • 78 slides
Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr LIP6 (CNRS - UPMC) Complex Networks team http://complexnetworks.fr The team http://complexnetworks.fr : plots & videos 4 permanent

899 views • 44 slides
Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to Cybersecurity Empirical studies are needed to add science to cybersecurity Challenges: Security metrics are lacking Security data are not

661 views • 37 slides
Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge University Computer Laboratory Networks & Operating Systems SRG, Computer Laboratory Outline Part I Part II We are all data subjects,

1.25k views • 46 slides
1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

Translucent Objects Translucent Objects Realistic Materials Realistic Materials Translucent Materials light is scattered through the object incident illumination smoothed due to diffuse scattering inside media Inhomogeneous

524 views • 5 slides
Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy, I sure wish there was an easier way to pick up women, like published API with code samples?' What would you say if such documentation was not only

623 views • 24 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides
Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Village Life Tedder Avenue Tedder Avenue Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU Village Life TEDDER VILLAGE ON THE AVENUE WWW.TEDDERAVENUE.COM.AU ZONES 5 HOW IT WORKS 7 UNDER THE HOOD

321 views • 20 slides
Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC meeting Nijmegen, Netherlands, 2017 Honeypots Honeypots Emulation of a network resource Built to be discovered, attacked and compromised

497 views • 18 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

584 views • 42 slides
Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES Suzanne Aldrich Martijn Gonlag Senior Customer Success Engineer - Pantheon Technical Support Engineer - CloudFlare AGENDA Surveying Robots

247 views • 13 slides
E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

Motivation How E-mail works Conventional Wisdom Previous Work Implementation Results Conclusion E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to track harvesting behavior Robert Marmorstein

447 views • 17 slides
Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche 1 , E. Alata 1 , V.Nicomette 1 , Y. Deswarte 1 , M. Dacier 2 LAAS-CNRS 1 , Eurecom 2 Mohamed.Kaaniche@laas.fr ACI Scurit &

409 views • 17 slides

More recommend