NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

Towards Hybrid Honeynets via Virtual Machine Introspection and CloningTamas K Lengyel

University of Connecticut

The role of the honeypot

The limitationsLow-interaction honeypots:

● "Artificial" attack surface● Limited information about the attacks● Easily identified

High-interaction honeypots:● Complexity● Maintenance● High risk

Hybrid honeypot

Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification

Primarily use the Low interaction honeypot and utilize a High interaction honeypot when something "interesting" is happening.

How do you define "interesting"?

Hybrid honeynet

VMI-Honeymon http://vmi-honeymon.sf.net

● Fidelity via Virtual Machine Introspection

○ LibVMI

○ Volatility

○ LibGuestFS

● Scalability via Virtual Machine Cloning

○ QEMU copy-on-write disk

○ Xen copy-on-write RAM

Issues: clone routingClones share IP and MAC address!

○ Post-cloning in-guest network reconfiguration should be avoided

○ Separate bridge/VLAN required for each clone to avoid collision

○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones

Network overview

Clone initiated routing

Memsharing results6207 attack sessions on clone HIHs in two weeks (single IP address)

Windows XP SP3 x86 (128MB RAM) Windows 7 SP1 x86 (1GB RAM)

Memsharing resultsProjected memory savings via CoW RAM

Windows XP SP3 x86 Windows 7 SP1 x86

Future work● Clone routing using Open vSwitch &

OpenFlow

● Auto-balloon number of HIHs

● Mix Linux and Windows HIHs with additional

software packages installed

● Test large-scale deployment (/24)

● Zazen IDS!

Thank you!Questions?