Honware: a Virtual Honeypot Framework for Capturing CPE and Iot Zero Days

Honware: a Virtual Honeypot Framework for Capturing CPE and Iot Zero Days

Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days Alexander Vetterl Richard Clayton Computer Laboratory, University of Cambridge Computer Laboratory, University of Cambridge Cambridge, UK Cambridge, UK [email protected] [email protected] Abstract—Existing solutions are ineffective in detecting zero large botnet to recruit a wide variety of IoT devices, used an day exploits targeting Customer Premise Equipment (CPE) and automated pseudo-random scanning process to find and infect Internet of Things (IoT) devices. We present honware, a high- new devices. As the Mirai source code has been leaked and interaction honeypot framework which can emulate a wide range of devices without any access to the manufacturers’ hardware. is well-understood, it is straightforward to build a honeypot Honware automatically processes a standard firmware image (as that emulates a vulnerable device by sending appropriate is commonly provided for updates), customises the filesystem strings back to scanners. But, without source code, or reverse and runs the system with a special pre-built Linux kernel. It engineering the malware binaries, this type of honeypot is then logs attacker traffic and records which of their actions hard to construct. It is a significant challenge to monitor large led to a compromise. We provide an extensive evaluation and show that our framework improves upon existing emulation numbers of attackers who are going after a wide range of strategies which are limited in their scalability, and that it devices using different attack techniques, some of which may is significantly better both in providing network functionality be previously unknown ‘zero days’. and in emulating the devices’ firmware applications – a crucial Meanwhile, it has become feasible to scan the whole IPv4 aspect as vulnerabilities are frequently exploited by attackers address space for vulnerable devices with modest investment. in ‘front-end’ functionalities such as web interfaces. Honware’s design precludes most honeypot fingerprinting attacks, and as its Tools such as Shodan or ZMap [9] give attackers a crucial ad- performance is comparable to that of real devices, fingerprinting vantage. Once an exploit is found for one technology, device, with timing attacks can be made far from trivial. We provide four or specific implementation, attackers can easily find devices case studies in which we demonstrate that honware is capable of with that vulnerability embedded – and instantly benefit from rapid deployment to capture the exact details of attacks along that exploit. In 2003 Spitzner argued that honeypots “get little with malware samples. In particular we identified a previously unknown attack in which the default DNS for an ipTIME N604R traffic” and “collect small amounts of high-value data” [10]. wireless router was changed. We believe that honware is a major However, this observation was from a time when attacks contribution towards re-balancing the economics of attackers and were generally performed by humans, whereas since the rise defenders by reducing the period in which attackers can exploit of botnets almost all activities that honeypots observe are zero days at Internet scale. performed by automated scripts. I. INTRODUCTION Previous research includes Firmadyne [11], an analysis sys- tem that runs embedded firmware and subsequently provides The Internet is transforming from an Internet of computers dynamic analysis capabilities, and IoTPOT [12], one of the to a global network connecting everyday devices (‘things’). first generic high-interaction honeypot tailored to impersonate The emphasis on automation and the nature of the devices IoT devices. IoTPOT supports eight architectures including themselves together mean that vulnerabilities and exploits not ARM, MIPS and X86 and aims to return appropriate strings to affecting device functionality are likely to remain unnoticed connections on port 23 (Telnet). If the command is unknown, by their owners. Recent Distributed Denial of Service (DDoS) it tries to run it within a generic sandboxed environment to attacks which used inadequately secured Customer Premise infer the appropriate return string(s). In 2017, Guarnizo et al. Equipment (CPE) and Internet of Things (IoT) devices [1], [13] presented a “scalable high-interaction” honeypot platform [2], [3] further highlight that existing defenses are slow to called SIPHON which is based on physical devices. They detect zero day exploits and capture attack traffic. This means exposed six security cameras, one networked video recorder that attackers have considerable periods of time to find and and one networked printer through a distributed architecture compromise vulnerable devices before the attack vectors are on a range of IPv4 addresses. well understood and subsequent mitigation is in place [4]. All these approaches have critical shortcomings: Firmadyne Honeypots, resources that appear to be legitimate systems, is built for dynamic analysis, but not to monitor a large number have long proven effective in capturing malware, helping of attackers and thus not to be connected to the Internet. to counter spam and providing early warning signals about IoTPOT does not use firmware images of real devices and upcoming threats [5], [6], [7], [8]. The Mirai botnet, the first thus it is a generic representation of a vulnerable platform 978-1-7281-6383-3/19/$31.00 c 2019 IEEE which will fail to detect new attack patterns; SIPHON needs physical devices connected to the Internet to capture attack functionality. Firmware for CPEs is almost invariably available traffic – an expensive endeavour limited in its scalability. for download and Netgear [14], Link-TP [15] and Linksys [16] We present honware, the first flexible and generic frame- provide online GUI emulators for various types of modems and work to efficiently and effectively deploy honeypots for net- routers. An increasing number of manufacturers also publish worked devices on the Internet to log attacker traffic and their the source code of their firmware as GPL-Code, in particular actions. Instead of buying CPE or IoT devices and running to support ongoing projects such as OpenWrt [17]. them as honeypots, honware utilises device firmware images In the arms race with the criminals, honeypot ‘fingerprint- (which are widely available for download) and a special pre- ing’ is an ongoing concern. Morishita et al. [18] showed built Linux kernel to emulate device behaviour within a virtual that many honeypots do not blend into the type of service environment. In particular, it is easy to deploy all the available they emulate and reveal themselves based on their unique firmware versions for a particular device so as to understand configuration. Vetterl and Clayton [19] developed an auto- which are vulnerable to a particular attack. mated technique to fingerprint honeypots based on packet Overall, we make four main contributions: level protocol interactions, identifying honeypots with trivial • We present new techniques (and improve upon existing probes. Sophisticated attackers who use fingerprinting to avoid work) to allow honware to run standard firmware images interacting with honeypots could avoid detection for long without needing custom hardware. periods, but honware sidesteps all these issues by running • We show that honware is superior to existing emulation exactly the same applications and protocol stack as a real strategies, making significant improvements in scalability, device. in the provision of network functionality, and in emulat- It was shown by Garfinkel et al. [20] that virtualisation ing firmware applications. induces anomalies such as timing discrepancies and that these • We perform extensive measurements to show that the anomalies can be used to detect virtualised environments. performance of honware is comparable to real devices and Kedrowitsch et al. [21] compared the deception capabilities that honware is not susceptible to trivial fingerprinting of Linux containers with different virtualisation environments based on timing attacks. such as QEMU, Kernel-based Virtual Machine (KVM) and • We present four examples to show the success of honware VMWare, and found that QEMU can be best fingerprinted by in identifying real-world attacks which had been hard to its slow performance. Similarly, Holz and Raynal [22] showed capture with the traditional approach of low-/medium- that the execution time of commands provides an efficient /high- interaction honeypots. way to detect honeypots because emulation will typically result in longer execution and response time. In the same II. BACKGROUND vein, Mukkamala et al. [23] found that honeypots running Honeypots are classified by the type of system they emulate, in virtualised environments typically respond slower than real such as SSH, web or email servers. They are further classified services. However, they also demonstrated that for Internet- as low interaction (in the context of SSH merely collecting connected honeypots this metric may not be useful because it credential guesses), medium interaction (emulating a limited depends on network load, routing and emulation technology. number of shell commands) or high interaction (allowing attackers full control of a machine). Low- and medium- III. VIRTUAL HONEYPOT FRAMEWORK interaction honeypots are easy to deploy and maintain but Honware uses the firmware images provided by CPE and typically only implement a small subset of system features. In IoT manufacturers, employing Quick Emulator (QEMU) to contrast,

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us