Abstract
We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.
| Original language | English (US) |
|---|---|
| Pages (from-to) | 32-50 |
| Number of pages | 19 |
| Journal | Lecture Notes in Computer Science |
| Volume | 3548 |
| Issue number | Detection of Intrusions and Malware, and Vulnerability Assess... |
| DOIs | |
| State | Published - 2005 |
| Externally published | Yes |
| Event | 2nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2005 - Vienna, Austria Duration: Jul 7 2005 → Jul 8 2005 |
ASJC Scopus subject areas
- Theoretical Computer Science
- General Computer Science