Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm

1
Scalability, Fidelity and Containment in the
Potemkin Virtual Honeyfarm
  • Authors
  • Michael Vrable, Justin Ma, Jay Chen, David Moore,
    Erik Vandekieft, Alex C. Snoeren, Geoffrey M.
    Voelker and Stefan Savage
  • University of California, San Diego

Proceedings of the ACM Symposium on Operating System Principles (SOSP), Brighton, UK, October 2005
Presented By Dan DeBlasio for CAP 6133, Spring 2008
2
Outline
  • Architectural Overview
  • Implementation
  • Results
  • Commentary/Conclusion

3
Overview
  • when a packet comes in, it is routed to an existing
    VM; otherwise a new VM is made with that address
  • makes a copy of a template system to carry out
    the interaction
  • only keeps track of differences from template
  • contains infection data to keep it from infecting
    others

4
Honeyfarm Architecture
Packet Comes In
5
Honeyfarm Architecture
6
Containment
  • until now, only low-interaction honeyfarms have been seen
  • how to keep the honeyfarm from becoming a worm
    incubator
  • relies on gateway router to scrub the outgoing
    traffic
  • emulates destination addresses if needed on
    internal network

7
Gateway Router
  • incoming packets to inactive IP are sent to a
    non-overloaded physical server so it can be
    emulated
  • choice is random, or calculated
  • packets directed to an active IP pass to the
    machine where a VM has been created
  • filters out known attacks so they don't
    over-emulate the same worm

8
Gateway Router
  • must prevent a worm or outbreak from starving
    honeyfarm of resources due to reflection
  • decides when a VM should be reclaimed due to
    inactivity and not being successfully compromised
  • also decides when a compromised machine should be
    reclaimed to reallocate resources
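
The dispatch, reclaim and reflection rules from the Containment and Gateway Router slides, as an added sketch that is not taken from the slides or from the Potemkin code. The class name, the idle timeout, the addresses and the rule that any outbound packet marks a VM as compromised are assumptions made for illustration.

```python
import random


class Gateway:
    """Toy model of the honeyfarm gateway (hypothetical names throughout)."""

    def __init__(self, servers, vms_per_server, idle_timeout):
        self.capacity = vms_per_server
        self.idle_timeout = idle_timeout
        self.load = {s: 0 for s in servers}   # live VMs per physical server
        self.vms = {}                         # emulated IP -> VM record

    def _clone(self, ip, now):
        # Inactive IP: pick a non-overloaded server (random choice here).
        free = [s for s, n in self.load.items() if n < self.capacity]
        if not free:
            return None                       # farm is full, packet is dropped
        server = random.choice(free)
        self.load[server] += 1
        self.vms[ip] = {"server": server, "last_seen": now, "compromised": False}
        return server

    def inbound(self, dst_ip, now):
        """Route to the VM already bound to dst_ip, else clone a new one."""
        vm = self.vms.get(dst_ip)
        if vm is None:
            return self._clone(dst_ip, now)
        vm["last_seen"] = now
        return vm["server"]

    def outbound(self, src_ip, dst_ip, now):
        """Containment: nothing leaves; dst_ip is emulated inside the farm."""
        # Assumption: an outbound packet from a live honeypot VM means infection.
        self.vms[src_ip]["compromised"] = True
        return ("reflected", self.inbound(dst_ip, now))

    def reclaim(self, now):
        """Free VMs idle past the timeout that were never compromised."""
        stale = [ip for ip, vm in self.vms.items()
                 if not vm["compromised"]
                 and now - vm["last_seen"] > self.idle_timeout]
        for ip in stale:
            self.load[self.vms.pop(ip)["server"]] -= 1
        return stale
```

Reclaiming compromised VMs, which the slide also assigns to the gateway, is left out here; it would need a second policy such as a maximum lifetime.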

9
Virtual Machine Monitor
  • at startup the system boots guest OS, and lets it
    warm up and start server services
  • takes snapshot of system (like hibernate)
  • use this snapshot to create new VMs on the fly
  • leaves it running so it will update memory

10
VMM - Flash Cloning
(Diagram labels: Domain Network Stack; Xen Management Daemon; Clone Manager, which queues packets until clone is ready; Cloned VM; axis: time)
11
Delta Virtualization
  • At copy, each VM maps all its memory to the
    reference VM
  • on write a private copy is stored in its own
    memory
  • memory sharing to further reduce the amount of
    memory needed

12
Delta Virtualization
13
Delta Virtualization
14
Delta Virtualization
15
Results
2^16
/16 (Class B): 65,536 addresses
16
Results
17
Results
18
Contributions
  • Show that you can make a large scale high
    interaction honeyfarm
  • gives proof (in simulation) that it can improve
    efficiency of a honeyfarm

19
Weaknesses
  • only tested in simulation
  • only used Linux-based server VMs
  • only tried at a /16 level

20
Improvements
  • use Windows PCs as well as Linux servers
  • use honeyd-type first response so that you don't
    have to clone for scanning packets