Help Perfect The Cracker Antfarm With honeyd

Help Perfect The Cracker Antfarm With honeyd 93

Posted by timothy on Tuesday February 18, 2003 @12:14PM from the where-are-the-red-ants dept.

Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.

Behind door number three ...

Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up as traps intentionally tempting target machines loaded with tools to observe any break-ins.

Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.

"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."

The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.

License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."

Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzer) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."

What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzer and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."

What's in it for them?

Spitzer, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."

Spitzer has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.

"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."

I send you this file to ask your advice about breaking in.

Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.

While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."

Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."

"Generally the community is very good about this." says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."

Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and other from July 2002; a search on "honeynet" will yield several more.

This discussion has been archived. No new comments can be posted.