Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage University of California, San Diego Proceedings of the ACM Symposium on Operating System Principles (SOSP), Brighton, UK, October 2005 Presented By: Dan DeBlasio for CAP 6133, Spring 2008

Page 1

Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm

Authors: Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage

University of California, San Diego

Proceedings of the ACM Symposium on Operating System Principles (SOSP), Brighton, UK, October 2005

Presented By: Dan DeBlasio for CAP 6133, Spring 2008

Page 2

Outline

• Architectural Overview

• Implementation

• Results

• Commentary/Conclusion

Page 3

Overview

• when a packet comes in, route it to an existing VM; otherwise make a new VM with that address

• makes a copy of a template system to carry out the interaction

• only keeps track of differences from the template

• contains infection data to keep it from infecting others

Page 4

Honeyfarm Architecture

(flowchart; node labels recovered from the slide) Packet comes in → IP already a VM? → Yes: forward packet to that VM; No: create VM. Outbound packet → Safe to Internet? → Yes: forward; No: redirected to a VM.

Page 5

Honeyfarm Architecture

Page 6

Containment

• until now we have only seen low-interaction honeyfarms

• how to keep the honeyfarm from becoming a worm incubator

• relies on the gateway router to “scrub” the outgoing traffic

• emulates destination addresses on the internal network if needed

Page 7

Gateway Router

• incoming packets to an inactive IP are sent to a non-overloaded physical server so the address can be emulated there

• the choice of server is random, or calculated

• packets directed to an active IP are passed to the machine where its VM has been created

• filters out “known” attacks so the farm doesn’t over-emulate the same worm

Page 8

Gateway Router

• must prevent a worm or outbreak from starving the honeyfarm of resources through reflection

• decides when a VM should be reclaimed because it is inactive and was not successfully compromised

• also decides when a compromised machine should be reclaimed to reallocate its resources
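The gateway router rules on pages 6 to 8 (route to an existing VM or spawn one on a lightly loaded server, filter known attacks, scrub and reflect outbound traffic under a budget, reclaim idle and compromised VMs) as a small Python model. This is an added, constructed example, not the Potemkin project's code; class names, the server-selection rule, the reflection budget, the SHA-256 payload filter and all timeouts are assumptions made for illustration.

```python
"""Toy model of the gateway router decisions on these slides (constructed
example, not the Potemkin project's code): inbound packets go to the VM that
already owns the address or spawn one on a lightly loaded server, outbound
traffic from a VM is reflected back into the farm under a budget, and idle or
long-compromised VMs are reclaimed. All names and timeouts are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    ip: str
    server: str
    last_seen: float
    compromised: bool = False


@dataclass
class Server:
    name: str
    capacity: int                              # max VMs this physical host accepts
    vms: dict = field(default_factory=dict)    # honeypot IP -> VM

    def load(self) -> float:
        return len(self.vms) / self.capacity


class GatewayRouter:
    def __init__(self, servers, idle_timeout=60.0, compromised_timeout=600.0,
                 reflect_budget=4):
        self.servers = {s.name: s for s in servers}
        self.active: dict = {}            # honeypot IP -> VM
        self.known_attacks: set = set()   # sha256 of payloads already emulated
        self.reflections: dict = {}       # source IP -> reflected connections so far
        self.idle_timeout = idle_timeout
        self.compromised_timeout = compromised_timeout
        self.reflect_budget = reflect_budget

    def mark_known(self, payload: bytes) -> None:
        """Record a payload the farm has already studied (the 'known attack' filter)."""
        self.known_attacks.add(hashlib.sha256(payload).hexdigest())

    def _least_loaded(self) -> Optional[Server]:
        free = [s for s in self.servers.values() if len(s.vms) < s.capacity]
        return min(free, key=Server.load) if free else None

    def _spawn(self, ip: str, now: float) -> Optional[VM]:
        server = self._least_loaded()
        if server is None:
            return None                   # farm saturated: do not starve it further
        vm = VM(ip, server.name, now)
        server.vms[ip] = vm
        self.active[ip] = vm
        return vm

    def inbound(self, dst_ip: str, now: float, payload: bytes = b""):
        """Return (action, server) for a packet arriving from the Internet."""
        if hashlib.sha256(payload).hexdigest() in self.known_attacks:
            return ("filtered", None)     # known worm: do not re-emulate it
        vm = self.active.get(dst_ip)
        if vm is not None:
            vm.last_seen = now
            return ("forward", vm.server)
        vm = self._spawn(dst_ip, now)
        return ("create", vm.server) if vm else ("drop", None)

    def outbound(self, src_ip: str, dst_ip: str, now: float):
        """Scrub a packet leaving a VM: it never reaches the real destination;
        it is reflected to an internal VM emulating dst_ip, within a per-source budget."""
        vm = self.active.get(src_ip)
        if vm is None:
            return ("drop", None)
        vm.last_seen = now
        vm.compromised = True             # a honeypot that initiates traffic is owned
        used = self.reflections.get(src_ip, 0)
        if used >= self.reflect_budget:
            return ("drop", None)         # cap reflection so one worm cannot fill the farm
        self.reflections[src_ip] = used + 1
        action, server = self.inbound(dst_ip, now)
        return ("reflect", server) if action in ("create", "forward") else ("drop", None)

    def reclaim(self, now: float):
        """Free VMs idle past their lease; compromised ones get a longer lease."""
        freed = []
        for ip, vm in list(self.active.items()):
            limit = self.compromised_timeout if vm.compromised else self.idle_timeout
            if now - vm.last_seen > limit:
                del self.servers[vm.server].vms[ip]
                del self.active[ip]
                self.reflections.pop(ip, None)
                freed.append(ip)
        return freed
```

Running it with two servers of capacity two shows the behaviour the slides describe: the third reflected connection from one compromised VM is dropped once both hosts are full, and uncompromised VMs are reclaimed long before the compromised one.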

Page 9

Virtual Machine Monitor

• at startup the system boots the guest OS and lets it warm up and start its server services

• takes a snapshot of the system (like hibernate)

• uses this snapshot to create new VMs on the fly

• keeps the reference VM running so its memory image stays current

Page 10

VMM - Flash Cloning

(sequence diagram; participants: Domain Network Stack, Clone Manager, Xen Management Daemon, Cloned VM; time runs downward)

• new packet for address A arrives at the domain network stack and is passed to the clone manager’s queue

• Clone Manager → Xen Management Daemon: “clone VM”

• Xen Management Daemon → Clone Manager: “okay”

• Clone Manager → Xen Management Daemon: “change to IP A”

• Xen Management Daemon → Clone Manager: “okay”

• packets flushed from the queue and forwarded to the cloned VM (the clone manager queues packets until the clone is ready)

• cloned VM’s response
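The flash-cloning handshake on this slide, modelled as an added Python example (constructed here, not the Potemkin project's code). The message strings follow the slide; the `XenDaemon`, `CloneManager` and `ClonedVM` classes, the one-request-per-tick daemon, and the state names are assumptions. The point it shows is the queueing: packets for address A that arrive while the clone is still being created or re-addressed are held, and all of them are flushed in order once the second acknowledgement arrives.

```python
"""Constructed model of the flash-cloning handshake on this slide (not the
Potemkin project's code). The clone manager queues packets for a new address A,
asks the Xen management daemon to clone the reference VM and re-address it, and
only flushes the queue once both requests have been acknowledged. Message
strings follow the slide; class and method names are assumptions."""
from collections import deque


class XenDaemon:
    """Stand-in for the Xen management daemon: acknowledges one request per tick,
    so requests are asynchronous and packets can arrive mid-clone."""
    def __init__(self):
        self.inbox = deque()
        self.transcript = []              # (direction, message) in time order

    def request(self, msg, on_reply):
        self.transcript.append(("clone manager -> xend", msg))
        self.inbox.append((msg, on_reply))

    def tick(self):
        if self.inbox:
            msg, on_reply = self.inbox.popleft()
            self.transcript.append(("xend -> clone manager", "okay"))
            on_reply(msg)


class ClonedVM:
    def __init__(self, ip):
        self.ip = ip
        self.received = []

    def deliver(self, pkt):
        self.received.append(pkt)
        return f"{self.ip} replies to {pkt}"


class CloneManager:
    def __init__(self, xend):
        self.xend = xend
        self.queues = {}                  # address -> packets waiting for the clone
        self.state = {}                   # address -> cloning | renaming | ready
        self.vms = {}
        self.responses = []               # what the cloned VMs sent back

    def packet_for(self, addr, pkt):
        """Entry point from the domain network stack for a packet to addr."""
        if self.state.get(addr) == "ready":
            self.responses.append(self.vms[addr].deliver(pkt))
            return "forwarded"
        self.queues.setdefault(addr, deque()).append(pkt)
        if addr not in self.state:        # first packet for this address: start a clone
            self.state[addr] = "cloning"
            self.xend.request("clone VM", lambda msg: self._acked(addr, msg))
        return "queued"

    def _acked(self, addr, msg):
        if msg == "clone VM":
            self.state[addr] = "renaming"
            self.xend.request(f"change to IP {addr}", lambda m: self._acked(addr, m))
            return
        self.state[addr] = "ready"        # re-addressed: flush everything queued
        self.vms[addr] = ClonedVM(addr)
        while self.queues[addr]:
            self.responses.append(self.vms[addr].deliver(self.queues[addr].popleft()))
```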

Page 11

Delta Virtualization

• at copy time, each VM maps all its memory to the reference VM

• on a write, a private copy of the page is stored in the VM’s own memory

• memory sharing further reduces the amount of memory needed
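Delta virtualization as described on this slide, as an added Python example (constructed here, not the Potemkin project's code): a clone starts with every page mapped to the reference VM, its first write to a page copies that page privately, and a content-addressed page store lets clones that end up with identical pages share one physical copy. The 4 KiB page size, the SHA-256 keyed store and all class names are assumptions.

```python
"""Constructed model of delta virtualization as described on this slide (not
the Potemkin project's code): a clone starts with every page mapped to the
reference VM, copies a page privately on its first write, and identical pages
are shared through a content-addressed store. PAGE size and names are assumptions."""
import hashlib

PAGE = 4096


class PageStore:
    """Content-addressed pool of physical pages with reference counts."""
    def __init__(self):
        self.pages = {}                   # sha256 -> page bytes
        self.refs = {}                    # sha256 -> number of mappings

    def put(self, data: bytes) -> bytes:
        h = hashlib.sha256(data).digest()
        self.pages.setdefault(h, data)    # identical content is stored once
        self.refs[h] = self.refs.get(h, 0) + 1
        return h

    def release(self, h: bytes) -> None:
        self.refs[h] -= 1
        if self.refs[h] == 0:
            del self.refs[h]
            del self.pages[h]

    def footprint_bytes(self) -> int:
        return len(self.pages) * PAGE


class ReferenceVM:
    """The snapshotted template: its pages are the base mapping for every clone."""
    def __init__(self, store: PageStore, image: bytes):
        assert len(image) % PAGE == 0, "image must be page aligned"
        self.store = store
        self.map = [store.put(image[i:i + PAGE]) for i in range(0, len(image), PAGE)]


class CloneVM:
    def __init__(self, ref: ReferenceVM):
        self.ref = ref
        self.store = ref.store
        self.private = {}                 # page number -> hash of this clone's copy

    def read(self, page_no: int) -> bytes:
        h = self.private.get(page_no, self.ref.map[page_no])
        return self.store.pages[h]

    def write(self, page_no: int, offset: int, data: bytes) -> None:
        """Copy-on-write: the clone never modifies the reference page."""
        page = bytearray(self.read(page_no))
        page[offset:offset + len(data)] = data
        old = self.private.get(page_no)
        self.private[page_no] = self.store.put(bytes(page))
        if old is not None:
            self.store.release(old)

    def private_pages(self) -> int:
        return len(self.private)
```

With a four-page reference image and two clones, the store holds four pages until the first write; one clone's write costs one private page, the second clone writing the same bytes costs nothing extra, and only a differing write adds a sixth page.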

Page 12

Delta Virtualization

Page 13

Delta Virtualization

Page 14

Delta Virtualization

Page 15

Results

/16 == Class B: ~65,536 addresses (~2^16)

Page 16

Results

Page 17

Results

Page 18

Contributions

• shows that a large-scale, high-interaction honeyfarm can be built

• gives proof (in simulation) that it can improve the efficiency of a honeyfarm

Page 19

Weaknesses

• only tested in simulation

• only used Linux-based server VMs

• only tried at a /16 level

Page 20

Improvements

• use Windows PCs as well as Linux servers

• use a honeyd-type first response so that you don’t have to clone for scanning packets