Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm
Authors:
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage
University of California, San Diego
Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005
Presented By: Dan DeBlasio for CAP 6133, Spring 2008
Outline
•Architectural Overview
•Implementation
•Results
•Commentary/Conclusion
Overview
•when a packet comes in, it is routed to the VM that already owns that address; if there is none, a new VM is created for that address
•the new VM is a copy of a template system that carries out the interaction with the attacker
•only the differences from the template are kept for each VM
•infected VMs are contained so that they cannot infect anything else
Honeyfarm Architecture
[Flowchart: a packet comes in; "IP already a VM?" Yes: forward the packet to that VM. No: create a VM for the address, then forward. An outbound packet from a VM reaches "safe to Internet?" Yes: forward it. No: it is not forwarded to the Internet.]
Containment
•earlier honeyfarms were low-interaction only
•how do you keep a high-interaction honeyfarm from becoming a worm incubator?
•relies on the gateway router to "scrub" all outgoing traffic
•if needed, destination addresses are emulated on the internal network instead of being reached over the Internet
Gateway Router
•incoming packets to an inactive IP are sent to a physical server that is not overloaded, so the address can be emulated there
•the server choice is either random or calculated from load
•packets directed to an active IP pass to the machine where that VM has already been created
•filters out "known" attacks so that the same worm is not emulated over and over
Gateway Router
•must prevent a worm or outbreak from starving the honeyfarm of resources through reflection (internally reflected traffic spawning ever more VMs)
•decides when a VM should be reclaimed because it is inactive and was not successfully compromised
•also decides when a compromised machine should be reclaimed so its resources can be reallocated
Virtual Machine Monitor
•at startup the system boots the guest OS and lets it warm up and start its server services
•it then takes a snapshot of the system (like hibernation)
•this snapshot is used to create new VMs on the fly
•the reference VM is left running so that its memory stays up to date
VMM - Flash Cloning
[Sequence diagram; participants: Domain Network Stack, Clone Manager, Xen Management Daemon, Cloned VM; time runs downward]
•a new packet for address A arrives at the domain network stack
•it is passed to the clone manager's queue; the clone manager queues packets until the clone is ready
•clone manager to Xen management daemon: "clone VM"
•Xen management daemon to clone manager: "okay"
•clone manager to Xen management daemon: "change to IP A"
•Xen management daemon to clone manager: "okay"
•the queued packets are flushed and forwarded to the cloned VM
•the cloned VM's response goes back out
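The decisions described on the two Gateway Router slides and the queue-until-ready step of the flash-cloning sequence, modelled as an added Python example (not code from the paper or the Potemkin prototype). Everything about the policy is an assumption made for the example: the honeyfarm prefix 10.16.0.0/16, a three-step clone handshake, least-loaded server placement, a (port, payload) pair as a stand-in for an attack signature, the scrub rule (a reply to the attacker that triggered the clone may leave, traffic to another honeyfarm address is reflected to an internal VM, everything else is dropped), and the idle-reclaim limits. All addresses and payloads are constructed.

```python
"""Toy model of the Potemkin gateway router plus the clone manager's packet queue.
Added example, not code from the paper; policy and all addresses/payloads are assumed."""
from collections import deque
from dataclasses import dataclass, field
import ipaddress

HONEYFARM_NET = ipaddress.ip_network("10.16.0.0/16")   # assumed /16 honeyfarm prefix (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class VM:
    ip: str
    server: int
    peer: str                      # external host whose packet triggered the clone
    handshake: int = 0             # 0 "clone VM" sent, 1 "okay", 2 "change to IP A" sent, 3 "okay"
    queue: deque = field(default_factory=deque)      # packets held until the clone is up
    delivered: list = field(default_factory=list)    # packets the guest actually received
    compromised: bool = False
    idle_ticks: int = 0
    ready = property(lambda self: self.handshake >= 3)


class Gateway:
    def __init__(self, servers: int = 4, max_vms: int = 8, idle_limit: int = 3):
        self.servers, self.max_vms, self.idle_limit = servers, max_vms, idle_limit
        self.vms: dict = {}            # active IP -> VM
        self.known: set = set()        # (dport, payload) of attacks already being emulated

    def _least_loaded_server(self) -> int:   # "calculated" placement; random would also do
        load = [0] * self.servers
        for vm in self.vms.values():
            load[vm.server] += 1
        return load.index(min(load))

    def _spawn(self, ip: str, peer: str):
        if len(self.vms) >= self.max_vms:
            return None                # cap: an outbreak must not starve the farm
        self.vms[ip] = VM(ip=ip, server=self._least_loaded_server(), peer=peer)
        return self.vms[ip]

    def _deliver(self, vm: VM, pkt: Packet) -> None:
        vm.idle_ticks = 0
        (vm.delivered if vm.ready else vm.queue).append(pkt)

    def inbound(self, pkt: Packet) -> str:   # packet from the Internet
        vm = self.vms.get(pkt.dst)
        if vm is not None:
            self._deliver(vm, pkt)
            return "forward"           # active IP: pass to the machine hosting that VM
        if (pkt.dport, pkt.payload) in self.known:
            return "drop:known-attack" # same worm again: do not emulate it twice
        vm = self._spawn(pkt.dst, pkt.src)
        if vm is None:
            return "drop:starved"
        self.known.add((pkt.dport, pkt.payload))
        self._deliver(vm, pkt)
        return "clone"                 # inactive IP: flash-clone a VM for it

    def clone_manager_step(self) -> None:   # one handshake step for every pending clone
        for vm in self.vms.values():
            if not vm.ready:
                vm.handshake += 1
                if vm.ready:           # flush held packets in arrival order
                    while vm.queue:
                        vm.delivered.append(vm.queue.popleft())

    def outbound(self, pkt: Packet) -> str:   # packet emitted by a VM: scrub it
        vm = self.vms.get(pkt.src)
        if vm is None:
            return "drop:unknown-source"
        vm.idle_ticks = 0
        if pkt.dst == vm.peer:
            return "allow:reply"       # answering the attacker that owns this VM
        vm.compromised = True          # unsolicited traffic: a propagation attempt
        if ipaddress.ip_address(pkt.dst) in HONEYFARM_NET:
            target = self.vms.get(pkt.dst) or self._spawn(pkt.dst, pkt.src)
            if target is None:
                return "drop:starved"
            self._deliver(target, pkt)
            return "reflect"           # emulate the victim inside the farm instead
        return "drop:contained"        # never reaches the real Internet

    def tick(self) -> list:   # idle clock; compromised VMs are kept twice as long
        reclaimed = []
        for ip, vm in list(self.vms.items()):
            vm.idle_ticks += 1
            if vm.idle_ticks >= self.idle_limit * (2 if vm.compromised else 1):
                reclaimed.append(ip)
                del self.vms[ip]
        return reclaimed
```

Drive it by calling inbound() for attacker packets, clone_manager_step() a few times to let the clone come up (the first packets stay queued until then and are delivered in order), outbound() for what the guest emits, and tick() to watch idle VMs being reclaimed. The point of the containment branch is that a compromised guest's propagation traffic never leaves: it is either reflected onto another farm address, which spawns a VM for the victim, or dropped once the VM cap is hit.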
Delta Virtualization
•at copy time, each VM maps all of its memory onto the reference VM's pages
•on a write, a private copy of the page is stored in the VM's own memory (copy-on-write)
•memory sharing across VMs further reduces the amount of memory needed
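Delta virtualization as a small copy-on-write memory model, added here as an example and not taken from Potemkin or Xen. A FrameStore holds reference-counted frames; a clone's page table points at the reference image's frames and a write privatises only the page it touches. The dedupe() step is the content-based sharing the last bullet refers to, implemented here as a hash-and-merge pass. The page size, the byte-per-page fill of the reference image and the "infected" write in demo() are all constructed.

```python
"""Toy copy-on-write memory model for delta virtualization (added example, not
Potemkin code). Frames live in a FrameStore with reference counts; a clone maps
every page onto the reference image's frames and only gets a private frame when
it writes. dedupe() adds content-based sharing across images."""
import hashlib

PAGE_SIZE = 4096   # assumed page size


class FrameStore:
    """Physical frames plus refcounts; a frame whose count hits zero is freed (None)."""
    def __init__(self) -> None:
        self.frames: list = []
        self.refcount: list = []

    def alloc(self, data: bytes) -> int:
        assert len(data) == PAGE_SIZE
        self.frames.append(bytes(data))
        self.refcount.append(1)
        return len(self.frames) - 1

    def share(self, fno: int) -> int:
        self.refcount[fno] += 1
        return fno

    def release(self, fno: int) -> None:
        self.refcount[fno] -= 1
        if self.refcount[fno] == 0:
            self.frames[fno] = None

    def resident_bytes(self) -> int:
        return PAGE_SIZE * sum(1 for f in self.frames if f is not None)


class Image:
    """One VM's memory: a page table of frame numbers in a FrameStore."""
    def __init__(self, store: FrameStore, table: list) -> None:
        self.store, self.table = store, table
        self.cow_copies = 0          # pages this image had to privatise

    @classmethod
    def reference(cls, store: FrameStore, n_pages: int) -> "Image":
        # Constructed reference image: page i is filled with the byte value i.
        return cls(store, [store.alloc(bytes([i % 256]) * PAGE_SIZE) for i in range(n_pages)])

    def clone(self) -> "Image":
        # Delta virtualization: the clone maps every page to the parent's frame, copying nothing.
        return Image(self.store, [self.store.share(f) for f in self.table])

    def read(self, addr: int, n: int) -> bytes:
        page, off = divmod(addr, PAGE_SIZE)
        return self.store.frames[self.table[page]][off:off + n]

    def write(self, addr: int, data: bytes) -> None:
        page, off = divmod(addr, PAGE_SIZE)
        assert off + len(data) <= PAGE_SIZE
        fno = self.table[page]
        if self.store.refcount[fno] > 1:
            # Shared frame: copy-on-write gives this image a private copy first.
            new = self.store.alloc(self.store.frames[fno])
            self.store.release(fno)
            self.table[page] = fno = new
            self.cow_copies += 1
        frame = bytearray(self.store.frames[fno])
        frame[off:off + len(data)] = data
        self.store.frames[fno] = bytes(frame)

    def destroy(self) -> None:
        for f in self.table:
            self.store.release(f)
        self.table = []


def dedupe(store: FrameStore, images: list) -> int:
    """Content-based sharing: point identical frames at one copy; returns pages merged."""
    by_hash, merged = {}, 0
    for img in images:
        for i, fno in enumerate(img.table):
            canon = by_hash.setdefault(hashlib.sha256(store.frames[fno]).hexdigest(), fno)
            if canon != fno:
                img.table[i] = store.share(canon)
                store.release(fno)
                merged += 1
    return merged


def demo() -> dict:
    """Eight clones of a 64-page reference image; two of them get the same 'infection' write."""
    store = FrameStore()
    ref = Image.reference(store, 64)
    base = store.resident_bytes()
    clones = [ref.clone() for _ in range(8)]
    after_clone = store.resident_bytes()               # still one image's worth of memory
    for c in clones[:2]:
        c.write(3 * PAGE_SIZE + 10, b"infected")        # each privatises exactly one page
    after_write = store.resident_bytes()
    merged = dedupe(store, [ref] + clones)              # the two private pages are identical
    return dict(base=base, after_clone=after_clone, after_write=after_write,
                merged=merged, after_dedupe=store.resident_bytes())
```

demo() makes the accounting visible: eight clones of a 64-page image cost nothing until they write, each write costs one page, and the dedupe pass folds identical private pages back together. The refcount check in write() is what keeps a page that has already been privatised from being copied again on the next write.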
Results
•evaluated at /16 (Class B) scale: 2^16 ≈ 65,536 addresses
Contributions
•shows that a large-scale, high-interaction honeyfarm can be built
•shows (in simulation) that it improves the efficiency of a honeyfarm
Weaknesses
•only tested in simulation
•only used Linux-based server VMs
•only tried at the /16 level
Improvements
•use Windows desktop VMs as well as Linux servers
•use a honeyd-style first response so that scanning packets do not trigger a clone