Skip to main content
View expanded cover

Cyber Deception pp 201–231Cite as

Embedded Honeypotting

Abstract

Language-based software cyber deception leverages the science of compiler and programming language theory to equip software products with deceptive capabilities that misdirect and disinform attackers. A flagship example of software cyber deception is embedded honeypots, which arm live, commodity server software with deceptive attack-response and disinformation capabilities. This chapter presents a language-based approach to embedded honeypot design and implementation. Implications related to software architecture, compiler design, program analysis, and programming language semantics are discussed.

Keywords

  • Virtual Machine
  • Secret Data
  • Legitimate User
  • Attack Session
  • Threat Intelligence

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This research was supported in part by AFOSR award FA9550-14-1-0173, NSF awards #1054629 and #1027520, ONR award N00014-14-1-0030, and NSA award H98230-15-1-0271. Any opinions, recommendations, or conclusions expressed are those of the authors and not necessarily of the AFOSR, NSF, ONR, or NSA.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-32699-3_9
  • Chapter length: 31 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-319-32699-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   139.99
Price excludes VAT (USA)
Hardcover Book
USD   199.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Notes

  1. 1.

    The functions are polymorphic in the sense that some of their arguments are types τ.

  2. 2.

    Named after pointillism co-founder Paul Signac.

  3. 3.

    Araujo et al. [5] present a more systematic study of honey-patchable patches for all official security patches released for the Apache web server from 2005 to 2013. Overall, the analysis shows that roughly 65 % of the patches analyzed are easily transformable into honey-patches.

References

  1. Anderson, R. Why information security is hard – an economic perspective. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC) (2001), pp. 358–365.

    Google Scholar 

  2. Ansel, J., Arya, K., and Cooperman, G. DMTCP: Transparent checkpointing for cluster computations and the desktop. In Proceedings of the 23rd IEEE International Parallel and Distributed Processing Symposium (IPDPS) (2009), pp. 1–12.

    Google Scholar 

  3. Apache. Apache HTTP server project. http://httpd.apache.org, 2014.

  4. Araujo, F., and Hamlen, K. W. Compiler-instrumented, dynamic secret-redaction of legacy processes for attacker deception. In Proceedings of the 24th USENIX Security Symposium (2015).

    Google Scholar 

  5. Araujo, F., Hamlen, K. W., Biedermann, S., and Katzenbeisser, S. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS) (2014), pp. 942–953.

    Google Scholar 

  6. Araujo, F., Shapouri, M., Pandey, S., and Hamlen, K. Experiences with honey-patching in active cyber security education. In Proceedings of the 8th Workshop on Cyber Security Experimentation and Test (CSET) (2015).

    Google Scholar 

  7. Bringer, M. L., Chelmecki, C. A., and Fujinoki, H. A survey: Recent advances and future trends in honeypot research. International Journal of Computer Network and Information Security 4, 10 (2012).

    CrossRef  Google Scholar 

  8. Clang. clang.llvm.org. http://clang.llvm.org.

  9. Clark, C., Fraser, K., Hand, S., Hansen, J. G., Jul, E., Limpach, C., Pratt, I., and Warfield, A. Live migration of virtual machines. In Proceedings of the 2nd Symposium on Networked Systems Design & Implementation (NSDI) (2005), vol. 2, pp. 273–286.

    Google Scholar 

  10. Corbet, J. TCP Connection Repair. http://lwn.net/Articles/495304, 2012.

  11. CRIU. Checkpoint/Restore In Userspace. http://criu.org, 2014.

  12. Dalton, M., Kannan, H., and Kozyrakis, C. Tainting is not pointless. ACM/SIGOPS Operating Systems Review (OSR) 44, 2 (2010), 88–92.

    CrossRef  Google Scholar 

  13. DFSan. Clang DataFlowSanitizer. http://clang.llvm.org/docs/DataFlowSanitizer.html.

  14. Duell, J. The design and implementation of Berkeley Lab’s Linux checkpoint/restart. Tech. Rep. LBNL-54941, U. California at Berkeley, 2002.

    Google Scholar 

  15. Gerofi, B., Fujita, H., and Ishikawa, Y. An efficient process live migration mechanism for load balanced distributed virtual environments. In Proceedings of the IEEE International Conference on Cluster Computing (CLUSTER) (2010), pp. 197–206.

    Google Scholar 

  16. Google. Protocol Buffers. https://code.google.com/p/protobuf, 2014.

  17. Google. Web metrics. https://developers.google.com/speed/articles/web-metrics, 2014.

  18. Juels, A. A bodyguard of lies: the use of honey objects in information security. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (2014), ACM, pp. 1–4.

    Google Scholar 

  19. Kang, M. G., McCamant, S., Poosankam, P., and Song, D. DTA++: Dynamic taint analysis with targeted control-flow propagation. In Proceedings of the 18th Annual Network & Distributed System Security Symposium (NDSS) (2011).

    Google Scholar 

  20. Kerckhoffs, A. La cryptographie militaire. Journal Sciences Militaires IX (1883), 5–38.

    Google Scholar 

  21. Lattner, C., and Adve, V. S. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the 2nd IEEE/ACM International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization (CGO) (2004), pp. 75–88.

    Google Scholar 

  22. Lighttpd. Lighttpd server project. http://www.lighttpd.net, 2014.

  23. LXC. Linux containers. http://linuxcontainers.org, 2014.

  24. Merkow, M. S., and Breithaupt, J. Information Security: Principles and Practices. Pearson Education, 2014.

    Google Scholar 

  25. Miloi \( \rm\acute{J} \) čić, D. S., Douglis, F., Paindaveine, Y., Wheeler, R., and Zhou, S. Process migration. ACM Computing Surveys 32, 3 (2000), 241–299.

    Google Scholar 

  26. Netcraft. Are there really lots of vulnerable Apache web servers? http://news.netcraft.com/archives/2014/02/07, 2014.

  27. Nginx. Nginx server project. http://nginx.org, 2014.

  28. NIST. The Shellshock Bash Vulnerability. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271, Sep. 2014.

  29. Ohloh. Apache HTTP server statistics. http://www.ohloh.net/p/apache, 2014.

  30. Pai, V. S., Druschel, P., and Zwaenepoel, W. Flash: An efficient and portable web server. In Proceedings of the USENIX Annual Technical Conference (ATEC) (1999), pp. 15–15.

    Google Scholar 

  31. Pingree, L. Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities. Gartner, Inc. (July 2015). ID:G00278434.

    Google Scholar 

  32. Provos, N. A virtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium (2004), vol. 173.

    Google Scholar 

  33. Schwartz, E. J., Avgerinos, T., and Brumley, D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the 31st IEEE Symposium on Security & Privacy (S&P) (2010), pp. 317–331.

    Google Scholar 

  34. Slowinska, A., and Bos, H. Pointless tainting?: Evaluating the practicality of pointer tainting. In Proceedings of the 4th ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys) (2009), pp. 61–74.

    Google Scholar 

  35. Spitzner, L. Honeypots: Tracking Hackers. Addison-Wesley Longman, 2002.

    Google Scholar 

  36. Spitzner, L. The honeynet project: Trapping the hackers. IEEE Security & Privacy, 2 (2003), 15–23.

    CrossRef  Google Scholar 

  37. Thonnard, O., and Dacier, M. A framework for attack patterns’ discovery in honeynet data. Digital Investigation 5, Supplement (2008), S128 – S139. The Proceedings of the 8th Annual DFRWS Conference.

    Google Scholar 

  38. Voris, J., Jermyn, J., Boggs, N., and Stolfo, S. Fox in the trap: thwarting masqueraders via automated decoy document deployment. In Proceedings of the 8th ACM European Workshop on System Security (2015), p. 3.

    Google Scholar 

  39. Wang, C., Mueller, F., Engelmann, C., and Scott, S. L. Proactive process-level live migration in HPC environments. In Proceedings of the ACM/IEEE Conference on Supercomputing (2008).

    Google Scholar 

  40. Whitaker, A., Cox, R. S., Shaw, M., and Gribble, S. D. Constructing services with interposable virtual hardware. In Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI) (2004), pp. 169–182.

    Google Scholar 

  41. Yuill, J., Zappe, M., Denning, D., and Feer, F. Honeyfiles: Deceptive files for intrusion detection. In Proceedings of the 5th IEEE International Workshop on Information Assurance (2004), pp. 116–122.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. The University of Texas at Dallas, 800 W. Campbell Rd., EC31, Richardson, TX, 75080-3021, USA

    Frederico Araujo & Kevin W. Hamlen

Authors
  1. Frederico Araujo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kevin W. Hamlen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Frederico Araujo .

Editor information

Editors and Affiliations

  1. Center for Secure Information Systems, George Mason University, Fairfax, Virginia, USA

    Sushil Jajodia

  2. Department of Computer Science, University of Maryland, College Park, Maryland, USA

    V.S. Subrahmanian

  3. The MITRE Corporation, McLean, Virginia, USA

    Vipin Swarup

  4. Computing & Information Science Division, Information Sciences Directorate Computing & Information Science Division, Triangle Park, North Carolina, USA

    Cliff Wang

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Araujo, F., Hamlen, K.W. (2016). Embedded Honeypotting. In: Jajodia, S., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-319-32699-3_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-32699-3_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-32697-9

  • Online ISBN: 978-3-319-32699-3

  • eBook Packages: Computer ScienceComputer Science (R0)