Argos: An Emulator for Capturing Zero-Day Attacks
Thursday, March 9. 2006
Earlier I posted about the NoAH project. Besides the papers, they have already developed an interesting piece of software: Argos is a system designed to detect new attacks. They use dynamic taint analysis (think of Perl's taint mode) to trace the usage of incoming data. All data coming from the outside is marked as tainted, and the execution flow is monitored so that the propagation and usage of this data can be traced dynamically. If such marked data is used in a malicious way (e.g., as the target of a call or jmp), Argos stops the execution and gives a stack trace.
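To make the detection rule concrete, here is a small simulation written for this post (it is not Argos code, which instruments a full system emulator). It assumes a toy machine with a constructed memory layout: a fixed-size buffer followed by a saved return address, and a copy loop with no bounds check.

```python
from dataclasses import dataclass

@dataclass
class Cell:
    """A byte plus a taint bit (set when the value derives from outside input)."""
    value: int
    tainted: bool = False

class TaintViolation(Exception):
    pass

class TaintMachine:
    """Toy machine whose memory and registers carry taint; a control-flow target
    is checked before use, which is the Argos rule for call/jmp/ret."""
    def __init__(self, mem_size=64):
        self.mem = [Cell(0) for _ in range(mem_size)]
        self.regs = {r: Cell(0) for r in ("r0", "r1", "pc")}

    def recv(self, dst_addr, data):
        # Everything arriving from the "network" is tainted on entry.
        for i, b in enumerate(data):
            self.mem[dst_addr + i] = Cell(b, tainted=True)
    def load(self, reg, addr):  # taint follows the data on every copy
        src = self.mem[addr]
        self.regs[reg] = Cell(src.value, src.tainted)
    def store(self, addr, reg):
        src = self.regs[reg]
        self.mem[addr] = Cell(src.value, src.tainted)
    def jump(self, reg):
        target = self.regs[reg]
        if target.tainted:
            raise TaintViolation(f"tainted 0x{target.value:02x} used as jump target")
        self.regs["pc"] = Cell(target.value)

def run_vulnerable_copy(payload):
    """Buffer at 0..7, saved return address at 8 (constructed layout). An unchecked
    copy of a payload longer than 8 bytes overwrites the return address."""
    m = TaintMachine()
    m.mem[8] = Cell(0x40)                # legitimate return address, untainted
    m.recv(16, payload)                  # constructed input: bytes from the network
    for i in range(len(payload)):        # strcpy-style copy with no bounds check
        m.load("r0", 16 + i)
        m.store(i, "r0")
    m.load("r1", 8)                      # "ret": reload the saved return address
    try:
        m.jump("r1")
        return "clean"
    except TaintViolation as e:
        return f"alert: {e}"
```

A payload that fits the buffer leaves the return address untainted and execution continues; one byte too many makes the reloaded return address tainted, and the check fires at the moment it is used as a jump target rather than when the overflow happened.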
A very similar approach is described in the paper "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software" by James Newsome and Dawn Song from CMU. In the paper, the authors also describe ways to use the system in combination with other approaches and how to automatically generate signatures based on the collected information.
This kind of system is pretty interesting since it can also enable a way to detect 0day attacks. It would be interesting to combine this approach with nepenthes to build a system that can also "learn" new vulnerability modules. But such a system is perhaps only a dream...
There is a howto for setting up Argos available at the nepenthes site.