Manuka Project

IEEE IA Workshop, June 10, 2004



Agenda

• Introduction

• Inspiration to Solution

• Manuka Use

• SE Approach

• Conclusion

Team Members

• Seattle University Masters in Computer Science & Software Engineering

– Amy Shephard

– Christian Seifert

– Don Nguyen

– Jenks Gibbons

– Jose Chavez

Sponsors

– University of Washington

• Customer: Dave Dittrich

– Seattle University

• Advisor: Barbara Endicott-Popovsky

Inspiration to Solution

Inspiration

• Honeynet Project “Forensic Challenge”

– January 15, 2001

– Linux Red Hat 6.2

– Six partitions (1.8GB raw / 170MB gzip)

– Time to:

• Root the box and rootkit (30 minutes)

• Analyze intrusion and report (30+ hours)

– Downloaded thousands of times

– Used in first SANS FIRE (Forensics course)

http://www.honeynet.org/challenge/index.html

Application #1

• 2004 NSF CCLI grant

– Highline Community College

– Seattle University

– University of Washington

• Computer and Network Forensics Courses

• Using real compromised honeypot images for labs

Use in Forensic Course Lab

• Student boots lab system w/custom Linux bootable CD

• Chooses which compromised system to analyze

• Bits loaded to disk, verified

• Student performs analysis, answers specific questions (which are compared with analysis in database)

• Lather, rinse, repeat…

Application #2

• Distributed Honeynet using Honeywalls

– “Clone” clean honeypot images

– Archive compromised honeypot images

– Automated honeypot forensics (future)

Application #3 (future)

• Distributed Incident Response Toolkit

– Customizable (unique) ISO images

– Centralized control of analysis

– Remote drive acquisition

– Asynchronous and semi-automatic operation

Proposed Solution

• Use standard x86 hardware (Knoppix)

• Bit-image copy of clean/compromised systems

• Provide integrity checking (MD5 hashes) and secure file transfer (SSH)

• Database storage (compressed)

• Database search by attribute (e.g., ID#, OS version, CVE #, etc.)

• Remotely retrieve/install bootable systems

• Customizable ISO (a la Honeywall)

“Customizing ISOs and the Honeynet Project’s Honeywall,” http://staff.washington.edu/dittrich/misc/honeywall/

Manuka

Components

– Server

• Linux, MySQL, Java

• Automated Manuka database server installation

– Client

• Customized Knoppix CD-ROM (similar to Honeywall)

– Password protected

– Secure login to database

– Secure data transfer

Manuka Use

Typical Use

• Upload clean

1) Install new honeypot

2) Configure vulnerability profile (CVE #N)

3) Reboot w/Manuka CD, ID system, upload

• Download clean

1) Boot w/Manuka CD

2) Select image and download

• Upload compromised

1) Boot w/Manuka CD

2) Associate w/original, annotate, upload

Accessing Manuka

– Authentication required for all functionality

– Multiple access levels supported

Upload Installation

– Stores an installation in the Manuka database

– Clean Image

• Specify system details

• Specify installation details

• Specify vulnerabilities

– Compromised Image

• Associate with existing system

• Specify installation details

[Diagram: Upload Component. A clean or compromised system, booted with the Knoppix CD, runs the Upload Component; the image passes through a GZip compressor and an encrypted SSH tunnel to the file server (port 9999), and the Manuka database records each stored image's system image metadata and MD5 hash. Labels shown: System A, BA6512345AFAED2A3D4E11; System B, BA6512345AFAED2A3D4E11; System C, CD33456765673FE23AD4F13.]

Download Installation

– Writes an installation to the specified drive

– Download Installation

• Specify target, system, and installation details

• Wait…

[Diagram: Download Component. The system to restore, booted with the Knoppix CD, requests the binary image files; the Manuka database supplies the binary file locations and the MD5 hash, and the image is transferred from the file server (port 9999) through an encrypted SSH tunnel and a GZip uncompressor onto the target drive. Labels shown: System A, BA651EF45AFAED2A3D4E11; System B, BA6512345AFAED2A3D4E11; Image 3, CD33456765673FE23AD4F13; System C, CD33456765673FE23AD4F13.]
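The two component diagrams above describe the same integrity-checked round trip from opposite ends: the Upload Component hashes and gzip-compresses a bit image before it crosses the SSH tunnel, and the Download Component must decompress it and confirm the stored digest before anything is written to the target drive. The following is an added example, not Manuka project code, showing that round trip on in-memory bytes; the transport (SSH tunnel, file server on port 9999) is assumed and left out, the sample image is constructed, and the function names are my own. MD5 is the default because that is what the slides specify; the `algorithm` parameter also accepts `"sha256"` for a digest without known collision attacks.

```python
# Added example (not Manuka project code): the integrity-checked image
# round trip performed by the Upload and Download components. The raw bit
# image is hashed and gzip-compressed on the way up; on the way down it is
# decompressed, re-hashed, and accepted only if the digest matches the one
# recorded in the database. Transport is out of scope; bytes in, bytes out.
import gzip
import hashlib
import io
import zlib

CHUNK = 64 * 1024  # stream in 64 KiB pieces so a large image is never held twice


def pack_image(raw: bytes, algorithm: str = "md5") -> tuple[bytes, str]:
    """Upload side: compress the image while hashing the *uncompressed* bytes.

    Returns (gzip_bytes, hex_digest). Hashing the original bits, not the
    archive, means the digest can be checked against a bit-for-bit restore no
    matter how the archive was produced. Default is MD5 as on the slides.
    """
    digest = hashlib.new(algorithm)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb") as gz:
        for offset in range(0, len(raw), CHUNK):
            piece = raw[offset:offset + CHUNK]
            digest.update(piece)
            gz.write(piece)
    return out.getvalue(), digest.hexdigest()


def unpack_image(packed: bytes, expected_digest: str, algorithm: str = "md5") -> bytes:
    """Download side: decompress, re-hash, and refuse the image on any mismatch.

    Raises ValueError so a caller never writes an unverified image to the
    target drive. A corrupted gzip stream raises from the gzip module itself.
    Stored digests are compared case-insensitively (the slides show uppercase).
    """
    digest = hashlib.new(algorithm)
    restored = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(packed), mode="rb") as gz:
        while True:
            piece = gz.read(CHUNK)
            if not piece:
                break
            digest.update(piece)
            restored.extend(piece)
    actual = digest.hexdigest()
    if actual != expected_digest.lower():
        raise ValueError(f"integrity check failed: expected {expected_digest}, got {actual}")
    return bytes(restored)


def image_is_intact(packed: bytes, expected_digest: str, algorithm: str = "md5") -> bool:
    """Boolean form of the same check: False on digest mismatch or a bad archive."""
    try:
        unpack_image(packed, expected_digest, algorithm)
    except (ValueError, OSError, EOFError, zlib.error):
        return False
    return True


if __name__ == "__main__":
    # Constructed stand-in for a disk image: a header plus a repeating pattern,
    # enough to show compression and hashing without a real partition.
    image = b"MANUKA-DEMO-IMAGE\x00" + bytes(range(256)) * 4096
    packed, md5 = pack_image(image)
    print(f"raw {len(image)} bytes -> gzip {len(packed)} bytes, md5 {md5}")
    assert unpack_image(packed, md5) == image
    # A stale or swapped database record must be caught before the restore.
    print("intact with wrong digest?", image_is_intact(packed, "0" * 32))
```

The lab workflow on the "Use in Forensic Course Lab" slide (bits loaded to disk, then verified) is the same check from the student's side: `unpack_image` should be the only path that produces bytes for the target drive, so a mismatch can never be silently written.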

System Search

– Allows targeted access to system information

– Search by system metadata

– Retrieves all matching systems

System and Installation Details

– Allows access to system data

• general information

• vulnerabilities

• installation details

Stored Data Management

– User updates

• Operating Systems

• Operating System Versions

– Automatic updates

• Vulnerabilities
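The System Search, System and Installation Details, and Stored Data Management slides together sketch the metadata the Manuka database keeps (systems, their operating system and version, clean and compromised installations, and the vulnerabilities attached to them) and the search-by-attribute query over it. The following is an added example, not the project's code: the slides say the server uses MySQL, but sqlite3 is used here so it runs offline, and the SQL stays in the subset both engines accept. Table and column names, the three sample systems, the digests, and the `CVE-0000-000N` identifiers are all constructed for the demo. The security point it shows is that attribute *names* come only from a fixed whitelist and attribute *values* only travel as bound parameters, so a search form can never splice user text into the SQL.

```python
# Added example (not Manuka project code): a stand-in for the Manuka
# database's metadata model and its search-by-attribute query, using sqlite3
# in place of the MySQL server the slides describe. All records are constructed.
import sqlite3

SCHEMA = """
CREATE TABLE system (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    os         TEXT NOT NULL,        -- maintained through the user-update path
    os_version TEXT NOT NULL
);
CREATE TABLE installation (
    id        INTEGER PRIMARY KEY,
    system_id INTEGER NOT NULL REFERENCES system(id),
    kind      TEXT NOT NULL CHECK (kind IN ('clean', 'compromised')),
    parent_id INTEGER REFERENCES installation(id),   -- compromised -> its clean original
    md5       TEXT NOT NULL,                          -- digest of the raw bit image
    notes     TEXT
);
CREATE TABLE vulnerability (
    installation_id INTEGER NOT NULL REFERENCES installation(id),
    cve             TEXT NOT NULL      -- maintained through the automatic-update path
);
"""

# Whitelist of search attributes -> the column each maps to. Only these keys
# may appear in a query, so a caller-supplied attribute name never reaches the
# SQL text; attribute values are always bound as parameters.
SEARCHABLE = {
    "os": "s.os",
    "os_version": "s.os_version",
    "kind": "i.kind",
    "md5": "i.md5",
    "cve": "v.cve",
}


def search_systems(conn: sqlite3.Connection, **criteria: str) -> list[str]:
    """Return the names of every system matching all of the given attributes."""
    unknown = set(criteria) - set(SEARCHABLE)
    if unknown:
        raise ValueError(f"not a searchable attribute: {sorted(unknown)}")
    sql = (
        "SELECT DISTINCT s.name FROM system s "
        "JOIN installation i ON i.system_id = s.id "
        "LEFT JOIN vulnerability v ON v.installation_id = i.id"
    )
    params: list[str] = []
    if criteria:
        clauses = []
        for key, value in criteria.items():
            clauses.append(f"{SEARCHABLE[key]} = ?")  # column from whitelist, value bound
            params.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY s.name"
    return [row[0] for row in conn.execute(sql, params)]


def build_demo_db() -> sqlite3.Connection:
    """In-memory database holding a few constructed records (not real systems or CVEs)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO system VALUES (?, ?, ?, ?)", [
        (1, "System A", "Red Hat Linux", "6.2"),
        (2, "System B", "Red Hat Linux", "7.3"),
        (3, "System C", "Windows", "2000"),
    ])
    conn.executemany("INSERT INTO installation VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, "clean",       None, "0a" * 16, "baseline honeypot image"),
        (2, 1, "compromised", 1,    "0b" * 16, "annotated after the intrusion"),
        (3, 2, "clean",       None, "0c" * 16, None),
        (4, 3, "clean",       None, "0d" * 16, None),
    ])
    conn.executemany("INSERT INTO vulnerability VALUES (?, ?)", [
        (1, "CVE-0000-0001"),   # placeholder identifiers, not real CVEs
        (3, "CVE-0000-0002"),
        (4, "CVE-0000-0002"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("Red Hat systems:", search_systems(db, os="Red Hat Linux"))
    print("systems carrying CVE-0000-0002:", search_systems(db, cve="CVE-0000-0002"))
    print("compromised 6.2 images:", search_systems(db, os_version="6.2", kind="compromised"))
```

The `parent_id` column is what the "Associate with existing system" step on the Upload Installation slide would populate: a compromised image points at the clean installation it was cloned from, so a search can walk from an incident back to the baseline it should be diffed against.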

Software Engineering Approach

Approach

• Extreme Programming

– Pair programming

• Methodology

– Development of user stories

– Estimation/prioritization of user stories

– Weekly iteration status meetings

– Monthly iteration planning meeting

– Working code

– Metrics collection

Methodology

• Development of user stories

• Estimation/prioritization of user stories

• Weekly iteration status meetings

• Monthly iteration planning meeting

• Working code

• Metrics collection

Project Plan

The Manuka Times

• Tasks due

• Current risks

• User story status

• Delayed tasks

• Acceptance tests results

Project Website

• Customer communication

• Release dissemination

• Access to

– source control

– bug tracking

– standards

– current iteration information

Conclusion

• Support tool for setup/imaging of distributed honeypots

• Support for Hands-on Forensics Lab Exercises

• Base for Future Honeypot Analysis and IRT toolkit

• Example of Extreme Programming Concepts in action

Questions?

http://staff.washington.edu/dittrich/misc/honeywall/