manuka project ieee ia workshop june 10, 2004. agenda introduction inspiration to solution manuka...
Post on 21-Dec-2015
216 views
TRANSCRIPT
Team Members
• Seattle University Masters in Computer Science & Software Engineering
– Amy Shephard– Christian Seifert– Don Nguyen – Jenks Gibbons– Jose Chavez
Sponsors
– University of Washington• Customer: Dave Dittrich
– Seattle University• Advisor: Barbara Endicott-Popovsky
Inspiration
• Honeynet Project “Forensic Challenge”– January 15, 2001
– Linux Red Hat 6.2
– Six partitions (1.8GB raw / 170MB gzip)
– Time to:• Root the box and rootkit (30 minutes)
• Analyze intrusion and report (30+ hours)
– Downloaded thousands of times
– Used in first SANS FIRE (Forensics course)
http://www.honeynet.org/challenge/index.html
Application #1
• 2004 NSF CCLI grant
– Highline Community College
– Seattle University
– University of Washington
• Computer and Network Forensics Courses
• Using real compromised honeypot images for
labs
Use in Forensic Course Lab
• Student boots lab system w/custom Linux bootable CD
• Chooses which compromised system to analyze
• Bits loaded to disk, verified
• Student performs analysis, answers specific questions (which are compared with analysis in database)
• Lather, rinse, repeat…
Application #2
• DistributedHoneynetusing Honeywalls
– “Clone” cleanhoneypot images
– Archive compromised honeypot images
– Automated honeypot forensics (future)
Application #3 (future)
• Distributed Incident Response Toolkit– Customizable (unique) ISO images
– Centralized control of analysis
– Remote drive acquisition
– Asynchronous and semi-automatic operation
Proposed Solution• Use standard x86 hardware (Knoppix)
• Bit-image copy of clean/compromised systems
• Provide integrity checking (MD5 hashes) and secure file transfer (SSH)
• Database storage (compressed)
• Database search by attribute (e.g., ID#, OS version, CVE #, etc.)
• Remotely retrieve/install bootable systems
• Customizable ISO (ala Honeywall)“Customizing ISOs and the Honeynet Project’s Honeywall,”http://staff.washington.edu/dittrich/misc/honeywall/
Manuka
Components
– Server• Linux, MySQL, Java
• Automated Manuka database server installation
– Client• Customized Knoppix CD-ROM (similar to
Honeywall)– Password protected– Secure login to database– Secure data transfer
Typical Use
• Upload clean1) Install new honeypot
2) Configure vulnerability profile (CVE #N)
3) Reboot w/Manuka CD, ID system, upload
• Download clean1) Boot w/Manuka CD
2) Select image and download
• Upload compromised1) Boot w/Manuka CD
2) Associate w/original, annotate, upload
Upload Installation
– Stores an installation in the Manuka database
– Clean Image• Specify system details• Specify installation details• Specify vulnerabilities
– Compromised Image• Associate with existing
system• Specify installation details
GZipCompressor
EncryptedSSH Tunnel
Manuka Database
Clean or Compromised SystemBooted with Knoppix CD
File Server : 9999
System ImageMetadata
System A, BA6512345AFAED2A3D4E11
System B, BA6512345AFAED2A3D4E11
Upload Component
MD5 Hash
CD33456765673FE23AD4F13
System C, CD33456765673FE23AD4F13
Download Installation
– Writes an installation to the specified drive
– Download Installation• Specify target, system,
and installation details• Wait…
GZipUnCompressor
EncryptedSSH Tunnel
Manuka Database
System to restore (Booted with Knoppix CD)
File Server : 9999
Binary FilesLocation
System A, BA651EF45AFAED2A3D4E11
System B, BA6512345AFAED2A3D4E11
Download Component
Image 3, CD33456765673FE23AD4F13
Request Binary Images Files
MD5 Hash
CD33456765673FE23AD4F13
System C, CD33456765673FE23AD4F13
System Search– Allows targeted
access to system information
– Search by system metadata
– Retrieves all matching systems
System and Installation Details– Allows access
to system data• general
information• vulnerabilities• installation
details
Stored Data Management
– User updates• Operating Systems• Operating System
Versions
– Automatic updates• Vulnerabilities
Approach
• Extreme Programming– Pair programming
• Methodology– Development of user stories
– Estimation/prioritization of user stories
– Weekly iteration status meetings
– Monthly iteration planning meeting
– Working code
– Metrics collection
Methodology
• Development of user stories
• Estimation/prioritization of user stories
• Weekly iteration status meetings
• Monthly iteration planning meeting
• Working code
• Metrics collection
The Manuka Times
• Tasks due• Current risks• User story status• Delayed tasks• Acceptance tests results
Project Website
• Customer communication
• Release dissemination• Access to
– source control– bug tracking– standards– current iteration
information