A new approach to enforce the security properties of a clustered high-interaction honeypot

This paper extends the authors' previous work on the security of a high-interaction honeypot. The challenge is to have a Security Property Language (SPL) for defining the properties required to control the activities between processes and resources. That language must allow the definition of security properties related to confidentiality, integrity and availability. Moreover, the SPL must be able to enforce the security of target Operating Systems. This is an open problem not only for the security of Operating Systems but also for the security of high-interaction honeypots. This paper shows that existing approaches fail to manage a large range of security properties. The first reason is that no SPL exists to express and enforce a large set of security properties. The second reason is that both protection and detection approaches fail to manage a large set of security properties. Our paper proposes PIGA-Protect, a new approach that controls the system calls in order to guarantee the requested security properties.
