A First Look: Using Linux Containers for Deceptive Honeypots

The ever-increasing sophistication of malware has made the collection and analysis of malicious binaries a necessity for proactive defense. Meanwhile, malware authors harden their binaries against analysis by incorporating environment detection techniques that identify whether the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it remains an open question how to remove the artifacts of virtual machines so as to build effective deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach: using Linux containers. Linux containers, in theory, carry minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments comparing Linux containers with bare metal and five major types of virtual machine. We measure the deception capability of Linux containers against mainstream virtual environment detection techniques. In addition, we empirically explore potential weaknesses of Linux containers to help defenders make more informed design decisions.
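The abstract contrasts two classes of artifact: those a hypervisor leaves in the kernel's view of the hardware (DMI strings under /sys/class/dmi/id, the CPUID hypervisor-present bit that the kernel reports as the `hypervisor` flag in /proc/cpuinfo), and those a container runtime leaves in its own namespace (/proc/1/cgroup paths, /.dockerenv, an overlayfs root in /proc/mounts). The following is an added example, not code from the paper, of the checks a malware sample might run on Linux; the marker tables, the sample inputs and the function names are constructed for illustration, and the file paths are the standard Linux locations. A container on a bare-metal host passes the first class of check because it shares the host kernel, while the second class is what the paper's "potential weaknesses" refer to.

```python
# Added example (not from the paper): what a binary's environment checks see
# on a VM versus inside a Linux container on a bare-metal host.
import os

# Constructed list of well-known hypervisor markers in DMI sys_vendor /
# product_name strings (assumption: heuristic substring matching, not exhaustive).
VM_DMI_MARKERS = (
    ("vmware", "VMware"),
    ("virtualbox", "VirtualBox"),
    ("qemu", "QEMU"),
    ("kvm", "KVM"),
    ("xen", "Xen"),
    ("parallels", "Parallels"),
    ("virtual machine", "Hyper-V"),   # Hyper-V guests report product_name "Virtual Machine"
)

# Constructed container markers found in /proc/1/cgroup paths.
CONTAINER_CGROUP_MARKERS = (
    ("kubepods", "kubernetes"),
    ("docker", "docker"),
    ("containerd", "containerd"),
    ("lxc", "lxc"),
)


def classify_dmi(sys_vendor, product_name):
    """Return the hypervisor family named in the DMI strings, or None (bare metal)."""
    haystack = f"{sys_vendor} {product_name}".lower()
    for needle, family in VM_DMI_MARKERS:
        if needle in haystack:
            return family
    return None


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """True if the kernel reports the CPUID hypervisor-present bit (CPUID.1:ECX[31])."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def cgroup_container_runtime(cgroup_text):
    """Return the container runtime suggested by /proc/1/cgroup paths, or None.

    Handles both cgroup v1 lines ("12:pids:/docker/<id>") and the single
    cgroup v2 line ("0::/system.slice/docker-<id>.scope").
    """
    for line in cgroup_text.splitlines():
        path = line.rsplit(":", 1)[-1].lower()
        for needle, runtime in CONTAINER_CGROUP_MARKERS:
            if needle in path:
                return runtime
    return None


def root_is_overlay(mounts_text):
    """True if '/' is mounted as overlayfs, the usual sign of a container image layer."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/" and fields[2] == "overlay":
            return True
    return False


def fingerprint(sys_vendor, product_name, cpuinfo_text, cgroup_text,
                dockerenv_exists, mounts_text):
    """Combine kernel-level VM artifacts with container-specific artifacts."""
    hypervisor = classify_dmi(sys_vendor, product_name)
    if hypervisor is None and cpuinfo_has_hypervisor_flag(cpuinfo_text):
        hypervisor = "unknown hypervisor"   # CPUID bit set but DMI strings scrubbed
    runtime = cgroup_container_runtime(cgroup_text)
    if runtime is None and dockerenv_exists:
        runtime = "docker"
    if runtime is None and root_is_overlay(mounts_text):
        runtime = "unknown container runtime"
    return {"hypervisor": hypervisor, "container": runtime}


def _read(path, default=""):
    """Read a pseudo-file, returning default if it is absent (e.g. non-Linux hosts)."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def live_probe():
    """Run the same checks against the running system (meaningful on Linux only)."""
    return fingerprint(
        _read("/sys/class/dmi/id/sys_vendor"),
        _read("/sys/class/dmi/id/product_name"),
        _read("/proc/cpuinfo"),
        _read("/proc/1/cgroup"),
        os.path.exists("/.dockerenv"),
        _read("/proc/mounts"),
    )


if __name__ == "__main__":
    print(live_probe())
```

Run inside a Docker container on a physical host, `live_probe()` returns a hypervisor of `None` and a container of `docker`: the DMI and CPUID checks are answered by the host kernel, so a VM detector alone is deceived, but the cgroup, /.dockerenv and overlayfs checks expose the container. Real samples also inspect MAC address OUIs, PCI device IDs, loaded kernel modules and instruction timing, so a deployment should be measured against a broader set of checks than this sample shows.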
