- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
Please note that GSoC 2011 has now successfully completed. This content is being retained for reference only.
Below is an overview of a number of current projects ideas that we are keen to develop during 2009. We are also always interested in hearing any ideas for additional relevant honeynet-related R&D projects (although remember to qualify for receiving GSoC funding it needs to fit in to Google's 3-month project timescales!). If you have a suitable project and we have the right resources to mentor it, we'd also be happy to support you.
Each sponsored project will have one or more mentors available to provide a guaranteed contact point plus one or more technical advisors to help applicants with the technical direction and delivery of the project (often the original author of the tool or its current maintainer, and usually someone recognised as an international expert in their particular field). Our Google Summer of Code administrator Lance Spitzner will also be available to all sponsored GSoC students for general advice and logistical support. For all questions about the Honeynet Project, the GSoC program or our projects, please contact us at [email protected] To learn more about the Google Summer of Code event, see the GSoC Website.
The initial goal of this project is to integrate the Pyprofjsploit proof of concept into phoneyc and then complete a number of missing PHoneyC features and improvements before formally releasing it publicly. Depending on the number of volunteers available, there are some additional features that we would like to also pursue:
Analyze the detailed internals of new client-side vulnerabilities, generate predicate signatures that reflect the essentials of these vulnerabilities for detection, and improve current honeyclient simulation and exploit detection mechanisms.
Mentors: Georg Wicherski (DE) and Jose Nazario (US)
Honeynet Project members have developed a number of solutions for emulating vulnerable computer systems and automatically collecting attacks against them. Honeypots such as Nepenthes and HoneyTrap have proven to be successful at capturing known attacks, but have generally proved difficult to extend and add signatures to for newly discovered vulnerabilities. They have also struggled to reliably detect and capture previously unknown, zero day exploits. Shellcode emulation in LibEmu has helped, but integration with existing honeypots has been demanding.
We are currently working on a new low-interaction server honeypot which builds on the lessons learned to date. This will include detection of unknown attacks via LibEmu and better updatability and scalability. The goal of this project is to advance this next generation low interaction server honeypot to the working prototype stage. We believe that this project is important because existing low interaction honeypots are used by a wide range of researchers and organisations to study internet attacks, so increasing attack detection rates will potentially benefit many people with interests in this area.
C programming, Python programming, understanding Windows x86 shellcode.
Previous experience with Nepenthes, HoneyTrap and LibEmu would be very useful
Mentor: Paul Baecher (DE)
Technical Advisors: Georg Wicherski (DE)
Capture-HPC is one of our most actively developed public projects. Capture-HPC provides a method of driving a real high interaction windows system running within a virtual machine to potentially malicious websites, obtained from sources such as spam or DNS typosquatting. State changes to the VM are monitored and malicious activity is detected by measuring unexpected changes. It is regularly used in surveys of malicious websites and has been extended to support a number of Internet enabled applications and file formats. CaptureBAT is the original behavioural analysis tool that Capture-HPC is based on, using Windows API hooking to monitor state.
The goal of this project would be to continue the current planned development of Capture-HPC and CaptureBAT, in the areas of improving data logging and operational management, adding network API hooking, improving stateful operations (pause, failover, etc) and moving result data storage from flat file to a suitable database solution. We also seek input for the future development roadmap of Capture-HPC v3, for which we currently plan to add:
We believe that continuing to improve Capture-HPC will encourage more automated analysis of malicious websites, helping to detect new generations of client focused attacks and further improve web browser security for Internet users.
C programming, Java programming, familiarity with Windows and Internet Explorer internals
Mentor: Peter Komisarczuk (NZ) and Ian Welch (NZ)
Honeynet Project members have developed a number of leading open source client honeypot solutions for analysing potentially malicious web sites. However, these tools are generally stand alone in nature and do not provide a number of features necessary for large scale, long running analysis excercises such as crawling the top N web sites from Google in a particular category each each day and reporting activity trends. The current tool construction also does not encourage centralised submission of suspect URLs and web based reporting.
The goal of this project would be to implement a web based management layer for registering existing instances of client honeypots, submitting URLs for analysis, scheduling analysis runs, persisting results data, summarising trends and presenting the results to to multiple users. Prototype user stories, designs, etc are available, as is access to client honeypot data, but we would welcome additional input on the best means of managing client honeypot workflow and presenting this information through a web interface.
Web development skills in appropriate technologies
Mentor: Peter Komisarczuk (NZ), Ian Welch (NZ) and David Watson (UK)
Sebek is the de-facto open source honeypot monitoring tool and was developed and released by The Honeynet Project. Sebek is a kernel module that is installed on high-interaction honeypots for the purpose of collecting I/O activity. Sebek allows administrators to collect attackers' activities, such as keystrokes and API calls on the system. However, currently Sebek has a number of problems, which include: operational instability, lack of invisibility, potential for detection by correlation with network activities and lack of regular maintenance and development on some platforms. Collectively this means that today Sebek does not satisfy all the requirements for stealthy and stable high interaction honeypot monitoring, especially for the win32 high-interaction honeypots.
While you can submit a proposal for whatever cool idea you would like to improve our current high interaction data collection capabilities, here are a few suggestions that would be extremely helpful to the Sebek project and its users. Basically, they fall into two categories: improvement of the current kernel rootkit based approach and development of a new virtualization based approach. These suggested ideas are in no particular order.
Sebek currently lacks regular maintenance. The Sebek development team has been relatively inactive after the release of Honeywall GenIII version in 2006, only really patching bugs rather than developing new features. For the Win32 client on recent OS releases, the situation is even worse - it is unstable, which badly limits its practical deployment and usage. We would like some developers with experience of kernel driver development and testing to help us with a concerted drive this Summer to find any remaining lurking bugs and fix them. We also hope developers could make Sebek Win32 client support modern Windows OS better, such as XP and Vista, which should be an interesting technical challenge.
Sebek's stealth could definitely be improved. It can currently be detected, subverted and disabled by a determined attacker. Tan Chew Keong has presented several techniques to detect the existence of Sebek Win32 client. We need some experienced kernel driver developers to help us improve the stealth of Sebek client by replacing the old fashioned rootkit mechanism with one of the more powerful techniques that have evolved in the last few years. We have a number of candidate ideas and prototypes, so we hope to be able to improve the difficulty of detecting or subverting the Sebek client in the future.
Another current weakness with Sebek is the easy correlation of system activities with the network activities. It is currently hard to determine the relationship between monitored system calls and network connections, especially for keystrokes, where the parent process that receives data from the network is not necessarily the child process that actually uses the data. Developers are needed for improving the data capture mechanism and improving the identification of the network source of captured keystrokes.
The same goals as per the Win32 version above, but for the Linux 2.6 kernel family.
A virtualization based approach to high interaction data collection potentially provides us with better invisibility (it is almost impossible to determine whether you are monitored by a hyperviser or not), better isolation (it is much harder to compromise a hyperviser than compromising Sebek running with a VM) and better introspection (it is extremely difficult to fool or bypass the monitoring if this occurs external to the processes running in a VM). We need talented, creative developers to develop hooking mechanisms for Virtual Machine Monitors as the infrastructure of high interaction data capture. There is no requirement for VMM, developers will decide this based on their experience, but we would like the hooking to be as stealthy as possible. Again, we have a number of internal prototypes and possible VMM solutions include QEMU, Xen, KVM and VirtualBox, but we are open to suggestions.
Although virtualization based solutions to high interaction data capture have many advantages, the data captured at the virtualization layer is low level and lacks the usual semantic information available within a traditional OS rootkit. We need capable developers to help us develop the code to reconstruct OS level information (e.g. process information, file system information) from the raw data (e.g. memory values, disk values) captured by the virtualization-based Sebek, so this project offers plenty of technical challenge. We think that this project is important as it will help to improve high interaction data capture capabilities, potentially decrease the chance of honeypot detection in areas such as sandboxing and malware analysis and will also provide positive input into the hyperviser and kernel development community.
C programming, kernel driver programming, familiarity with Windows or Linux internals, virtualisation.
Mentors: Brian Hay (US, Win32/VMI), Rob McMillen (US, Linux), Eugene Teo (SG, Linux), Georg Wicherski (DE, VMI)
In May 2008, the Honeynet Project released a new tool called nebula. The program implements a new concept for automatic intrusion signature generation based on data from honeynets and honeypots. Automatic IDS signature engineering becomes more important as attack trends change very fast nowadays, making it impossible to keep up
with manually written rules. Generating signatures from attack traces is one of the most interesting data analysis tasks. While signature generation is a hot scientific topic, the outcomes of a project can be an immediate contribution to practical network security if the tools are used to detect and block intrusion attempts.
Nebula implements a general signature generation framework based on efficient automatic classification for identifying unique classes per attack type. In a second step, information common to all members of a cluster are extracted. Finally, a signature is composed of these. The approach allows to correlate data without any further knowledge about the input which is a general requirement for signatures that match previously unknown attacks.
With the first nebula release it was shown that generated signatures can be used in the snort IDS to detect or block other intrusion attempts. While the current nebula version can already be set up in a distributed sensor setup, it must still be seen as a proof-of-concept. Past development aimed at implementing the core algorithms in a stable
and efficient way. For the time being integration into production setups had low priority. A submission plugin is currently only available for honeytrap , but tests with argos netlogs, malware binaries showed that in principle the method works with other input as well.
Plans are to mprove nebula such that it better supports data analysis as a central collector in a distributed, heterogeneous sensor setup. The concrete goals are:
To develop a public web-based signature archive, o to further develop the nebula daemon, in particular:
- improve the attack processing system with respect to speed,
- implement additional metrics for automated attack classification,
- add a white-listing feature that allows to exclude certainpatterns from the
- generation process for false-positive prevention,
To develop a nebula client C library for easy nebula integration in other applications,
To develop extensions to other honeypot sensors (primarily nepenthes) such that they can contribute attack data to a signature generator,
To create a honeywall addon (as snort preprocessor for inline usage) for central passive data collection and nebula attack submission.
C programming, good knowledge of network traffic protocols and IDS signatures
Mentor: Felix Leder (DE)
Honeynet Project members have developed a number of leading open source low interaction honeypot solutions that are used to automatically record data about network based malware attacks, such as Nepenthes and HoneyTrap. We have a number of active international sensor deployments to collect malware globally and are in the process of rolling out a larger low interaction sensor network during 2009. However, currently there is no publicly available web based reporting interface available for users of low interaction sensor systems.
The goal of this project would be to implement a web based user interface and management reporting tool to allow analysts to easily explore large amounts of malware data. Typical tasks will be to search for high level trends (growth of a particular malware strain over time, attacks from a certain location on a particular day, etc). End users will be the operators of malware collection sensors or interested analysts within the secuirty community.
As input, the system will take reasonably simple CSV type data from low interaction malware sensors (such as timestamp, source IP, attack type, attacker IP address, MD5sum, etc in the form of an HTTP POST). This data is then automatically enriched by submitting the malware binary samples to multiple sandbox and antivirus engines for analysis (both public and private). The output from this post processing analysis is usally returned as XML or text after a short period, by HTTP or email. We also perform IP geo-location and ASN resolution against IP address to provide more information about sources, including latitude and longitutude for spatial mapping.
This data will be persisted in a database, procesed and then presented via a new web interface to multiple distributed analyst users. This interesting project and malware data set provides many potential data analysis, information presentation and information security data visualisation options for interested GSoC students. We have a number of prototype reporting interface examples available internally, or you are free to develop a new system from scratch. Background reading and design inspiration might be found by looking at how leading network security and antivirus vendors or opensource groups current present similar information, or by applying skills you bring to the project from your personal experiences and specialisms. Successful students will also be lucky enough to have access to a number of the leading subject matter experts in this field as technical advisors.
We believe that this project is important to the community as it will help researchers to more easily understand the types of attacks routinely occuring on the Internet today.
Probably Python and Javacript programming plus some database experience, although any suitable previous web development and user interface development experience would be good. We are happy to support whatever development toolkit you are most capable in, and follow a development approach of releasing small updates often, for maximum user feedback.
Mentor: David Watson (UK)
To process and analyze the vast amount of HoneyPot data, we have a set of visualization tools. Among them PicViz (http://www.wallinfire.net/picviz), which is a parallel coordinates plotter, AfterGlow (http://afterglow.sf.net) a tool that builds link graphs, and the Data Analysis and Visualization Linux (DAVIX) (http://davix.secviz.org), which is a live CD containing a large number of visualization tools.
Each of these three tools or projects are in need of specific additions and improvements:
PicViz: Python programming
AfterGlow: Flash, Web, (or Tcl/TK), Perl
DAVIX: UNIX/Linux, python/perl, parsers/regular expressions, HTML/Web applications
Mentors: Sebastien Tricaud (FR), Raffael Marty (US) and Kara Nance (US)
If you are interested in getting started, please:
You can find more information about the Honeynet Project at our About Us section, including links to our international chapters and their members. You can also subscribe to our blog to learn more about our recent R&D activities.