What's new on phoneyc (3)--- Mid-term Evaluation

05 Jul 2009 Zhijie Chen gsoc libemu phoneyc shellcode spidermonkey

Mid-term Report on PHoneyC GSoC project 1

Info: See https://www.honeynet.org/gsoc/project1 for project details.
Author: Zhijie Chen (Joyan) [email protected]
Mentor: Jose Nazario
Description: Mid-term Report on PHoneyC GSoC project 1. This report describes what I have done on PHoneyC’s libemu integration for shellcode and heapspray detection during the first half of the GSoC. Till now, the main ideas on this feature have been fast-implemented (actually I mean poor coding style) and the whole flow works well, with some code rewriting and performance optimization needed in the future.

Introduction

PHoneyC is a low-interaction honeyclient written by Jose Nazario. The
shellcode (SC for short) and heapspray (HS for short) detection module
for PHoneyC is listed on the GSoC this year and I feel lucky to be
chosen to implement it. This report is the main idea about how to
detect SC/HS in PHoneyC and how to build and run this version of
PHoneyC. Note that this module (I call it honeyjs) is far from
complete currently and this report is only for midterm evaluation. So
it is possible that the way to build and run it won’t work in the
future.

nebula - Client library and revised signature segment selection

08 Jun 2009 Tillmann Werner gsoc nebula

One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: a clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.

The first work package’s goal is to improve the overall signature quality. This can be achieved by tuning the core components, i.e. the clustering and the signature assembler. Further, nebula loses all state upon restart in its current version. The second goal is to make nebula state-aware and add the ability to save and load states.

Another PicViz improvement

05 Jun 2009 Victor Amaducci gsoc status

Hello all!

Currently I’m very busy with hard work on the PicViz GSoC tasks; nevertheless, I am still taking arbitrary tickets (tasks that I did not propose for GSoC) for this tool. Some small but very useful features were done.

First, picviz-gui has a set of rows that show data about plotted events and has a slider for hiding events. I got a ticket that required a connection between these, i.e., when the user moves the slider, Picviz should hide the rows (data) that refer to the event. And now this is done!

What's new in phoneyc (2)--- Shellcode and Heapspray Detection

01 Jun 2009 Zhijie Chen gsoc phoneyc shellcode spidermonkey

Hi folks:

I have written some basic shellcode and heapspray detection code in phoneyc’s ‘honeyjs’ JavaScript engine (based on python-spidermonkey, with extra tracing and auditing work). I also gave a presentation at the local Honeynet Chinese chapter last weekend. Details about my current approaches can be found in these slides: http://is.gd/J9QP

Z. Chen (Joyan)

PS: This post is also available on my personal blog: http://joyan.appspot.com/2009/06/1/whats_new_phoneyc_2_shellcode_detection.html

Honeybrid: combining low and high interaction honeypots

27 May 2009 Robin Berthier gsoc honeybrid

The goal of this post is to introduce myself and my project: my name is Robin Berthier and I just got my PhD from the University of Maryland. I’ll be working this summer on improving Honeybrid, a hybrid honeypot architecture. I’ve been working with honeypot technologies for the past 4 years, and Honeybrid represents a central part of my dissertation. 

Honeypots are usually divided into two categories according to the level of interaction they provide to attackers. First, we have low-interaction honeypots that emulate network services and collect the beginning of attack processes. Then we have high-interaction honeypots that are identical to production machines and collect detailed information about attacks. These two types of honeypot offer complementary advantages and limitations. The goal of Honeybrid is to combine the best of both worlds. As such, Honeybrid is a hybrid honeypot solution.

Introducing Glastopf, a Web Application Honeypot

27 May 2009 Lukas Rist glastopf gsoc honeypot

Hello, this initial blog post is used to introduce me and to provide a brief overview of my GSoC Project.

My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslautern in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot.

Glastopf is a minimalistic web server emulator written in Python. The honeypot tool collects information about web application-based attacks such as remote file inclusion, SQL injection, and local file inclusion attacks.

HoneyWeb, a web interface to manage client honeypots

26 May 2009 Thibaut Gadiolet client gsoc honeypot honeyweb

Hi folks!

As the GSoC has started, this blog entry will introduce myself and my project to you.

My name is Thibaut, I am still a student like all GSoC participants I guess, and I belong to the ENSI of Bourges (France). I took one year off to do research at the University of Maryland (USA) in the IT security field, especially in honeypots.

About my GSoC project, here is a short description of it:

What's new in phoneyc's shellcode detection (1)--- Tracing spidermonkey

25 May 2009 Zhijie Chen gsoc phoneyc shellcode spidermonkey

1. Overview

As I wrote in my project outline (https://www.honeynet.org/gsoc/project1), I should have done some basic enhancements and experiments on python-spidermonkey for more fine-grained tracing of spidermonkey. So till now what I have done on it includes:

a. Implemented the get_globj method in the Context class, which enables one to ‘pull’ all the properties of the global object inside spidermonkey (namely the global variables, because all the global variables are properties of the global object) into the Python context.

First Improvement of PICVIZ is done

19 May 2009 Victor Amaducci gsoc

Hi all!

As defined in the GSoC proposal, the first step was to prepare PicViz-Gui to allow changing the axes order, including adding duplicated axes. Even before the start of the coding process, this feature is done. I hope this is a little sign that we’ll have success in all the tasks that were defined. See a shot:

axis0, As first and last.

Axes reorder

I have no time for this yet, but soon I’ll post new shots of this feature.

GSoC 2009 Student Slots Announced

20 Apr 2009 David Watson gsoc

The results for Google Summer of Code 2009 are out and the Honeynet Project are very excited to have been allocated 9 official slots by Google. You can view the project selection here:

http://socghop.appspot.com/org/home/google/gsoc2009/honeynet

Congratulations to all the students accepted for GSoC 2009, and commiserations to those who didn’t make it this time. We had many more applicants than slots, making the final selection very tough, so we hope everyone who applied will still consider getting involved in open source software and honeynet research. Even if you didn’t get an allocated slot, please get in touch if you would still like to get involved. Project mentors and Honeynet Project members may well still be interested in mentoring your project ideas, plus as a volunteer organisation we always welcome new input.