Honeypots mailing list archives
Re: Client Honeypot Patent
From: "Alexandre Dulaunoy" <adulau () gmail com>
Date: Mon, 24 Dec 2007 12:52:00 +0100
On Dec 21, 2007 8:07 PM, Lance Spitzner <lance () honeynet org> wrote:

> CLAIM #1
> ========
> A system comprising: a browser that is capable of visiting network locations as represented by uniform resource locators (URLs); and a browser-based vulnerability exploit detector that directs the browser to visit a given URL by making an information request to the given URL; the browser-based vulnerability exploit detector adapted to detect if the given URL accomplishes an exploit on the system after the browser makes the information request to the given URL.
http://www.ics.forth.gr/dcs/Activities/papers/replay.pdf (published in 2005 and presented at Usenix Security '05).

"The Shadow Honeypot architecture is a systems approach to handling network-based attacks, combining filtering, anomaly detection systems and honeypots in a way that exploits the best features of these mechanisms, while shielding their limitations. We focus on transactional applications, i.e., those that handle a series of discrete requests. Our architecture is not limited to server applications, but can be used for client-side applications such as web browsers, P2P clients, etc. As illustrated in Figure 2, the architecture is composed of three main components: a filtering engine, an array of anomaly detection sensors and the shadow honeypot, which validates the predictions of the anomaly detectors. The processing logic of the system is shown graphically in Figure 3."

and

"4.1.0.2 Mozilla Firefox

For the evaluation of the client case, we used the Mozilla Firefox browser. For the initial validation tests, we back-ported the recently reported libpng vulnerability [7] that enables arbitrary code execution if Firefox (or any application using libpng) attempts to display a specially crafted PNG image. Interestingly, this example mirrors a recent vulnerability of Internet Explorer, and JPEG image handling [6], which again enabled arbitrary code execution when displaying specially crafted images. In the tightly-coupled scenario, the protected version of the application shares the address space with the unmodified version. This is achieved by transforming the original source code with our DYBOC tool. Suspicious requests are tagged by the ADS so that they are processed by the protected version of the code as discussed in Section 3.2. For the loosely-coupled case, when the AD component marks a request for processing on the shadow honeypot, we launch the instrumented version of Firefox to replay the request.

The browser is configured to use a null X server as provided by Xvfb. All requests are handled by a transparent proxy that redirects these requests to an internal Web server. The Web server then responds with the objects served by the original server, as captured in the original session. The workload that the shadow honeypot can process in the case of Firefox is determined by how many responses per second a browser can process and how many different browser versions can be checked."

They use a client honeypot to validate the input captured before. There is the "vulnerability exploit detector" and testing whether the exploit is successful or not. Maybe useful as prior art? What's the official "grace period" in the US for filing a patent after a scientific publication?

Hope this helps,

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
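Added example (editor's code, not from the FORTH paper, from the patent claim, or from this thread): a minimal replay server that plays the role of the "transparent proxy that redirects requests to an internal Web server" in the quoted Firefox setup. Objects captured from the original session are stored keyed by URL and served back to the instrumented browser; anything not in the capture is refused so the shadow never touches the live site. Everything here is an assumption of mine rather than the paper's design: plain HTTP only (no CONNECT/TLS), the capture is a constructed in-memory dict (example.test, a fake PNG), and the shadow browser is simulated with urllib instead of Firefox under Xvfb.

```python
"""Replay server for a shadow client honeypot (added example, not the paper's code).

Stands in for the transparent proxy + internal Web server of the quoted text:
captured responses are keyed by URL and replayed to the shadow browser.
Assumptions (mine): plain HTTP only; constructed sample capture; urllib as browser.
"""

import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit, urlunsplit


def canonical(url: str) -> str:
    """Capture key: lower-case scheme/host, default path '/', fragment dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class CapturedSession:
    """Objects 'served by the original server, as captured in the original session'."""

    def __init__(self):
        self._objects = {}

    def record(self, url, status, headers, body):
        self._objects[canonical(url)] = (status, dict(headers), bytes(body))

    def lookup(self, url):
        return self._objects.get(canonical(url))


def make_handler(session):
    """Build a request handler bound to one captured session."""

    class ReplayHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the shadow quiet
            pass

        def requested_url(self):
            # Transparent mode: 'GET /path' plus a Host header.
            # Explicit-proxy mode: the request line already carries the absolute URL.
            if self.path.startswith("http://"):
                return self.path
            return "http://" + self.headers.get("Host", "") + self.path

        def do_GET(self):
            hit = session.lookup(self.requested_url())
            if hit is None:
                # Not in the capture: refuse rather than fetch from the live net.
                self.send_response(502)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            status, headers, body = hit
            self.send_response(status)
            for name, value in headers.items():
                if name.lower() not in ("content-length", "transfer-encoding", "connection"):
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return ReplayHandler


def start_replay_server(session):
    """Bind an ephemeral loopback port and serve the capture from a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(session))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def shadow_fetch(url, port):
    """Stand-in for the instrumented browser: the request goes to the replay
    server on loopback, carrying the Host header of the original site."""
    p = urlsplit(url)
    req = urllib.request.Request(
        urlunsplit(("http", f"127.0.0.1:{port}", p.path or "/", p.query, "")),
        headers={"Host": p.netloc})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def build_sample_session():
    """Constructed two-object capture (not real traffic)."""
    s = CapturedSession()
    s.record("http://example.test/index.html", 200, {"Content-Type": "text/html"},
             b"<html><body><img src='/evil.png'></body></html>")
    # Stand-in for a hostile image: PNG signature plus padding, no real exploit.
    s.record("http://example.test/evil.png", 200, {"Content-Type": "image/png"},
             b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return s


def replay_session(urls):
    """Serve the sample capture, replay each URL, return {url: HTTP status}."""
    srv = start_replay_server(build_sample_session())
    try:
        return {u: shadow_fetch(u, srv.server_address[1])[0] for u in urls}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(replay_session(["http://example.test/index.html",
                          "http://example.test/evil.png",
                          "http://example.test/missing"]))
```

The 502 on an uncaptured URL is the point of the design: a shadow that is allowed to fall through to the real network would both leak that it exists and make the replay non-reproducible. A real deployment would key on the full request (method, query, relevant headers) and replay in the captured order, since the paper's throughput note depends on serving each response exactly as the browser saw it.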
Current thread:
- Client Honeypot Patent Lance Spitzner (Dec 21)
- Re: Client Honeypot Patent Cedric Blancher (Dec 23)
- Re: Client Honeypot Patent PCSC Information Services (Dec 23)
- Re: Client Honeypot Patent Alexandre Dulaunoy (Dec 24)