Argos – Emulator for Zero-Day Attacks

By | May 25, 2007

Argos is a full and secure system emulator designed for use in Honeypots. It is based on QEMU, an open source processor emulator that uses dynamic translation to achieve a fairly good emulation speed.

We have extended QEMU to enable it to detect remote attempts to compromise the emulated guest operating system. Using dynamic taint analysis Argos tracks network data throughout the processor´s execution and detects any attempts to use them in a malicious way. When an attack is detected the memory footprint of the attack is logged and the emulators exits.

Argos is the first step to create a framework that will use next generation honeypots to automatically identify and produce remedies for zero-day worms, and other similar attacks. Next generation honeypots should not require that the honeypot´s IP address remains un-advertised. On the contrary, it should attempt to publicise its services and even actively generate traffic. In former honeypots this was often impossible, because malevolent and benevolent traffic could not be distinguished. Since Argos is explicitly signaling each possibly successful exploit attempt, we are now able to differentiate malicious attacks and innocuous traffic.

Leave a Reply