Eudaemon: dynamic user-space process possession and instrumentation
I recently came across an interesting paper by researchers at Vrije University in Amsterdam (the hosts for last month’s WOMBAT workshop). It details a project they call “Eudaemon” (a good spirit from Greek mythology) which borrows from the heavily instrumented system-wide dynamic taint analysis approach of the Argos honeypot but instead ports Argos’s dynamic taint analysis engine to a user-space emulator called SEAL. Individual suspect processes within a high interaction honeypot can be marked for “possession” by Eudaemon, are temporarily frozen then are passed into SEAL for dynamic taint checking (by transparently pre-loading the emulator library into the memory space for every process and using ptrace to attach to the frozen process) and can be subsequently released cleanly once detailed instrumentation complete. Their initial benchmarks show significant performance improvements over Argos’s system-wide approach (which typically slows down a running virtual machine by an order of magnitude or more), and this appears to be the first security system that allows fully native applications to be switched into emulated operation mid-process. Definitely worth a read from a high interaction honeypot perspective (particularly for client honeypot applications), and I’m looking forward to seeing working code.