Argos

Introduction

Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.

Argos extends Qemu to enable it to detect remote attempts to compromise the emulated guest operating system. Using dynamic taint analysis it tracks network data throughtout execution and detects any attempts to use them in an illegal way. When an attack is detected the memory footprint of the attack is logged.

Argos is the first step to create a framework that will use next generation honeypots to automatically identify and produce remedies for zero-day worms, and other similar attacks. Next generation honeypots should not require that the honeypot's IP address remains un-advertised. On the contrary, it should attempt to publicise its service and even actively generate traffic. In format honeypots this was often impossible, because malevolent and benevolent traffic could not be distinguished. Since Argos is explicitly signalling each possibly successful exploit attemp, we are now able to differentiate malicious from innocuous traffic.
General features

Does not require any modification of the guest operating system
Supports multiple guest operating systems including Linux, Windows 2000 and Windows XP (all QEMU supported guest OSes)
Emulates x86 processors, including MMX, SSE and SS2 extensions
Runs on multiple OSes (Linux/Unix, Windows) and CPUs (x86, x86_64, PowerPC)

Dynamic taint analysis

Detects arbitrary control flow attacks
Detects arbitrary code execution attacks
Handles DMA
Hanldes user/kernel space memory mappings