GSoC/GCI Archive
Google Summer of Code 2011

The Honeynet Project

Web Page: http://www.honeynet.org/gsoc/ideas

Mailing List: https://public.honeynet.org/mailman/listinfo/gsoc

Honeynet Project

Founded in 1999, The Honeynet Project is an international, non-profit (501c3) research organization dedicated to improving the security of the Internet at no cost to the public.

For the past ten years everything we have done and continue to do is based on the principles of opensource and volunteer efforts. Our bylaws specifically state any software or papers developed and published by the organization must be licensed as open source and made freely available to the community.

Our goal is to help coordinate the development, deployment, advancement and research findings of honeypot related technologies. With over thirty chapters, one hundred members and twenty opensource research projects around around the world, we are a highly diverse and international organization.

Simply put, our goal is to make a difference. We accomplish this goal in the following three ways:

Awareness We raise awareness of the threats and vulnerabilities that exist in the Internet today. Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why. We provide this information so people can better understand they are a target, and understand the basic measures they can take to mitigate these threats. This information is provided through our Know Your Enemy series of papers.

Information For those who are already aware and concerned, we provide details to better secure and defend your resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system. We provide this service through our Know Your Enemy whitepapers and our Scan of the Month challenges.

Tools For organizations interested in continuing their own research about cyber threats, we provide the tools and techniques we have developed. We provide these through our Tools Site.

Learn more at http://www.honeynet.org.

Google Summer of Code 2011

This year in Google Summer of Code we have a wide range of project ideas and we are also interested in your ideas that advance the community knowledge into new areas. Our projects and skill sets cover a wide range of programming languages (C, C++, python, PHP, perl, java, javascript, Processing, etc), database/SQL, IP networking, kernel and device driver development, UI and web interface development, databases, IDS, data visualisation, etc. Project idea difficulty can range from fairly challenging, low level root kit / kernel / hypervizor modification type projects that are likely to appeal to pretty confident programmers, through to less code intensive but equally interesting data analysis and presentation projects building effective user interfaces.

If you want to find out more, take a look at our project ideas web page, subscribe to our blog and public GSoC questions mailing list come and say hello on the #gsoc2011-honeynet IRC channel on irc.freenode.net (you can connect via webchat if you are behind a firewall or don't have a command line client too). There should be a mix of organisational admins, project mentors, past successful GSoC students, general Honeynet Project members and prospective students, so feel free to ask questions and we will always try and get back to you. If you are new to IRC, try reading an online primer but don't be worried, we'll be happy to help you get up to speed.

Our code repository can be found here: http://code.google.com/p/google-summer-of-code-2011-honeynet-project/

Projects

  • An Android Application Sandbox for Dynamic Analysis In recent time there has been an increase of malicious Android applications and therefore, there is a need for a tool providing initial perspective on a package's behavior. The sandbox would utilize static pre-check, dynamic taint analysis and API monitoring. Data leaks can be detected by tainting sensitive data and placing taint sinks throughout the API. Additionally, by logging API function parameters and return values, a potential malware can be discovered and reported for further analysis
  • Cuckoobox The goal of this project is to improve some of Cuckoobox features. The main proposal is to create a new component that will hide Cuckoo's components and avoid simple detection techniques employed by malware. It will be implemented as a Windows Kernel Driver.
  • Extending Wireshark
 Analysis I will work on extending wireshark with three proposed plugins: WireShnork, WireSpade and WireViz. If time permit I'll try to build WireTables plugins, which work like WireShnork but use iptables rules
  • Honeynet Visualization (Project #3) Develop a GIS based visualization of Honeynet streams to show real-time attacks happening across the world.
  • Hypervisor data collection This project will involve porting the VIX tools from Xen to KVM as well as developing tool to dynamically determine the location of kernel structs.
  • Improving shellcode emulation performance Libemu is a library used for shellcode analysis. One of its main features is the extraction of OS-API calls, with which one can get a quick hint in what way shellcode acts, without the need to look at assembler code. To figure out the function calls, Libemu executes shellcode with a build in emulator, resulting in the downside that this is rather slow. The aim of this project is to enhance the performance of libemu by using a virtualizer.
  • Network Sinkhole (Project #13). A network sinkhole is designed to emulate existing services to analyse and log attacks. It must be able to take on large amounts of incoming connections and data without trouble as it is purposely put in the face of network attacks.
  • Project 1 - Improve our high interaction client honeypot Capture-HPC To solve this problem, I will develop a new plug-in that can meet any function call requests. When calling the GetIDsOfNames, it can return the ID based on any name of function. Meanwhile, this plug-in need return different class factory objects to simulate different plug-ins, so that meet the identity .COMSniffer use object address as object id.
  • Project 16 - VoIP low interaction server honeypots This project is about the further development of the sip module for dionaea to support more scanning tools and also handle client registrations and calls. It is also important to capture the rtp data and to convert the captured data into an audio file like wave or ogg.
  • Project 2 - HonEeeBox Data Management Interface Creating a central public web-based malware information service, based on continuous data aggregation from the Honeynet Project sensor network and related third party malware information services.
  • Static Analysis of Android Malware Nowadays Android malware is more and more threatening and so we would like to provide a powerful tool for analyzers to analyze the samples manually. To implement a prototype GUI to aide static analysis, I’d like to use PyQT as the framework of the prototype. Because PyQT provides a complete interface to QT applications and python can interact with androguard easily. We can reuse some androguard’s codes. Other features are presented, such as syntax highlighting and so on.
  • Web based visualization for malware/attack analysis My aim will be to develop a web based visualization that will have 3D mesh structure with heatmap tiles. The visualization will have time based changes so that according to time-series event it will be possible to see the malware distribution/attack geographic distribution