This page contains a list of potential project ideas that we are keen to develop during GSoC 2013 (we also have additional project ideas currently undergoing internal review, which will be added here too once project deliverables and available mentors have been confirmed). You can view our previous GSoC 2009, GSoC 2010, GSoC 2011 and GSoC 2012 project ideas pages if you are looking for inspiration, or you might like to work on one of our existing tools rather than on something new.
We are also always interested in hearing ideas for additional relevant honeynet-related R&D projects (although remember that to qualify for GSoC funding from Google your project deliverables need to fit into GSoC's 3-month project timescale!). If you have a suitable and interesting project, we will always try to find the right resources to mentor it and support you. Please note: even if you are not an eligible GSoC student, we are always looking for general volunteers who are enthusiastic and interested in getting involved in honeynet R&D.
Each sponsored GSoC 2013 project will have one or more mentors available to provide a guaranteed contact point to students, plus one or more technical advisors to help applicants with the technical direction and delivery of the project (often the original author of a tool or its current maintainer, and usually someone recognised as an international expert in their particular field). Our Google Summer of Code organisational administrators will also be available to all sponsored GSoC students for general advice and logistical support. We’ll also provide supporting hosted svn/trac/git/redmine/mailman/IRC/etc project infrastructure, if required.
For all questions about the Honeynet Project, the GSoC program or our projects, please contact us on #gsoc-honeynet on irc.freenode.net, subscribe to our public mailing list for people interested in GSoC at https://public.honeynet.org/mailman/listinfo/gsoc or email us directly at [email protected]
To learn more about the Google Summer of Code event, see the GSoC 2013 website.
R&D Focus Areas
In previous years our internal honeynet R&D focus was primarily directed into a number of priority areas, which were:
- Mobile device honeypots
- Virtualization honeypots / monitoring / attacks
- Topical malware (e.g. stuxnet SCADA, attacks against mobile platforms such as Android, etc)
- Active defense research (e.g. botnet take down in an ethical manner)
- IPv6 honeynets
- Distributed data collection, analysis and visualisation
So, unsurprisingly, a number of our suggested project ideas fall into these research areas. However, we are also interested in receiving project proposals and tool updates / new tool developments outside these focus areas, so hopefully this provides potential students with a wide variety of exciting topics to contribute to and be engaged with this summer.
GSoC 2013 Project Ideas
- Project 1 – Pwnypot Honeyclient (detection improvement)
- Project 2 – Pwnypot manager
- Project 3 – Thug Distributed Task Queueing
- Project 4 – Thug Document Object Model (DOM) improvements and validation
- Project 5 – Android webhoneyclient
- Project 6 – Dynamic attack surface for Glastopf
- Project 7 – Network Analyzer
- Project 8 – IMALSE: Integrated Malware Simulator and Emulator
- Project 9 – OSX malware analysis honeypot
- Project 10 – AfterGlow Cloud
- Project 11 – HpfeedsHoneyGraph for visualizing malicious intention transmission
- Project 12 – Android static analysis web application
- Project 13 – IPv6 attack detector
- Project 14 – SHIVA – Spam Honeypot with Intelligent Virtual Analyzer
- Project 15 – Conpot – ICS/SCADA honeypot
(more to follow)
GSoC 2013 Project Ideas
Name: Project 1 – Pwnypot Honeyclient (detection improvement)
Mentor: Georg Wicherski (DE)
Backup mentor: Technical support Shahriyar Jalayeri
Skills required:
- C++ (good)
- Windows and Java Internals (good)
- Exploitation (and anti-exploitation) techniques (familiar)
Project type: Improve existing tool
Project goal:
The goal of the project is to add more detection techniques to Pwnypot (https://github.com/shjalayeri/MCEDP) for detecting shellcode, ROP chains and also Java logic exploits.
Description:
Pwnypot (a.k.a. MCEDP) is a high-interaction client honeypot that uses a number of techniques to detect malicious web servers at the exploitation stage; some of these methods were first implemented in Microsoft EMET. There are methods (not yet seen in the wild) that an attacker could use to bypass the shellcode and ROP detector modules. We are aware of most of these evasion methods and expect to fix them during this project. Another problem is Java sandbox escape exploits: these are usually logic bugs and involve neither memory corruption nor conventional shellcode. Because MCEDP/Pwnypot is designed around memory corruption and shellcode execution, it cannot detect this type of Java exploit yet, so detection of these exploits is also needed.
Name: Project 2 – Pwnypot manager
Mentor: Jamie Riden (UK)
Backup mentor: Georg Wicherski (DE), Technical support Adel Karimi
Skills required:
- Python (good)
- HTML/CSS/Javascript (good)
Project type: Extension of existing tool
Project goal:
The goal of the project is to develop a manager module for Pwnypot (https://github.com/shjalayeri/MCEDP) that sends tasks to Pwnypot agents / VMs, collects the results after analysis and inserts them into a database, together with a simple web frontend for management and for displaying the results.
Description:
Currently the Pwnypot honeyclient is not fully automated: it only has a detection module with a GUI for configuring the agent (the Pwnypot client). We need a manager module that sends tasks to the agents/VMs (feeding inputs to the Pwnypot clients) and collects the results, plus a database and a simple web frontend to manage Pwnypot and display the analysis results.
Name: Project 3 – Thug Distributed Task Queueing
Mentor: Angelo Dell’Aera (IT)
Backup mentor: Sebastian Poeplau (DE)
Skills required:
- Python (good)
- Distributed computing (basic)
Project type: Improve existing tool
Project goal:
The goal of the project is to introduce a new distributed operating mode in the honeyclient (Thug).
Description:
Currently Thug works as a stand-alone tool, but there are plans to make it work in a distributed environment. The idea is that an instance of Thug operating in distributed mode should be able to connect to a (centralized or not) URL distribution point. The distribution point is fed with URLs from different sources (e.g. spamtraps) and redistributes them to all Thug instances that are currently idle and waiting for tasks to run. The distribution algorithm should load balance the tasks among the live, connected Thug instances and provide them with additional parameters so that each running instance can be fine tuned.
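As an added illustration of the distribution point described above (example code written for this page, not part of Thug; the class and method names are assumptions), a minimal in-memory dispatcher that queues URLs from feeds, drops workers whose heartbeat has gone stale, assigns pending URLs to the least loaded live workers up to a per-worker capacity, and attaches per-task tuning parameters:

```python
"""URL distribution point for honeyclient instances (added example, not Thug code).

Feeds push URLs in; live honeyclient workers receive the pending URLs
least-loaded-first, each task carrying per-run parameters the worker can use
to tune itself.  Names (DistributionPoint, Worker, feed/dispatch) are
assumptions made for this illustration.
"""
from collections import deque
from dataclasses import dataclass, field
import heapq
import time


@dataclass(order=True)
class Worker:
    """A connected honeyclient; ordered by current load so heapq pops the idlest."""
    assigned: int
    name: str = field(compare=False)
    last_seen: float = field(compare=False, default=0.0)


class DistributionPoint:
    def __init__(self, stale_after=60.0):
        self.pending = deque()          # tasks waiting for a worker
        self.workers = {}               # name -> Worker
        self.stale_after = stale_after  # seconds without heartbeat before a worker is ignored

    def feed(self, url, source, **params):
        """Enqueue a URL from an external source (e.g. a spamtrap) with tuning parameters."""
        self.pending.append({"url": url, "source": source, **params})

    def register(self, name, now=None):
        self.workers[name] = Worker(0, name, time.time() if now is None else now)

    def heartbeat(self, name, now=None):
        self.workers[name].last_seen = time.time() if now is None else now

    def live_workers(self, now=None):
        now = time.time() if now is None else now
        return [w for w in self.workers.values() if now - w.last_seen < self.stale_after]

    def dispatch(self, capacity=1, now=None):
        """Hand pending tasks to live workers, least loaded first, never exceeding
        `capacity` concurrent tasks per worker.  Returns {worker_name: [tasks]}."""
        heap = [w for w in self.live_workers(now) if w.assigned < capacity]
        heapq.heapify(heap)
        handed = {}
        while self.pending and heap:
            worker = heapq.heappop(heap)
            task = self.pending.popleft()
            worker.assigned += 1
            handed.setdefault(worker.name, []).append(task)
            if worker.assigned < capacity:
                heapq.heappush(heap, worker)
        return handed

    def complete(self, name):
        """A worker reports a finished task; its slot is free for the next round."""
        self.workers[name].assigned = max(0, self.workers[name].assigned - 1)


if __name__ == "__main__":
    dp = DistributionPoint()
    dp.register("thug-a")
    dp.register("thug-b")
    for i in range(5):
        dp.feed(f"http://example.invalid/{i}", source="spamtrap", timeout=30)
    for name, tasks in dp.dispatch(capacity=3).items():
        print(name, [t["url"] for t in tasks])
```

In a real deployment the queue and worker table would live in a shared store (a message broker or database) and workers would pull over the network; the balancing rule and the stale-worker check stay the same.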
Name: Project 4 – Thug Document Object Model (DOM) improvements and validation
Mentor: Angelo Dell’Aera (IT)
Backup mentor: Sebastian Poeplau (DE)
Skills required:
- Python (good)
- HTML, Javascript, browser internals(good)
Project type: Improve existing tool
Project goal:
The goal of the project is to improve the Document Object Model implementation of the honeyclient (Thug) and implement a generic framework for its validation.
Description:
Thug implements its own Document Object Model (DOM) which is far from perfect. Considering that a correct implementation is key for correctly emulating web pages (and thus exploit kits too) the goal of this project is about improving the existing Document Object Model implementation and implementing a generic framework for its validation.
Name: Project 5 – Android webhoneyclient
Mentor: Hugo Gonzalez (MX)
Backup mentor: Natalia Stakhanova (Canada)
Skills required:
- Android (good)
- Python (good)
Project type: Develop a new tool
Project goal:
The goal of the project is to develop a new tool capable of detecting and analyzing web-based attacks against Android.
Description:
There are some honeyclients that mimic a browser on a specific platform. This one will not mimic anything: it will use a "real" Android platform (an emulated device rather than a browser imitation) to conduct a complete analysis. The point of this project is not to develop an Android app but an analysis tool that runs in a traditional (non-mobile) environment.
At this stage the analysis should focus on URLs. An Android honeyclient should be able to (1) visit the suspicious URL, (2) record all the activity of the device, and (3) analyze the recorded activity.
The input to the honeyclient is a list of URLs and the output is the result of their analysis. We envision the analysis being performed by exposing an emulated Android environment, in a virtual setting, to a possibly malicious URL.
As such the project has two components: (1) a straightforward implementation of a controller responsible for starting up a clean Android emulation environment, opening the URL in it, collecting traces and shutting the environment down; and (2) a more advanced piece on behavioral analysis of the recorded traces.
The latter component is likely to call for some research. We are not looking for sophisticated analysis here; we were thinking of some definition of normal environment behavior and a comparison of the recorded traces with what is defined as normal.
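One way to start on the second component, as an added example that is not taken from the project (the event line format, the generalization rules and the sample traces are all constructed): build a "normal" profile from clean runs and flag any event whose generalized shape never appeared in it.

```python
"""Baseline comparison of recorded Android emulator activity (added example).

Normal behaviour is modelled as the set of event shapes seen across clean visits
to benign pages; a run is flagged on any event shape the baseline never
produced.  The event line format (kind + detail) and all sample traces are
constructed for this illustration; they are not output of a real controller.
"""
import re

_DIGITS = re.compile(r"\d+")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_trace(lines):
    """Turn raw trace lines into (kind, detail) tuples, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, detail = line.partition(" ")
        events.append((kind, detail.strip()))
    return events


def shape(kind, detail):
    """Generalize an event so benign variation does not look anomalous.

    net:  keep only 'ip'/'host' plus the port: the browser may legitimately talk
          to any hostname, but raw-IP or odd-port connections are unusual.
    file: replace digit runs (cache file names) with '#'.
    Other kinds are compared literally.
    """
    if kind == "net":
        host, _, port = detail.rpartition(":")
        return ("net", ("ip" if _IPV4.match(host) else "host") + ":" + port)
    if kind == "file":
        return ("file", _DIGITS.sub("#", detail))
    return (kind, detail)


def build_baseline(traces):
    """Union of event shapes over several clean runs."""
    baseline = set()
    for lines in traces:
        baseline.update(shape(k, d) for k, d in parse_trace(lines))
    return baseline


def analyze_run(baseline, lines):
    """Return (verdict, anomalies); anomalies are the raw events whose shape is new."""
    anomalies = [(k, d) for k, d in parse_trace(lines) if shape(k, d) not in baseline]
    return ("suspicious" if anomalies else "clean"), anomalies


# Constructed sample traces: clean visits used for the baseline ...
BASELINE_TRACES = [
    ["net www.news.example:443", "net cdn.news.example:443",
     "perm INTERNET", "file write /data/data/com.android.browser/cache/1482.tmp"],
    ["net shop.example:443", "perm INTERNET",
     "file write /data/data/com.android.browser/cache/9917.tmp"],
]
# ... and a visit that drops and installs a package, then sends SMS.
SUSPECT_TRACE = [
    "net shop.example:443",
    "net 203.0.113.7:8080",                  # raw IP on a non-standard port
    "file write /sdcard/Download/update.apk",
    "pkg install com.fake.update",
    "perm SEND_SMS",
    "sms send +15550100",
]

if __name__ == "__main__":
    verdict, found = analyze_run(build_baseline(BASELINE_TRACES), SUSPECT_TRACE)
    print(verdict)
    for kind, detail in found:
        print(f"  {kind}: {detail}")
```

The interesting design decision is in shape(): too little generalization and every new hostname is an "anomaly", too much and a dropped APK looks like a cache write. Building the baseline from many clean pages, not one, is what keeps the false-positive rate down.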
Name: Project 6 – Dynamic attack surface for Glastopf
Mentor: Johnny Vestergaard (DK)
Backup mentor: Lukas Rist (DE)
Skills required:
- Python (good)
- HTML/CSS/Javascript (good)
Project type: Extension of existing tool
Project goal:
Extend Glastopf with functionality to change its attack surface.
Description:
The goal of this project is to develop functionality to dynamically change the attack surface of Glastopf; in this context the attack surface means the HTML, CSS, JavaScript and paths visible to the attacker. One or more of the following suggestions could be interesting:
- Functionality to mirror/mimic an existing website. This would involve automatically scraping a website, after which Glastopf would mimic that site. See http://research.microsoft.com/apps/pubs/default.aspx?id=145126 for a similar approach. There are definitely search engine consequences and legal aspects to consider.
- Development of templates for common websites (WordPress, Drupal, etc.). Possibly adopt HIHAT's approach of turning a CMS template into a honeypot: http://hihat.sourceforge.net/
- Improve Glastopf's WSGI application so that the honeypot can run behind an already deployed web server like Apache, alongside other web applications.
Project Name: Project 7 – Network Analyzer
Primary Mentor: Oğuz Yarımtepe (TR)
Backup mentor: Adam Pridgen (US), Nicolas Collery (FR)
Skills required:
- Python (intermediate)
- Django / MTV-pattern web development (intermediate)
Project type: Improve existing tool
Project goal:
The goal of the project is to enhance the features of the Network Analyzer tool.
Description:
Currently Network Analyzer supports the DNS, HTTP and SMTP protocols. Its site explains the installation procedure and other details: https://github.com/oguzy/ovizart
Briefly, Ovizart (Network Analyzer) aims to present captured traffic data in a more human-readable way. It analyzes the information at the application level and displays the reassembled information. It helps you answer questions such as the following when analyzing a traffic capture:
- What type of traffic am I looking at (HTTP, DNS, FTP, ...)?
- Does this HTTP traffic carry malicious JavaScript files?
- What are the mail content and header information of this SMTP traffic, and are its attachments malicious?
There is also an online demo: http://ow.comu.edu.tr
This year the planned todos are:
- More plugins are required to support more protocols.
- Testing the current modules is also essential.
- Traffic analysis works offline and supports only raw traffic dumps. It should also support other feed sources, such as HPFeeds.
- Application-level information is gathered from Bro IDS logs. Integration with Brownian could improve the information displayed.
- The timeline and other interfaces could be beautified.
- Performance improvements are required to reduce the analysis time and the upload time for big files. Optimizing the current code or proposing a different method could be a solution.
- The current handlers are written so that anyone can write their own handler by overriding the current function definitions. A better approach is subclassing, so that handlers are extensible: in addition to the main HTTP analysis done by the HTTP handler, it must be possible to add, for example, a JavaScript analysis step.
- A clear separation between the handlers and the web interface would be a good addition. This requires CLI support in the project, so that one can use Ovizart to analyze pcaps and get its output without having to install Django.
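An added sketch (not ovizart's code; the record fields and sample records are constructed) of the subclass-based handler layout described in the last two items, with a JavaScript analysis step plugged into the HTTP handler and the whole analysis runnable from a plain script with no web framework:

```python
"""Subclass-based protocol handlers with pluggable analyzers (added example).

A handler is a subclass registered by protocol name; per-protocol analysis
(here a JavaScript check on HTTP bodies) is a function plugged into the
handler, so the analysis runs from a plain script with no web framework.
The record fields and sample records are constructed; this is not ovizart's code.
"""


class Handler:
    protocol = None        # set by subclasses, e.g. "http"
    registry = {}          # protocol name -> handler class, filled on subclassing

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        if cls.protocol:
            Handler.registry[cls.protocol] = cls

    def __init__(self):
        self.analyzers = []

    def add_analyzer(self, func):
        """Plug in a function taking the parsed record and returning a list of findings."""
        self.analyzers.append(func)
        return func

    def parse(self, record):
        raise NotImplementedError

    def handle(self, record):
        parsed = self.parse(record)
        findings = [f for analyzer in self.analyzers for f in analyzer(parsed)]
        return {"protocol": self.protocol, "summary": parsed, "findings": findings}


class HTTPHandler(Handler):
    protocol = "http"

    def parse(self, record):
        # Fields modelled loosely on an IDS http log plus the reassembled body (constructed).
        return {"host": record.get("host"), "uri": record.get("uri"),
                "mime": record.get("mime_type", ""), "body": record.get("body", "")}


class DNSHandler(Handler):
    protocol = "dns"

    def parse(self, record):
        return {"query": record.get("query"), "answers": list(record.get("answers", []))}


SUSPICIOUS_JS = ("eval(", "unescape(", "fromCharCode", "document.write(")


def js_analyzer(parsed):
    """Flag obfuscation-style constructs in JavaScript bodies; other MIME types pass."""
    if "javascript" not in parsed["mime"]:
        return []
    return [f"suspicious construct {t!r} in {parsed['uri']}"
            for t in SUSPICIOUS_JS if t in parsed["body"]]


def build_handlers():
    """One instance per registered protocol, with the JS step attached to HTTP."""
    handlers = {name: cls() for name, cls in Handler.registry.items()}
    handlers["http"].add_analyzer(js_analyzer)
    return handlers


def analyze(records, handlers=None):
    """Run each record through the handler for its protocol; unknown protocols are collected."""
    handlers = handlers or build_handlers()
    results, unsupported = [], []
    for rec in records:
        handler = handlers.get(rec["proto"])
        if handler is None:
            unsupported.append(rec["proto"])
            continue
        results.append(handler.handle(rec))
    return results, unsupported


# Constructed sample records as a CLI front end might hand them over.
SAMPLE_RECORDS = [
    {"proto": "http", "host": "cdn.example", "uri": "/js/app.js",
     "mime_type": "application/javascript", "body": "var p=unescape('%75%72%6c');eval(p);"},
    {"proto": "dns", "query": "cdn.example", "answers": ["203.0.113.5"]},
    {"proto": "ftp", "command": "RETR payload.exe"},
]

if __name__ == "__main__":
    results, unsupported = analyze(SAMPLE_RECORDS)
    for r in results:
        print(r["protocol"], r["findings"])
    print("unsupported protocols:", unsupported)
```

Adding FTP support is then a new Handler subclass with a parse() method, and a deeper HTTP check (say, a real JavaScript emulator) is another analyzer registered on the HTTP handler rather than an edit to the handler itself.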
Project Name: Project 8 – IMALSE: Integrated Malware Simulator and Emulator
Primary Mentor: Jing Conan Wang (CN)
Backup mentor: Cong Wei (US)
Skills required:
- Python
- C++
Project type: Improve existing tool
Project goal:
The goal of the project is to enhance the features of the existing IMALSE tool.
Description:
This is open source software we have developed to help researchers generate data on botnet-based network malware. It currently has basic functionality for simulating and emulating botnet-based attacks (see the IMALSE website).
The student will be asked to improve the software by:
- Improving the background traffic generator. The tool has a simple background traffic generator that produces normal traffic following some statistical distribution; the student needs to make it more realistic.
- Implementing more practical attack scenarios. Currently we have only two attack scenarios: a data exfiltration attack and a DDoS ping-flood attack. More attack scenarios will make the tool more useful.
- Improving the usability of the software. There are two GUI systems in the software, one used to create the network topology and the other to animate the simulation process. For historical reasons these two GUIs are separate; the student should create a unified GUI system that has both functions.
Name: Project 9 – OSX malware analysis honeypot
Skills required:
- OS X (good)
- dtrace (medium)
- Python (good)
Name: Project 10 – AfterGlow Cloud
Skills required:
- HTML5, CSS (good)
- JavaScript (good)
- Python (good)
- D3.js (preferred)
Name: Project 11 – HpfeedsHoneyGraph for visualizing malicious intention transmission
Skills required:
- HTML5, CSS (good)
- JavaScript (Perfect)
- Python (good)
- D3.js (preferred)
- Splunk (preferred)
- Graph theory
Description:
- (1) Improve the readability of the transmission graph visualization. This means applying graph algorithms to simplify similar, common motifs into easily understandable entities. The most difficult part is mining the special attributes and topology that can be replaced by such entities. After simplification the graph becomes more readable and easier to analyze.
- (2) Improve the HpfeedsHoneyGraph interface to make it easier to use and add more user dialogue functionality. The dialogue functionality should let users choose which malicious activities to show on the graph and allow them to filter the graph.
Name: Project 12 – Android static analysis web application
Skills required:
- Python/Django or Ruby/Rails
- JavaScript
- Android static analysis
Name: Project 13 – IPv6 attack detector
Skills required:
- Python (good)
- Network protocol (good)
Name: Project 14 – SHIVA – Spam Honeypot with Intelligent Virtual Analyzer
Skills required:
- Python (good)
- DB acquaintance (mongodb, MySQL)
Description:
- For easier deployment, an installation package has to be built that satisfies the dependencies and creates the environment for the project.
- The intelligence of the core engine needs to be improved to differentiate between new spam and another instance of old spam. The idea is to keep the database as free of redundant data as possible and to provide a broader window for probing mails (mails sent by spammers to verify an open relay) to be relayed.
- The intelligence is further to be increased to classify spam based on its content (phishing, scamming, banking, etc.).
- HPFeeds / HPFriends integration would make it possible to publish spam hitting various sensors globally; subscribing to the appropriate channel would then present users with what they are interested in obtaining from the project: suspected attachments, malicious URLs, source IP addresses, etc. The obtained data shall be in a form usable by other projects such as Cuckoo, Thug and Mnemosyne.
- MongoDB integration to handle big data.
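As an added example of the near-duplicate detection and content classification items above (written for this page, not SHIVA's code; the sample mails, normalization rules, similarity threshold and keyword categories are all constructed): each mail is normalized so that rotating URLs and numbers do not change its fingerprint, compared by word-shingle Jaccard similarity against the fingerprints already stored, and given a coarse category by keyword overlap.

```python
"""Near-duplicate spam detection and coarse content classification (added example).

Spammers rotate URLs, numbers and small wording between copies of one campaign.
Normalizing those away and comparing word 3-shingles by Jaccard similarity
lets the store keep one record per campaign instead of one per copy.  Sample
mails, normalization rules, threshold and keyword lists are constructed.
"""
import re

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
NUM_RE = re.compile(r"\d+")
TOKEN_RE = re.compile(r"[a-z<>]+")


def normalize(body):
    """Lowercase, replace URLs and numbers with placeholders, return word tokens."""
    text = URL_RE.sub(" <url> ", body.lower())
    text = NUM_RE.sub(" <num> ", text)
    return TOKEN_RE.findall(text)


def shingles(tokens, k=3):
    """Set of k-word windows; very short texts fall back to a single shingle."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class SpamStore:
    """Keeps one shingle fingerprint per distinct campaign."""

    def __init__(self, threshold=0.6):
        self.threshold = threshold
        self.known = []   # list of (message id, shingle set)

    def observe(self, msg_id, body):
        """Return ('duplicate', matched id, similarity) or ('new', msg_id, best similarity)."""
        fp = shingles(normalize(body))
        best_id, best = None, 0.0
        for known_id, known_fp in self.known:
            sim = jaccard(fp, known_fp)
            if sim > best:
                best_id, best = known_id, sim
        if best >= self.threshold:
            return "duplicate", best_id, best
        self.known.append((msg_id, fp))
        return "new", msg_id, best


# Constructed keyword lists; a real deployment would learn these from labelled mail.
CATEGORIES = {
    "phishing": {"verify", "account", "password", "login", "suspended"},
    "banking": {"bank", "transfer", "wire", "beneficiary", "swift"},
    "scam": {"lottery", "winner", "inheritance", "prize", "claims"},
}


def classify(body):
    """Category with the most keyword hits, or 'other' when nothing matches."""
    tokens = set(normalize(body))
    scores = {name: len(tokens & words) for name, words in CATEGORIES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else "other"


# Constructed samples: two copies of one phishing campaign and one unrelated scam.
PHISH_A = ("Dear customer, your account has been suspended. Verify your password at "
           "http://bank-login.example/a/1234 within 24 hours.")
PHISH_B = ("Dear Customer, your account has been suspended! Verify your password immediately "
           "at http://secure-verify.example/x/9876 within 48 hours.")
SCAM = ("Congratulations! You have been selected as the winner of our lottery prize of "
        "5000000 USD. Contact the claims agent to collect your prize.")

if __name__ == "__main__":
    store = SpamStore()
    for msg_id, body in (("a1", PHISH_A), ("s1", SCAM), ("a2", PHISH_B)):
        status, match, sim = store.observe(msg_id, body)
        print(msg_id, status, match, f"{sim:.2f}", classify(body))
```

The threshold is the tuning knob: with 3-word shingles, a one-word insertion in a 15-word mail already drops similarity to about 0.69, so anything much above 0.7 will start treating light rewording as a new campaign, while a low threshold will merge unrelated mails that share boilerplate.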