Experiences using minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities

Jedidiah R. Crandall, S. Felix Wu, Frederic T. Chong

Research output: Contribution to journalConference articlepeer-review

13 Scopus citations


We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.

Original languageEnglish (US)
Pages (from-to)32-50
Number of pages19
JournalLecture Notes in Computer Science
Issue numberDetection of Intrusions and Malware, and Vulnerability Assess...
StatePublished - 2005
Externally publishedYes
Event2nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2005 - Vienna, Austria
Duration: Jul 7 2005Jul 8 2005

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Experiences using minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities'. Together they form a unique fingerprint.

Cite this