Apate - A Linux Kernel Module for High Interaction Honeypots
Christoph Pohl, Michael Meier, Hans-Joachim Hof

TL;DR
This paper introduces Apate, a Linux Kernel Module designed to enhance high interaction honeypots by enabling detailed logging, blocking, and manipulation of system calls based on configurable conditions, thereby improving security and data collection.
Contribution
The paper presents Apate, a novel Linux Kernel Module that simplifies the creation and hardening of high interaction honeypots through configurable system call manipulation.
Findings
Enables detailed system call logging and manipulation
Supports configurable conditions like PID and UID
Facilitates building more secure high interaction honeypots
Abstract
Honeypots are used in IT security to detect and gather information about ongoing intrusions, e.g., by documenting the approach of an attacker. Honeypots do so by presenting an interactive system that looks to an attacker just like a valid application. One of the main design goals of honeypots is to stay unnoticed by attackers as long as possible: the longer the intruder interacts with the honeypot, the more valuable information about the attack can be collected. Of course, another main goal of honeypots is to not open new vulnerabilities that attackers can exploit. Thus, it is necessary to harden the honeypot and the surrounding environment. This paper presents Apate, a Linux Kernel Module (LKM) that is able to log, block and manipulate system calls based on preconfigurable conditions like Process ID (PID), User ID (UID), and many more. Apate can be used to build and harden High…
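The abstract describes Apate as matching each system call against preconfigured conditions (PID, UID, and more) and then logging, blocking or manipulating it. The block below is an added userspace model of that decision logic, written for this page and not taken from Apate's source: the rule layout, the ordering semantics (log rules observe and continue, the first allow/block/manipulate rule decides), the sample rule table, the log format and the x86-64 syscall numbers are all assumptions made here. In a real LKM the same evaluation would run inside the syscall hook against the PID and UID of the current task, and "block" or "manipulate" would mean returning the chosen value instead of calling the original handler.

```c
/* Userspace model of a syscall policy table of the kind a honeypot LKM
 * such as Apate evaluates in its syscall hooks. Example code written for
 * this page, not Apate's own source. The rule format, the "LOG continues,
 * BLOCK/MANIPULATE terminate" semantics and the syscall numbers below are
 * assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define RULE_ANY (-1L)          /* wildcard: condition matches any value */

/* Assumed x86-64 syscall numbers, used only to make the example concrete. */
#define SYS_EXECVE_NR 59L
#define SYS_GETUID_NR 102L

enum action { ACT_ALLOW, ACT_LOG, ACT_BLOCK, ACT_MANIPULATE };

struct rule {
    long syscall_nr;            /* syscall number or RULE_ANY */
    long pid;                   /* process id or RULE_ANY */
    long uid;                   /* user id or RULE_ANY */
    enum action action;
    long fake_ret;              /* value handed to the caller for ACT_MANIPULATE */
};

struct syscall_event { long syscall_nr, pid, uid; };

struct decision {
    enum action action;         /* what the hook should do with the call */
    long ret;                   /* value the caller sees for BLOCK/MANIPULATE */
    int rule_index;             /* index of the deciding rule, -1 for the default */
};

static int rule_matches(const struct rule *r, const struct syscall_event *ev)
{
    return (r->syscall_nr == RULE_ANY || r->syscall_nr == ev->syscall_nr)
        && (r->pid == RULE_ANY || r->pid == ev->pid)
        && (r->uid == RULE_ANY || r->uid == ev->uid);
}

/* Walk the table in order. ACT_LOG rules append a log line and keep going,
 * so several log rules can fire for one call; the first ALLOW, BLOCK or
 * MANIPULATE rule decides. With no terminal match the call passes unchanged. */
struct decision evaluate(const struct rule *rules, size_t nrules,
                         const struct syscall_event *ev,
                         char *logbuf, size_t logsz, size_t *loglen)
{
    struct decision d = { ACT_ALLOW, 0, -1 };
    for (size_t i = 0; i < nrules; i++) {
        if (!rule_matches(&rules[i], ev))
            continue;
        if (rules[i].action == ACT_LOG) {
            int n = snprintf(logbuf + *loglen, logsz - *loglen,
                             "rule=%zu syscall=%ld pid=%ld uid=%ld\n",
                             i, ev->syscall_nr, ev->pid, ev->uid);
            if (n > 0 && (size_t)n < logsz - *loglen)
                *loglen += (size_t)n;   /* entry is dropped if the buffer is full */
            continue;
        }
        d.action = rules[i].action;
        d.rule_index = (int)i;
        d.ret = rules[i].action == ACT_BLOCK ? -EPERM : rules[i].fake_ret;
        return d;
    }
    return d;
}

/* Constructed sample policy, not a configuration shipped with Apate. */
static const struct rule demo_rules[] = {
    /* 0: record every execve, whoever runs it */
    { SYS_EXECVE_NR, RULE_ANY, RULE_ANY, ACT_LOG, 0 },
    /* 1: freeze one suspicious process: every syscall from pid 4242 fails with EPERM */
    { RULE_ANY, 4242L, RULE_ANY, ACT_BLOCK, 0 },
    /* 2: deception: uid 1000 is told by getuid() that it is root */
    { SYS_GETUID_NR, RULE_ANY, 1000L, ACT_MANIPULATE, 0 },
};
static char demo_log[1024];
static size_t demo_log_len;

struct decision demo_decide(long syscall_nr, long pid, long uid)
{
    struct syscall_event ev = { syscall_nr, pid, uid };
    return evaluate(demo_rules, sizeof demo_rules / sizeof demo_rules[0],
                    &ev, demo_log, sizeof demo_log, &demo_log_len);
}

const char *demo_log_text(void) { return demo_log; }
size_t demo_log_size(void) { return demo_log_len; }

int main(void)
{
    static const char *names[] = { "ALLOW", "LOG", "BLOCK", "MANIPULATE" };
    struct decision d;
    d = demo_decide(SYS_EXECVE_NR, 1234L, 1000L);
    printf("execve pid 1234 uid 1000 -> %s\n", names[d.action]);
    d = demo_decide(SYS_EXECVE_NR, 4242L, 1000L);
    printf("execve pid 4242 uid 1000 -> %s ret=%ld\n", names[d.action], d.ret);
    d = demo_decide(SYS_GETUID_NR, 1234L, 1000L);
    printf("getuid pid 1234 uid 1000 -> %s ret=%ld\n", names[d.action], d.ret);
    printf("log:\n%s", demo_log_text());
    return 0;
}
```

Two design points carry over to a kernel implementation. Rule order matters: an execve from pid 4242 is both logged (rule 0) and blocked (rule 1), because logging is non-terminal, whereas swapping the rule types would silently change behaviour. And a manipulated return value is exactly the place where a honeypot can betray itself, so any value returned in place of the real one must stay consistent across later calls the attacker can cross-check.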
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Security and Verification in Computing
