
A Dynamically Reconfigured Multi-FPGA Network Platform for High-Speed Malware Collection

DOI: 10.1155/2012/342625


Abstract:

Malicious software has become a major threat to computer users on the Internet today. Security researchers need to gather and analyze large sample sets to develop effective countermeasures. The setting of honeypots, which emulate vulnerable applications, is one method to collect attack code. We have proposed a dedicated hardware architecture for honeypots which allows both high-speed operation at 10 Gb/s and beyond and offers a high resilience against attacks on the honeypot infrastructure itself. In this work, we refine the base NetStage architecture for better management and scalability. Using dynamic partial reconfiguration, we can now update the functionality of the honeypot during operation. To allow the operation of a larger number of vulnerability emulation handlers, the initial single-device architecture is extended to scalable multichip systems. We describe the technical aspects of these modifications and show results evaluating an implementation on a current quad-FPGA reconfigurable computing platform.

1. Introduction

The significant increase of malicious software (malware) in recent years (see [1]) requires security researchers to analyze an ever increasing amount of samples for developing effective prevention mechanisms. One method for collecting a large number of samples is the use of low-interaction honeypots (e.g., [2]). Such dedicated computer systems emulate vulnerabilities in applications and are connected directly to the Internet, spanning large IP address spaces to attract many different attackers. A number of software applications are available helping in building up honeypot systems. But in addition to having performance limitations in high-speed environments (10+ Gb/s), such software systems also suffer from being compromisable themselves (they can be subverted to attack even more hosts).
Given the experience of the Nepenthes research project [3], it is extremely hard to realize an attack surface of millions of IP addresses (such as multiple class B networks) with actively communicating service modules running in software on a single server. In this context, we have proposed MalCoBox, a low-interaction malware-collection honeypot realized entirely in reconfigurable hardware without any software components in [4]. The core of the MalCoBox system is NetStage, a high-speed implementation of the basic Internet communication protocols, attached to several independent vulnerability emulation handlers (VEH), each emulating a specific security flaw of an application (see Figure 1). We have demonstrated the feasibility of that approach by

References

[1]  “Internet Security Threat Report, Volume XV,” Symantec, 2010, http://www.symantec.com/.
[2]  “HoneyD,” http://www.honeyd.org/.
[3]  P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, “The nepenthes platform: an efficient approach to collect malware,” in Recent Advances in Intrusion Detection, vol. 4219 of Lecture Notes in Computer Science, pp. 165–184, Springer, Berlin, Germany, 2006.
[4]  S. Mühlbach, M. Brunner, C. Roblee, and A. Koch, “MalCoBox: designing a 10 Gb/s malware collection honeypot using reconfigurable technology,” in Proceedings of the 20th International Conference on Field Programmable Logic and Applications (FPL ’10), pp. 592–595, IEEE Computer Society, 2010.
[5]  J. W. Lockwood, N. Naufel, J. S. Turner, and D. E. Taylor, “Reprogrammable network packet processing on the field programmable port extender (FPX),” in Proceedings of the ACM/SIGDA 9th International Symposium on Field Programmable Gate Arrays (FPGA ’01), pp. 87–93, ACM, 2001.
[6]  S. Mühlbach and A. Koch, “A dynamically reconfigured network platform for high-speed malware collection,” in Proceedings of the International Conference on ReConFigurable Computing and FPGAs (ReConFig ’10), pp. 79–84, IEEE Computer Society, 2010.
[7]  S. Mühlbach and A. Koch, “A scalable multi-FPGA platform for complex networking applications,” in Proceedings of the IEEE International Symposium on Field-Programmable Custom Computing Machines (FCCM '11), pp. 81–84, IEEE Computer Society, 2011.
[8]  BEEcube, Inc., “BEE3 Hardware User Manual,” 2008.
[9]  V. Pejović, I. Kovačević, S. Bojanić, C. Leita, J. Popović, and O. Nieto-Taladriz, “Migrating a honeypot to hardware,” in Proceedings of the International Conference on Emerging Security Information, Systems, and Technologies (SECURWARE '07), pp. 151–156, 2007.
[10]  J. W. Lockwood, N. McKeown, G. Watson et al., “NetFPGA—an open platform for gigabit-rate network switching and routing,” in Proceedings of the IEEE International Conference on Microelectronic Systems Education: Educating Systems Designers for the Global Economy and a Secure World (MSE '07), pp. 160–161, IEEE Computer Society, 2007.
[11]  C. Albrecht, R. Koch, and E. Maehle, “DynaCORE: a dynamically reconfigurable coprocessor architecture for network processors,” in Proceedings of the 14th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, pp. 101–108, IEEE Computer Society, 2006.
[12]  C. Kachris and S. Vassiliadis, “Analysis of a reconfigurable network processor,” in Proceedings of the 20th International Parallel and Distributed Processing Symposium (IPDPS '06), p. 187, IEEE Computer Society, 2006.
[13]  D. Yin, D. Unnikrishnan, Y. Liao, L. Gao, and R. Tessier, “Customizing virtual networks with partial FPGA reconfiguration,” ACM SIGCOMM—Computer Communication Review, vol. 41, pp. 57–64, 2010.
[14]  S. Bourduas and Z. Zilic, “A hybrid ring/mesh interconnect for network-on-chip using hierarchical rings for global routing,” in Proceedings of the 1st International Symposium on Networks-on-Chip (NOCS '07), pp. 195–204, IEEE Computer Society, 2007.
[15]  C. Thacker, “DDR2 SDRAM Controller for BEE3,” Microsoft Research, 2008.
[16]  K. v. d. Bok, R. Chaves, G. Kuzmanov, L. Sousa, and A. v. Genderen, “FPGA reconfigurations with run-time region delimitation,” in Proceedings of the 18th Annual Workshop on Circuits, Systems and Signal Processing (ProRISC '07), pp. 201–207, 2007.
[17]  Y. Hori, A. Satoh, H. Sakane, and K. Toda, “Bitstream encryption and authentication using AES-GCM in dynamically reconfigurable systems,” in Proceedings of the 3rd International Workshop on Security (IWSEC '08), pp. 261–278, Springer, 2008.
[18]  M. Miller, “Bandwidth engine serial memory chip breaks 2 billion accesses/sec,” in Proceedings of the 23rd Hot Chips Symposium, 2011.
[19]  J. T. Pawlowski, “Hybrid memory cube: breakthrough DRAM performance with a fundamentally re-architected DRAM subsystem,” in Proceedings of the 23rd Hot Chips Symposium, 2011.
[20]  M. Thumann, “Buffer Overflow in SIP Foundry’s SipXtapi,” 2006, http://www.securityfocus.com/archive/1/439617.
[21]  D. Litchfield, “Microsoft SQL Server 2000 Unauthenticated System Compromise,” http://marc.info/?l=bugtraq&m=102760196931518&w=2.
[22]  Xilinx, Partial Reconfiguration User Guide, 2010.
