UML as a honeypot
A sufficiently careful intruder can detect a UML honeypot
- device names
- boot log
- miscellaneous - /proc/interrupts
A disguise kit is in the works
- make a UML look identical to a physical box
There are currently some limitations to using UML as a honeypot. The main one is that UML can be distinguished from a physical machine if you look carefully enough. The things that give UML away are its device names, its boot log, and various files in /proc, /proc/interrupts in particular.
There are plans for disguising these so that UML honeypots will be much harder to detect. The main piece of this will be a replacement for /proc that lets the contents of the UML /proc be specified from the host. Combined with the mechanisms that already exist for changing UML device names, this will make UML much harder to tell apart from a physical box.
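The checks an intruder would run are easy to script. The following is an added example, not code from the UML project or from these slides: it looks for the three classes of artefact listed above (device names, boot log, /proc contents) and reports a count. The exact strings it matches are assumptions drawn from UML's /proc/cpuinfo output, its ubd block driver name and its host-capability boot messages, so treat the result as a heuristic score rather than proof. It takes an optional root directory so it can be run against a constructed fake tree instead of the live system; the constructed tree built by make_uml_tree is illustrative sample data, not captured from a real guest.

```shell
#!/bin/sh
# Added example (not UML project code): score a Linux system for artefacts
# that identify a User Mode Linux guest. Matched strings are assumptions.

# Print LABEL and succeed if FILE under ROOT exists and matches PATTERN.
uml_match() {
    root=$1; file=$2; pattern=$3; label=$4
    [ -r "$root$file" ] || return 1
    grep -Eiq "$pattern" "$root$file" || return 1
    echo "indicator: $label ($file)"
}

# Print LABEL and succeed if FILE exists but does NOT contain PATTERN.
uml_missing() {
    root=$1; file=$2; pattern=$3; label=$4
    [ -r "$root$file" ] || return 1
    grep -Eiq "$pattern" "$root$file" && return 1
    echo "indicator: $label ($file)"
}

# Run every check against ROOT (default: the live system). Prints one line
# per indicator found, then the total number of hits on the last line.
uml_fingerprint() {
    root=${1:-}
    hits=0
    # /proc: UML fills cpuinfo with its own vendor/model strings (assumed).
    uml_match "$root" /proc/cpuinfo \
        'vendor_id[[:space:]]*:[[:space:]]*User Mode Linux|model name[[:space:]]*:[[:space:]]*UML' \
        'UML cpuinfo strings' && hits=$((hits + 1))
    # Device names: the ubd block driver (ubda, ubd0, ...) has no physical counterpart.
    uml_match "$root" /proc/partitions '(^|[[:space:]])ubd[a-z0-9]' \
        'ubd block device' && hits=$((hits + 1))
    # Boot log: UML probes the host at startup and logs the results (assumed wording).
    uml_match "$root" /var/log/dmesg \
        'Checking (for host processor|PROT_EXEC mmap|for the skas3 patch)' \
        'UML host-probe boot messages' && hits=$((hits + 1))
    # /proc/interrupts: a UML guest has no interrupt controller, so the
    # IO-APIC / XT-PIC / PCI-MSI columns of a physical x86 box never appear.
    uml_missing "$root" /proc/interrupts 'IO-APIC|XT-PIC|PCI-MSI|i8042' \
        'no physical interrupt controller in /proc/interrupts' && hits=$((hits + 1))
    echo "$hits"
}

# Numeric score only (last line of uml_fingerprint).
uml_score() {
    uml_fingerprint "$1" | tail -n 1
}

# Build a CONSTRUCTED fake root that looks like a UML guest, for offline demos.
# The file contents are illustrative sample data, not captured from a real system.
make_uml_tree() {
    dir=$1
    mkdir -p "$dir/proc" "$dir/var/log"
    printf 'processor\t: 0\nvendor_id\t: User Mode Linux\nmodel name\t: UML\nmode\t\t: skas\n' \
        > "$dir/proc/cpuinfo"
    printf 'major minor  #blocks  name\n\n  98     0     524288 ubda\n' \
        > "$dir/proc/partitions"
    printf 'Checking for host processor cmov support...Yes\nChecking PROT_EXEC mmap in /tmp...OK\n' \
        > "$dir/var/log/dmesg"
    printf '           CPU0\n  0:   12345   timer\n  1:     678   ubd\n  2:      90   console\n' \
        > "$dir/proc/interrupts"
}

# Demo: score the constructed UML-like tree, then the live system.
demo=$(mktemp -d)
make_uml_tree "$demo"
echo "constructed UML tree:"; uml_fingerprint "$demo"
echo "live system:";          uml_fingerprint ""
rm -rf "$demo"
```

Every check is a positive match except the /proc/interrupts one, which is an absence test: it fires when the file exists but names no physical interrupt controller, which is exactly the kind of artefact a host-specified /proc replacement would have to fake convincingly. A score of 0 on the live system does not prove it is physical; it only means none of these particular tells were present.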