First page Back Continue Last page Summary Graphics

UML as a honeypot


There are currently some limitations to using UML as a honeypot. The main one is that UML can be distinguished from a physical machine if you look carefully enough. The major things that distinguish UML from a physical box are its device names, the boot log, and various files in /proc.
There are plans for disguising these so that UML honeypots will be much harder to detect. The main piece of this will be a replacement for /proc which will allow the contents of the UML /proc to be specified from the host. With this, and already-existing mechanisms for changing UML device names, UML will be much harder to detect.