Hermes Analysis System


Motivation

Cuckoo Sandbox is a malware analysis system for running and analysing malware inside a controlled environment. Cuckoo can run a sample on several different virtual machines, but these have to reside on the same physical machine (the cuckoo node) on which the active Cuckoo instance is running.

To work around this constraint without making larger changes to Cuckoo, we developed a client-server system for centralised administration and control of the cuckoo nodes. It consists of one server (Hermes) and multiple clients (Secretary).

Concept

The Hermes server is the central control node for an arbitrary number of cuckoo nodes. Jobs for the cuckoo nodes are configured in Hermes; each Secretary instance polls for its jobs autonomously and runs them.

Architecture

Hermes

Hermes is a web application developed with Grails. Grails is a web framework specialised for rapid web development and built on established technologies such as Spring and Hibernate. Lightweight development is promoted by the JVM scripting language Groovy and by extensive use of the convention-over-configuration paradigm.

Layers of Grails

The Job and Node classes are the central classes of Hermes. A Job object is the representation of a job configuration: it consists of a malware sample and a sensor, as well as the virtual machine on which the job should be run. Additional metadata, such as priority, simulated time or earliest publishing time, can also be configured. The Node objects represent the registered cuckoo nodes.

The user interface of Hermes is a custom-developed content management system (CMS). The CMS is split into a security, an information, an administration and an API component. The administration component is used for CRUD operations on the domain objects. The security component manages role-based access control (RBAC).

Components

The information component makes it possible to monitor the cuckoo nodes and their status. It shows each node's CPU usage as well as the status of its current job.

Secretary

Secretary consists of three main components: the Secretary core, which coordinates the communication between Cuckoo and Hermes; the Hermes package, which abstracts the functions of the Hermes API, reachable via HTTPS; and the Cuckoo package, which abstracts the Cuckoo API server and is based on HTTP communication.

Communication with Cuckoo uses Cuckoo's API server (a simple HTTP server developed with the Python web framework Bottle) and runs over plain HTTP with JSON as the message format. Because this link is unencrypted, it should stay confined to the cuckoo node on which Secretary runs and not be exposed on the network.

Communication with Hermes uses the Hermes API controller (Hermes Web-API) over HTTPS. Parameters are submitted as form data in an HTTP POST request; the server's HTTP response is JSON, which the DtoFactory translates into the corresponding DTO objects.

Once initialised, Secretary checks whether this Secretary instance is already registered with Hermes and, if not, registers itself. It then starts a thread that periodically submits the node state to Hermes. The main thread contains the polling loop: Hermes is polled until a job is received, the job is submitted to Cuckoo, and once Cuckoo has finished analysing it the results are submitted to Hermes.
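The cycle described above as an added example, not Secretary's own code: the Hermes action names (isRegistered, register, pollJob, submitResult), the form fields and the DTO layout are assumptions, the two Fake* classes stand in for the real HTTPS and HTTP transports so the code runs offline, and the node-state thread is left out. The FakeCuckoo methods mirror the tasks/create/file, tasks/view/<id> and tasks/report/<id> paths of Cuckoo's API server; check them against the installed Cuckoo version. What the paragraph does not show is where untrusted input enters Secretary: the JSON answer from Hermes is validated in the DtoFactory before anything is handed to Cuckoo.

```python
"""Offline model of the Secretary cycle described above (added example, not Secretary's
own code).  Hermes action names, form fields and the DTO layout are assumptions."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class JobDto:
    job_id: int
    machine: str          # virtual machine the sample must run on (assumed field set)
    priority: int
    sample_name: str
    sample: bytes


class DtoFactory:
    """Turns a Hermes JSON response into a DTO; malformed input is rejected here."""
    REQUIRED = ("id", "machine", "priority", "sampleName", "sample")

    @staticmethod
    def job_from_json(text: str) -> Optional[JobDto]:
        data = json.loads(text)
        if not data:                      # assumed: {} means nothing is queued
            return None
        if any(k not in data for k in DtoFactory.REQUIRED):
            raise ValueError("Hermes job response is missing fields: %r" % (data,))
        return JobDto(int(data["id"]), str(data["machine"]), int(data["priority"]),
                      str(data["sampleName"]), bytes.fromhex(data["sample"]))  # hex encoding assumed


class FakeHermes:
    """Stands in for the Hermes Web-API (form-data POST over HTTPS in the real system)."""
    def __init__(self, queue: List[dict]):
        self.nodes, self.queue, self.results = {}, list(queue), {}

    def post(self, action: str, form: Dict[str, str]) -> str:
        if action == "isRegistered":
            return json.dumps({"registered": form["node"] in self.nodes})
        if action == "pollJob":
            return json.dumps(self.queue.pop(0) if self.queue else {})
        if action == "register":
            self.nodes[form["node"]] = {"state": "idle"}
        elif action == "submitResult":
            self.results[int(form["jobId"])] = json.loads(form["report"])
        else:
            raise ValueError("unknown Hermes action " + action)
        return json.dumps({"ok": True})


class FakeCuckoo:
    """Stands in for Cuckoo's API server (HTTP, JSON); methods mirror tasks/create/file,
    tasks/view/<id> and tasks/report/<id>."""
    def __init__(self):
        self.tasks: Dict[int, dict] = {}

    def create_file(self, filename: str, data: bytes, machine: str, priority: int) -> int:
        task_id = len(self.tasks) + 1
        self.tasks[task_id] = {"filename": filename, "size": len(data), "machine": machine,
                               "priority": priority, "status": "pending"}
        return task_id

    def view(self, task_id: int) -> dict:
        self.tasks[task_id]["status"] = "reported"   # a real node passes through running first
        return {"task": self.tasks[task_id]}

    def report(self, task_id: int) -> dict:
        return {"info": {"id": task_id}, "target": self.tasks[task_id]["filename"]}


class Secretary:
    def __init__(self, node: str, hermes: FakeHermes, cuckoo: FakeCuckoo):
        self.node, self.hermes, self.cuckoo = node, hermes, cuckoo

    def ensure_registered(self) -> None:
        if not json.loads(self.hermes.post("isRegistered", {"node": self.node}))["registered"]:
            self.hermes.post("register", {"node": self.node})

    def run_once(self) -> Optional[int]:
        self.ensure_registered()
        job = DtoFactory.job_from_json(self.hermes.post("pollJob", {"node": self.node}))
        if job is None:                   # nothing queued: the real loop simply polls again
            return None
        task_id = self.cuckoo.create_file(job.sample_name, job.sample, job.machine, job.priority)
        while self.cuckoo.view(task_id)["task"]["status"] != "reported":
            pass                          # a real client sleeps between status polls
        self.hermes.post("submitResult", {"node": self.node, "jobId": str(job.job_id),
                                          "report": json.dumps(self.cuckoo.report(task_id))})
        return job.job_id


# Constructed queue entry, not real data ("4d5a9000" is the hex of an MZ header).
SAMPLE_QUEUE = [{"id": 7, "machine": "win7_x64", "priority": 2,
                 "sampleName": "dropper.exe", "sample": "4d5a9000"}]

if __name__ == "__main__":
    hermes = FakeHermes(SAMPLE_QUEUE)
    print(Secretary("node-01", hermes, FakeCuckoo()).run_once(), hermes.results)
```

The same shape works against the real services by replacing the two fakes with clients built on urllib or requests. For the Hermes side, keep certificate verification enabled: the HTTPS link is what protects the job configuration, the sample and the results in transit, and a Secretary that accepts any certificate would also accept jobs from anyone who can intercept its traffic.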

Future

The development of the Hermes system makes it possible to add a custom visualisation plugin for the Cuckoo results. The extensibility of the system allows further functionality, for example additional malware detection engines. Another required development step is the integration of a MongoDB database for storing the raw analysis data.

The sources of Hermes and Secretary are available in the download section.