News
Argos 0.7 for Qemu 1.1.0 released (runs Windows 7)
20/01/2014
Apologies for the long delay. We never got 'round to putting Argos version 0.7 online (the one that supports Windows 7). We now did it, but it has not been tested very rigorously, so use at your own risk. The current status can be described as: it works for us! The tarball is available from the downloads page.
Argos for new version of Qemu (supports Windows 7)
17/12/2012
Most taint analysis systems to date work with older versions of Qemu (0.9.x). This works fine for older versions of Windows like XP, but it prevents you from running, say, Windows 7 or later. The problem is that newer versions of Qemu, which do support Windows 7, are radically different 'under the hood'. We finally ported Argos to the latest version of Qemu and are now able to run W7. The only thing we are still working on is a network driver for W7 (NE2000 is no longer supported by W7). As soon as we have this done, we will release this new version of Argos.
Argos 0.5.0 released: shellcode extraction and client-side honeypot
19/05/2011
And finally, we released the new 0.5.0 version with shellcode extraction and support for running as a client-side honeypot (using the same infrastructure as the Shelia client-side honeypot). The shellcode extractor keeps an attack running after an attack is detected, and extracts the NOP sled, unpacker(s), and real shellcode.
Argos shellcode extractor released
14/04/2011
While there have not been many releases recently, we have been working quite hard on cool new features for Argos. We have just been incredibly slow in making them public. In the near future we will start adding them here. For now I have made the shellcode extractor available. I hope you find it useful.
The Argos shellcode extractor is a new version of Argos that does not stop the attack immediately. Rather, it keeps it running in order to detect the shellcode and separate it from NOP sleds and unpacker(s). To confine the shellcode, you can specify exactly which API calls it is allowed to make by means of a whitelist. Everything else is still prohibited and will stop the execution. As an aside, the new version is also usable as a very accurate, but fairly slow, client-side honeypot.
Client argos library v0.1.4 released
16/04/2009
Client argos library v0.1.4 contains an update to the carlog utility that enables the user to print the contents of an arbitrary memory block from an Argos csi log.
Argos critical fix
29/03/2009
Argos v0.4.2-1 fixes a critical error that caused a crash if the control socket was not used.
New packages released
25/03/2009
Argos v0.4.2 released
This release of Argos fixes problems with the control socket. Threading is no longer used; instead, Qemu's asynchronous I/O mechanisms are used.
Another modification allows one to let tainted data execute, by supplying the '-no-fsc' option at run time. This of course disables the injection of forensics shellcode.
Also, this version makes whitelists optional. The user needs to enable whitelist support when configuring Argos, as well as at runtime.
Argos-replay
This is an early release of versions of Qemu and Argos that allow you to record the execution of a VM running within our modified Qemu emulator, and replay the exact same execution using Argos.
This code has not been extensively tested, and currently does not support graphical output and IO-APIC.
Prospector
Prospector is a flavour of Argos that performs more aggressive data tracking for more comprehensive signature generation.
Please consult the research paper and the included documentation files for more information.
New Argos web site
18/03/2009
Our website got a new look. You will also notice that we added a "Use Cases" page, which lists the security frameworks that are currently using Argos.
Argos 0.4.1 released
21/05/2008
The new version of Argos (0.4.1) contains bug fixes related to taint tracking. It is recommended to update to the latest version of Argos, since it solves issues with reported false positives. Checking the CALL instruction for tainted operands has also been re-enabled, since it no longer seems to cause problems with Windows systems. The use of a whitelist is no longer necessary either, since the false positives reported by 2.6.* Linux kernels are also solved. Finally, crashes reported with Windows 2000 guest systems also seem to be solved. If any user discovers false positives after these changes, please notify the developers immediately.
Argos version 0.4.0 released
29/02/2008
Finally, the long awaited port to the QEMU 0.9.* series is here. Argos v0.4.0 is based upon QEMU v0.9.1. Additional changes, besides the port, include a double taint check before executing a piece of code, to ensure that attackers' injected code is always detected at the moment it is first executed. The check is performed whenever a TB (translation block) is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover the TB chaining performed by QEMU to speed up emulation: a chained block is entered without going through the scheduler, so the scheduler-side check alone would miss it. In the future we might consider disabling chaining, if a single check offers a significant performance gain.
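The two-point check described above, as an added toy illustration that is not Argos code: a tiny machine model marks network bytes as tainted, propagates taint through copies, and refuses to load EIP from tainted data or to execute tainted bytes, checking both when a block is scheduled and at the instruction that modifies EIP. The mini instruction set, opcode values, memory layout and the sample payloads are constructed for the example and are not Argos internals.

```python
"""Toy model of the execution-time taint check described for Argos 0.4.0:
network bytes are tainted, taint follows them through copies, and execution
halts the moment the instruction pointer is loaded from, or lands in, tainted
memory. Added illustration only; the mini instruction set, memory layout and
opcode values are assumptions, not Argos internals."""
from dataclasses import dataclass, field

# Assumed toy opcodes (little-endian 16-bit operands).
OP_NOP, OP_HALT, OP_JMP, OP_JMPIND, OP_COPY = 0x00, 0x01, 0x02, 0x03, 0x04


class TaintedExecution(Exception):
    """Raised when execution would proceed from or into tainted memory."""


@dataclass
class Machine:
    mem: bytearray
    taint: bytearray                       # one flag per byte of mem
    trace: list = field(default_factory=list)

    def rd16(self, a):
        return self.mem[a] | (self.mem[a + 1] << 8)

    def net_recv(self, addr, payload):
        """The network is the taint source: every received byte is flagged."""
        self.mem[addr:addr + len(payload)] = payload
        self.taint[addr:addr + len(payload)] = b"\x01" * len(payload)

    def copy(self, dst, src, n):
        """Taint propagates with the data (models a memcpy into a stack slot)."""
        self.mem[dst:dst + n] = self.mem[src:src + n]
        self.taint[dst:dst + n] = self.taint[src:src + n]

    def check_eip(self, eip, eip_tainted, where):
        """Both check points share one rule: the new EIP value must not be
        derived from tainted data, and the bytes it points at must be clean."""
        self.trace.append(where)
        if eip_tainted or self.taint[eip]:
            raise TaintedExecution(f"{where}: eip=0x{eip:04x}")


def run(m, start, max_steps=1000):
    eip, eip_t = start, 0
    for _ in range(max_steps):
        # Check 1: the scheduler is about to execute a block starting at eip.
        m.check_eip(eip, eip_t, "tb-schedule")
        while True:                        # one straight-line block
            op = m.mem[eip]
            if op == OP_NOP:
                eip += 1
            elif op == OP_HALT:
                return "halt"
            elif op == OP_COPY:            # COPY dst16 src16 n8
                dst, src, n = m.rd16(eip + 1), m.rd16(eip + 3), m.mem[eip + 5]
                m.copy(dst, src, n)
                eip += 6
            elif op == OP_JMP:             # direct jump: target lives in the code
                tgt = m.rd16(eip + 1)
                t = m.taint[eip + 1] | m.taint[eip + 2]
                eip, eip_t = tgt, t
                # Check 2: inside the translated block, right where EIP changes.
                # Chained blocks bypass the scheduler, so check 1 alone could miss this.
                m.check_eip(eip, eip_t, "eip-modified")
                break
            elif op == OP_JMPIND:          # indirect jump through a memory slot
                ptr = m.rd16(eip + 1)
                tgt = m.rd16(ptr)
                t = m.taint[ptr] | m.taint[ptr + 1]
                eip, eip_t = tgt, t
                m.check_eip(eip, eip_t, "eip-modified")
                break
            else:
                raise ValueError(f"bad opcode 0x{op:02x} at 0x{eip:04x}")
    raise RuntimeError("step limit reached")


def detect(m, start):
    """Run and report either 'halt' or which check caught tainted execution."""
    try:
        return run(m, start)
    except TaintedExecution as e:
        return "tainted@" + str(e).split(":")[0]


def new_machine():
    return Machine(bytearray(0x400), bytearray(0x400))


def scenario_benign():
    """Clean code with a direct jump: both checks pass, program halts normally."""
    m = new_machine()
    m.mem[0x100:0x107] = bytes([OP_NOP, OP_JMP, 0x05, 0x01, OP_NOP, OP_NOP, OP_HALT])
    return detect(m, 0x100)


def scenario_overwritten_pointer():
    """Constructed case: received bytes are copied over a code pointer that a
    later indirect jump consumes, so EIP itself is derived from tainted data."""
    m = new_machine()
    m.mem[0x300:0x302] = (0x0110).to_bytes(2, "little")   # legitimate target
    m.mem[0x110] = OP_HALT
    m.net_recv(0x200, bytes([0x00, 0x02]))                # constructed payload
    m.mem[0x100:0x109] = bytes([OP_COPY, 0x00, 0x03, 0x00, 0x02, 0x02,  # 2 bytes 0x200->0x300
                                OP_JMPIND, 0x00, 0x03])   # jump via slot at 0x300
    return detect(m, 0x100)


def scenario_entry_in_payload():
    """Constructed case: a block is scheduled to start inside the received
    buffer, so the scheduler-side check fires before any byte executes."""
    m = new_machine()
    m.net_recv(0x200, bytes([OP_NOP, OP_HALT]))
    return detect(m, 0x200)


if __name__ == "__main__":
    for f in (scenario_benign, scenario_overwritten_pointer, scenario_entry_in_payload):
        print(f"{f.__name__}: {f()}")
```

The model runs both checks on every transfer, which is redundant here; the point it makes is the one from the release note: the check inside the translated code catches the transfer that block chaining would otherwise hide from the scheduler, while the scheduler-side check still covers blocks entered the normal way.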
Improved argos network logs conversion utility
25/01/2008
A new argos-utils package has been released, containing the utility netlog2pcap, which converts an argos network log to a pcap log without using Ethereal's text2pcap. The older raw2pcap is also included, with a small bug fix. Thanks go to Tillmann Werner.
New logs processing library
18/01/2008
Version 0.1.3 of the logs processing library has been released. It contains large file support for Linux, as well as a bug fix for cargos_lib_csi_mbnext().