PROGRAM SECURITY
Text Book: Security in Computing
Charles P. Pfleeger
From Charles P. Pfleeger, Security in Computing, 2nd Edition, Prentice Hall, 1996
Malicious Code
■ By themselves, programs are seldom security threats.
■ Most users don't know which programs run in addition to their own, which programs are modified, or which files are changed, because they usually do not see computer data directly. Malicious people can therefore make programs serve as vehicles to access and change data and other programs.
Malicious Code (cont.)
When a user installs a software package or a plug-in from the Internet, or downloads an application such as a Java applet or an ActiveX control while viewing a web site, many programs and data are transferred and many modifications may be made to existing files, all without the user's explicit consent or knowledge.
→ We should worry about malicious code.
Malicious Code (cont.)
■ Malicious code can do anything any other program can do (writing data, stopping a running program, erasing a file, etc.).
■ Malicious code can do nothing at all right now; it can be planted to lie dormant, undetected, until some event triggers the code to act, such as:
- A time or date trigger
- An interval (e.g. after 30 minutes)
- An event (e.g. when a particular program is executed)
- A condition (e.g. when communication occurs on a network)
- A count (e.g. the fifth time something happens)
- A random situation
- etc.
OR some combination of these, OR different things each time.
■ Malicious code runs under the user's authority, but without the user's permission or even knowledge.
Program Flaws
■ Programs behaving unexpectedly
■ Intentional malicious code
■ Unintentional flaws that can be exploited
■ There are no techniques to stop all program flaws
■ Program controls apply at the level of the individual program and programmer
■ Software engineering techniques change very rapidly
Kinds of Malicious Code
■ Malicious code or rogue program is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.
■ The agent is the writer of the program or the person who causes its distribution.
Kinds of Malicious Code
■ Virus - A program that can replicate itself and pass malicious code to other nonmalicious programs by modifying them
■ Transient - Runs when its attached program executes and terminates when its attached program ends
■ Resident - Locates itself in memory so that it can remain active even after its attached program ends
Kinds of Malicious Code (continued)
■ Trojan Horse - A piece of malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect
■ Logic Bomb - A class of malicious code that detonates when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date.
■ Trapdoor / backdoor - A feature in a program by which someone can access the program other than by the obvious direct call (perhaps with special privileges)
Kinds of Malicious Code (continued)
■ Worm - A program that spreads copies of itself through a network.
■ Rabbit - A virus or worm that self-replicates without bound, with the intention of exhausting some computing resource
A worm vs. a virus
■ A worm operates through networks, whereas a virus can spread through any medium.
■ A worm spreads copies of itself as a stand-alone program, whereas a virus spreads copies of itself as a program that attaches to or embeds in other programs.
TYPES OF ROGUE PROGRAMS

Type          | Description                                                                         | History / examples
Virus         | Attaches itself to other programs and copies itself in the process.                 | Gerrold72, When Harlie Was One; Cohen83 coined the term at USC
Worm          | Copies itself to other systems without attaching to or infecting another program.   | Brunner75, Shockwave Rider; Shoch & Hupp81, Xerox PARC; Ex: Internet 88, WANK 89
Trojan horse  | Performs some unexpected hidden function.                                           | Homer 1200 B.C.; AIDS Trojan diskette; Ken Thompson's cc
Logic bomb    | Checks for some logical condition before executing unexpected code. Special case: time bomb (4/1). | Legitimate demo disks; Burleson (wasn't a virus)

Example of a logic bomb condition:
IF Fred no longer in employee-data-base THEN Erase all files
Summary of Malicious Code

Code type     | Characteristics
Virus         | Attaches itself to a program and propagates copies of itself to other programs
Trojan horse  | Contains unexpected, additional functionality
Logic bomb    | Triggers action when a condition occurs
Time bomb     | Triggers action when a specified time occurs
Trapdoor      | Allows unauthorized access to functionality
Worm          | Propagates copies of itself through a network
Rabbit        | Replicates itself without limit to exhaust resources
How Viruses Attach
■ Appended Viruses: A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to program.
[Figure: Original Program + Virus Code = Original Program followed by Virus Code]
How Viruses Attach (continued)
■ Viruses that surround a program - Virus code runs the original program but has control before and after its execution.
[Figure: Original Program + Virus Code = Virus Code Part a, then Original Program, then Virus Code Part b]
How Viruses Attach (continued)
■ Integrated Viruses - The virus program replaces some of its target, integrating itself into the original code of the target.
[Figure: Original Program + Virus Code = Modified Program]
How Viruses Attach (continued)
■ Viruses That Replace a Program - Virus code replaces the target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.
Document Viruses
A document virus is implemented within a formatted document, such as a written document, a database, a slide presentation, a picture, or a spreadsheet.
These documents are highly structured files that contain both data and commands. The commands are part of a rich programming language, including macros, variables and procedures, file accesses, and even system calls.
Document Viruses (cont.)
The writer of a document virus uses any of the features of the programming language to perform malicious actions.
The ordinary user usually sees only the content of the document (its text or data), so the virus writer simply includes the virus in the commands part of the document, as in the integrated program virus.
How Viruses Gain Control (continued)
■ The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.
[Figure: before infection, the File Directory entry for T points to T on Disk Storage; after infection, the entry for T points to V on Disk Storage. T = Target, V = Virus]
How Viruses Gain Control
■ The virus (V) has to be invoked instead of the target (T).
The virus writer may find these qualities appealing in a virus:
■ It is hard to detect.
■ It is not easily destroyed or deactivated.
■ It spreads infection widely.
■ It can reinfect its home program or other programs.
■ It is easy to create.
■ It is machine independent and operating system independent.
*** Few viruses meet all these criteria.
Homes for Viruses
■ Boot Sector Viruses
■ Memory-Resident Viruses
■ Other Homes
  ■ Application Programs
  ■ Libraries
Boot Sector Viruses
■ An especially appealing place to house a virus
■ The virus gains control very early in the boot process, before most detection tools are active
■ Operating systems usually make files in the boot area invisible to the user; therefore, virus code is not readily noticed
■ The virus changes the control of the OS instructions executed when a computer is started
Boot Sector Viruses (continued)
■ In an MS-DOS/PC system, the virus may:
  ■ attach itself to either of the system files, IO.SYS or MSDOS.SYS
  ■ attach itself to any other program loaded because of an entry in CONFIG.SYS or AUTOEXEC.BAT
  ■ add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause itself to be loaded.
Memory Resident Viruses
■ The virus attaches itself to memory-resident code
■ The virus is activated many times while the machine is running
■ Once activated, it looks for and infects uninfected carriers
Other Homes for Viruses
■ Application Programs
  ■ A virus macro adds itself to startup directives
  ■ The virus embeds itself in data files
■ Libraries - A desirable home for viruses
  ■ Used by many programs
  ■ Shared between users
  ■ Spreads infections to compilers, linkers, runtime debuggers, etc.
COMPANION ROGUE PROGRAMS
• The operating system decides "which" program with the same name to run
• MS-DOS runs programs with the same name in this order:
- Internal command of the command interpreter ("dir")
- .COM
- .EXE
- .BAT
• A rogue or viral .COM supplanting an .EXE or .BAT program can have the "hidden" attribute set (so the MS-DOS dir command will not show it, but XTREE, etc., will) and end with a specific call to the supplanted program, therefore appearing like the real thing.
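An added illustration, not from the slides or the textbook, of the lookup order above and of the check an administrator could run over a directory listing to spot such companions; the directory contents and the set of internal commands are constructed for the example.

```python
# Internal commands of the command interpreter (a small assumed subset) and
# the lookup order named on the slide.
INTERNAL_COMMANDS = {"DIR", "COPY", "DEL", "TYPE"}
SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# Constructed directory listing for this example: (file name, hidden attribute set).
SAMPLE_DIR = [
    ("EDIT.EXE", False),
    ("EDIT.COM", True),      # hidden companion that shadows EDIT.EXE
    ("BACKUP.BAT", False),
    ("FORMAT.COM", False),   # an ordinary .COM with nothing to shadow
]


def resolve(command, listing):
    """Mimic the MS-DOS lookup: internal command first, then .COM, .EXE, .BAT."""
    name = command.upper()
    if name in INTERNAL_COMMANDS:
        return "<internal " + name + ">"
    present = {fname.upper() for fname, _ in listing}
    for ext in SEARCH_ORDER:
        if name + ext in present:
            return name + ext
    return None


def find_companions(listing):
    """Flag hidden .COM files that shadow an .EXE or .BAT with the same base name."""
    by_base = {}
    for fname, hidden in listing:
        base, _, ext = fname.upper().rpartition(".")
        by_base.setdefault(base, {})["." + ext] = hidden
    suspects = []
    for base, exts in sorted(by_base.items()):
        shadowed = sorted(base + e for e in exts if e in (".EXE", ".BAT"))
        if exts.get(".COM") is True and shadowed:
            suspects.append((base + ".COM", shadowed))
    return suspects


if __name__ == "__main__":
    for cmd in ("dir", "edit", "backup", "format"):
        print(cmd, "->", resolve(cmd, SAMPLE_DIR))
    print("companions:", find_companions(SAMPLE_DIR))
```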
Virus Detection
■ Virus Signature - The execution and spreading characteristics of a virus have certain telltale patterns
■ Virus signatures are used by virus scanners to detect the virus
  ■ Storage Patterns
  ■ Execution Patterns
  ■ Transmission Patterns
Virus Signatures
A virus cannot be completely invisible. Code must be stored somewhere, and the code must be in memory to execute. Moreover, the virus executes in a particular way, using certain methods to spread. Each of these characteristics yields a telltale pattern, called a signature.
A virus scanner looks for the virus signature to detect its existence.
A polymorphic virus changes its appearance to evade such signature matching.
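An added example, not from the textbook, that serves both the "How Viruses Attach" slides and the signature discussion here: a fixed byte-signature scan beside a baseline length/hash check (a storage-pattern check), run over constructed program images. The bytes are made up for the example, not real malware; they imitate an appended virus, a variant of it with different bytes, and an integrated virus of unchanged length.

```python
import hashlib

# Constructed for this example: a made-up "clean" program image and one
# made-up byte pattern standing in for a known virus signature.
CLEAN_PROGRAM = b"MZ\x90\x00program-code-goes-here"
SIGNATURES = {"demo-appended-virus": b"\x90\x90DEMO-VIRUS-BODY\xcc"}

# Three constructed infected images, one per attachment style from the slides.
APPENDED = CLEAN_PROGRAM + SIGNATURES["demo-appended-virus"]   # grows, known bytes
VARIANT = CLEAN_PROGRAM + b"\x90\x90DEMO-VIRUS-B0DY\xcc"        # grows, bytes differ
INTEGRATED = CLEAN_PROGRAM[:4] + b"XXXX" + CLEAN_PROGRAM[8:]    # same length, bytes replaced


def scan_for_signatures(image, signatures=SIGNATURES):
    """Signature check: return the names of known byte patterns found in the image."""
    return [name for name, pattern in signatures.items() if pattern in image]


def baseline(image):
    """Record the storage pattern (length and SHA-256) of a known-good program."""
    return {"length": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def check_integrity(image, base):
    """Compare a stored image against its baseline and list every deviation."""
    findings = []
    if len(image) != base["length"]:
        findings.append("length changed by %+d bytes" % (len(image) - base["length"]))
    if hashlib.sha256(image).hexdigest() != base["sha256"]:
        findings.append("hash mismatch")
    return findings


def assess(image, base, signatures=SIGNATURES):
    """Combine both checks: the integrity check catches what the signature list does not know."""
    hits = scan_for_signatures(image, signatures)
    deviations = check_integrity(image, base)
    if hits:
        verdict = "known virus"
    elif deviations:
        verdict = "modified, no known signature"
    else:
        verdict = "clean"
    return verdict, hits, deviations


if __name__ == "__main__":
    base = baseline(CLEAN_PROGRAM)
    for label, image in [("clean", CLEAN_PROGRAM), ("appended", APPENDED),
                         ("variant", VARIANT), ("integrated", INTEGRATED)]:
        print(label, assess(image, base))
```

The variant and the integrated image both slip past the signature scan, which is the polymorphism problem in miniature, yet both are still caught because their stored form no longer matches the recorded baseline.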