Date post: 10-Jul-2020
PROGRAM SECURITY Text Book: Security in Computing Charles P. Pfleeger From Charles P. Pfleeger, Security in Computing, 2nd Edition, Prentice Hall, 1996

Malicious Code

■ By themselves, programs are seldom security threats.

■ Most users do not know which programs, in addition to their own, are executed or modified, or which files are changed. Because users usually do not see computer data directly, malicious people can make programs serve as vehicles to access and change data and other programs.


Malicious Code (cont.)

When a user installs a software package or a plug-in from the Internet, or downloads an application such as a Java applet or an ActiveX control while viewing a web site, many programs and data are transferred and many modifications may be made to the user's existing files, all occurring without the user's explicit consent or knowledge.

→ We should worry about malicious code.


Malicious Code (cont.)

■ Malicious code can do anything any other program can (writing data, stopping a running program, erasing a file, etc.).

■ Malicious code can do nothing at all right now; it can be planted to lie dormant, undetected, until some event triggers the code to act, such as:
- A time or date trigger
- An interval (e.g. after 30 minutes)
- An event (e.g. when a particular program is executed)
- A condition (e.g. when communication occurs on a network)
- A count (e.g. the fifth time something happens)
- A random situation
- etc.

OR some combination of these
OR different things each time

■ Malicious code runs under the user's authority, but without the user's permission or even knowledge.


Program Flaws

■ Programs behaving unexpectedly
- Intentional malicious code
- Unintentional flaws that can be exploited

■ There are no techniques to stop all program flaws

■ Program controls apply at the level of the individual program and programmer

■ Software engineering techniques change very rapidly


Kinds of Malicious Code

■ Malicious code or rogue program is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.

■ The agent is the writer of the program or the person who causes its distribution.


Kinds of Malicious Code

■ Virus - A program that can replicate itself and pass malicious code to other nonmalicious programs by modifying them

■ Transient - Runs when its attached program executes and terminates when its attached program ends

■ Resident - Locates itself in memory so that it can remain active even after its attached program ends


Kinds of Malicious Code (continued)

■ Trojan Horse - A piece of malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect

■ Logic Bomb - A class of malicious code that detonates when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date.

■ Trapdoor/backdoor - A feature in a program by which someone can access the program other than by the obvious direct call (perhaps with special privileges)


Kinds of Malicious Code (continued)

■ Worm - A program that spreads copies of itself through a network.

■ Rabbit - A virus or worm that self-replicates without bound, with the intention of exhausting some computing resources


A worm vs. a virus

■ A worm operates through networks, and a virus can spread through any medium.

■ A worm spreads copies of itself as a stand-alone program, whereas the virus spreads copies of itself as a program that attaches to or embeds in other programs.


TYPES OF ROGUE PROGRAMS

A virus attaches itself to other programs and copies itself in the process.
- Gerrold72, When Harlie Was One
- Cohen83 coined the term at USC

A worm copies itself to other systems without attaching to or infecting another program.
- Brunner75, Shockwave Rider
- Shoch & Hupp81, Xerox PARC
- Ex: Internet 88, WANK 89

A Trojan horse performs some unexpected hidden function.
- Homer 1200 B.C.
- AIDS Trojan diskette
- Ken Thompson's cc

A logic bomb checks for some logical condition before executing unexpected code.
- Legitimate demo disks
- Burleson (wasn't a virus)
- Special case: time bomb (4/1)
- IF Fred no longer in employee-data-base THEN Erase all files


Summary of Malicious Code

Virus - Attaches itself to program and propagates copies of itself to other programs

Trojan horse - Contains unexpected, additional functionality

Logic bomb - Triggers action when condition occurs

Time bomb - Triggers action when specified time occurs

Trapdoor - Allows unauthorized access to functionality

Worm - Propagates copies of itself through a network

Rabbit - Replicates itself without limit to exhaust resources


How Viruses Attach

■ Appended Viruses: A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to program.

[Figure: Original Program + Virus Code = Virus Code attached to Original Program]


How Viruses Attach (continued)

■ Viruses that surround a program - Virus code runs the original program but has control before and after its execution.

[Figure: Original Program and Virus Code; afterwards the Original Program sits between Virus Code Part a and Virus Code Part b]


How Viruses Attach (continued)

■ Integrated Viruses - Virus program replaces some of its target, integrating itself into the original code of the target.

[Figure: Original Program + Virus Code = Modified Program]


How Viruses Attach (continued)

■ Viruses That Replace a Program - Virus code replaces the target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.


Document Viruses

A document virus is implemented within a formatted document, such as a written document, a database, a slide presentation, a picture, or a spreadsheet.

These documents are highly structured files that contain both data and commands. The commands are part of a rich programming language, including macros, variables and procedures, file accesses, and even system calls.


Document Viruses (cont.)

The writer of a document virus uses any of the features of the programming language to perform malicious actions.

The ordinary user usually sees only the content of the document (its text or data), so the virus writer simply includes the virus in the commands part of the document, as in the integrated program virus.


How Viruses gain control (Continued)

■ The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.

[Figure: File Directory and Disk Storage, before and after; T = Target, V = Virus]


How Viruses Gain Control

■ The virus (V) has to be invoked instead of the target (T).


The virus writer may find these qualities appealing in a virus:
■ It is hard to detect.
■ It is not easily destroyed or deactivated.
■ It spreads infection widely.
■ It can reinfect its home program or other programs.
■ It is easy to create.
■ It is machine independent and operating system independent.

*** Few viruses meet all these criteria


Homes for Viruses

■ Boot Sector Viruses

■ Memory-Resident Viruses

■ Other Homes
- Application Programs
- Libraries


Boot Sector Viruses

■ An especially appealing place to house a virus

■ Virus gains control very early in the boot process, before most detection tools are active

■ Operating systems usually make files in the boot area invisible to the user; therefore, virus code is not readily noticed

■ Change control on the OS instructions, when a computer is started


Boot Sector Viruses (continued)

■ In an MS-DOS/PC system, the virus may:
- attach itself to either of the system files, IO.SYS or MSDOS.SYS
- attach itself to any other program loaded because of an entry in CONFIG.SYS or AUTOEXEC.BAT
- add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause it to be loaded.


Memory Resident Viruses

■ Virus attaches itself to memory resident code

■ Virus is activated many times while the machine is running

■ Once activated it looks for and infects uninfected carriers


Other Homes for Viruses

■ Application Programs
- Virus macro adds itself to startup directives
- Virus embeds itself in data files

■ Libraries - Desirable home for viruses
- Used by many programs
- Shared between users
- Spreads infections to compilers, linkers, runtime debuggers, etc.


COMPANION ROGUE PROGRAMS

• The operating system decides which of several programs with the same name to run

• MS-DOS runs programs with the same name in this order:
- Internal command of command interpreter ("dir")
- .COM
- .EXE
- .BAT

• A rogue or viral .COM supplanting an .EXE or .BAT program can have the "hidden" attribute set (so MS-DOS dir will not show it [but XTREE, etc., will]) and end with a specific call to the supplanted program, therefore appearing like the real thing.
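A defender's check for the companion pattern described above, as an added example that is not part of the original slides: it applies the listed search order to a directory listing and reports every command name for which an earlier-ranked file would run in place of a same-named one. The function names, severity labels and SAMPLE listing are constructed for illustration.

```python
import os
import stat

# Order in which MS-DOS resolves a bare command name to a file, per the
# slide above (internal commands of the interpreter come first).
SEARCH_ORDER = (".COM", ".EXE", ".BAT")

def find_companions(entries):
    """entries: iterable of (filename, hidden_flag).
    Returns one finding per command name that exists with more than one
    executable extension, naming the file that wins and those it supplants."""
    by_base = {}
    for name, hidden in entries:
        base, ext = os.path.splitext(name.upper())
        if ext in SEARCH_ORDER:
            by_base.setdefault(base, {})[ext] = (name, hidden)
    findings = []
    for base in sorted(by_base):
        found = [by_base[base][e] for e in SEARCH_ORDER if e in by_base[base]]
        if len(found) < 2:
            continue
        winner, hidden = found[0]
        findings.append({
            "command": base,
            "runs": winner,
            "supplanted": [n for n, _ in found[1:]],
            # A hidden winner is the pattern the slide describes: "dir"
            # does not list it, so the user only sees the supplanted file.
            "severity": "high" if hidden else "review",
        })
    return findings

def list_directory(path):
    """Enumerate every file, including ones with the hidden attribute set
    (st_file_attributes is only populated on Windows)."""
    out = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file():
                attrs = getattr(entry.stat(), "st_file_attributes", 0)
                out.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out

# Constructed directory listing for illustration (not from the original page).
SAMPLE = [("EDIT.EXE", False), ("EDIT.COM", True), ("BACKUP.BAT", False),
          ("BACKUP.EXE", False), ("FORMAT.COM", False), ("README.TXT", False)]

if __name__ == "__main__":
    for finding in find_companions(SAMPLE):
        print(finding)
```

Legitimate software sometimes ships same-named files with different extensions, so a "review" finding is a prompt to inspect, while a hidden winner matches the slide's description directly.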


Virus Detection

■ Virus Signature - The execution and spreading characteristics of a virus have certain telltale patterns

■ Virus signatures are used by virus scanners to detect the virus
- Storage Patterns
- Execution Patterns
- Transmission Patterns


Virus Signatures

A virus cannot be completely invisible. Code must be stored somewhere, and the code must be in memory to execute. Moreover, the virus executes in a particular way, using certain methods to spread. Each of these characteristics yields a telltale pattern, called a signature.

A virus scanner looks for the virus signature to detect the virus's existence.

A polymorphic virus changes its appearance.
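How a scanner applies storage-pattern signatures, and why a changed appearance defeats a fixed pattern, shown as an added example that is not from the original slides. The signature names, marker bytes, TAIL_WINDOW value and sample buffers are all constructed, and the XOR re-encoding only stands in for "changes its appearance".

```python
# Constructed signature database: the byte strings are harmless made-up
# markers, not patterns of any real virus.
# Each entry: name, byte pattern, and the storage pattern it is tied to:
#   "head" = pattern sits at the start of the file,
#   "tail" = pattern sits in the last TAIL_WINDOW bytes (appended code),
#   "any"  = pattern may sit anywhere (integrated code).
SIGNATURES = [
    ("DEMO.Appended", b"##DEMO-SIG-APPEND##", "tail"),
    ("DEMO.Integrated", b"##DEMO-SIG-INTEG##", "any"),
]
TAIL_WINDOW = 64  # assumed window size for this example

def scan(data, signatures=SIGNATURES):
    """Return [(signature name, offset)] for every signature found in data."""
    hits = []
    for name, pattern, where in signatures:
        if where == "head":
            offset = 0 if data.startswith(pattern) else -1
        elif where == "tail":
            offset = data.find(pattern, max(0, len(data) - TAIL_WINDOW))
        else:
            offset = data.find(pattern)
        if offset >= 0:
            hits.append((name, offset))
    return hits

def reencode(pattern, key):
    """Same content stored under a different byte encoding: a stand-in for
    a copy whose stored appearance no longer equals the signature."""
    return bytes(b ^ key for b in pattern)

PROGRAM = b"\x90" * 200  # constructed stand-in for an original program
SAMPLES = {
    "clean": PROGRAM,
    "appended": PROGRAM + SIGNATURES[0][1],
    "integrated": PROGRAM[:80] + SIGNATURES[1][1] + PROGRAM[80:],
    "changed-appearance": PROGRAM + reencode(SIGNATURES[0][1], 0x5A),
}

def scan_all(samples=SAMPLES):
    """Scan every constructed sample and return {sample name: hits}."""
    return {name: scan(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:20s} {hits}")
```

The last sample returns no hits even though it carries the same content as the "appended" one, which is the limitation of fixed storage-pattern signatures that the polymorphic case exposes.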

