Date post: 21-Dec-2015
Lecture 15 Overview

Kinds of Malicious Codes

• Virus: a program that attaches copies of itself into other programs.
  – Propagates and performs some unwanted function
  – Viruses are not stand-alone programs
  – Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

CS 450/650 Lecture 15: Malicious Codes

Kinds of Malicious Code

• Worm: a program that propagates copies of itself through the network.
  – Independent program
  – May carry other code, including programs and viruses
  – Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.

Kinds of Malicious Code

• Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources
  – Denying the user access to the resources
• Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered
  – When triggered, malicious code is executed

Kinds of Malicious Code

• Trojan Horse: secret, undocumented routine embedded within a useful program
  – Execution of the program results in execution of the secret code
• Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication
• Dropper: not a virus or infected file
  – When executed, it installs a virus into memory, onto the disk, or into a file

Virus Lifecycle

• Dormant phase: the virus is idle
  – Not all viruses have this stage
• Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
• Triggering phase: the virus is activated to perform the function for which it was created
• Execution phase: the function is performed
  – The function may be harmless or damaging

Virus Types

• Parasitic virus:
  – Attaches itself to a file and replicates when the infected program is executed
  – Most common form
• Memory resident virus:
  – Lodged in main memory as part of a resident system program
  – Virus may infect every program that executes

Virus Types

• Boot Sector Viruses:
  – Infects the boot record and spreads when the system is booted
  – Gains control of the machine before the virus detection tools
  – Very hard to notice
• Macro Virus:
  – Virus is part of the macro associated with a document

Virus Types

• Stealth virus:
  – A form of virus explicitly designed to hide from detection by antivirus software
• Polymorphic virus:
  – A virus that mutates with every infection, making detection by the “signature” of the virus difficult

How Viruses Append

[Figure: three layouts of an infected file]
• Virus appended to program: Original program + virus = Original program followed by the virus
• Virus surrounding a program: Virus-1, Original program, Virus-2
• Virus integrated into program: Virus-1, Virus-2, Virus-3, Virus-4 interleaved with the Original program

How Viruses Gain Control

• Virus V has to be invoked instead of target T
  – V overwrites T
  – V changes pointers from T to V

Virus Signatures

• Storage pattern
  – Code always located at a specific address
  – Increased file size
• Execution pattern
• Transmission pattern
• Polymorphic Viruses

Antivirus Approaches

• Detection:
  – Determine infection and locate the virus
• Identification:
  – Identify the specific virus
• Removal:
  – Remove the virus from all infected systems, so the disease cannot spread further
• Recovery:
  – Restore the system to its original state
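An added example in Python, not from the lecture: a toy scanner that performs the detection and identification steps of the Antivirus Approaches slide against constructed signatures (the names, byte patterns, file contents and baseline sizes are all made up), adds the storage-pattern size check from the Virus Signatures slide, and shows why a polymorphic variant passes the signature match while the size check still fires.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, harmless byte patterns standing in for real virus signatures.
SIGNATURES = {
    "Demo.A": b"DEMO-VIRUS-A",
    "Demo.B": b"DEMO-VIRUS-B",
}

# Constructed baseline of known-good sizes, for the "increased file size"
# storage-pattern check on the Virus Signatures slide.
BASELINE_SIZES = {"hello.exe": 24}

# Constructed clean program and an infected copy laid out as on the
# "How Viruses Append" slide: original program followed by the virus body.
CLEAN = b"MZ" + b"\x90" * 22                 # 24 bytes
INFECTED = CLEAN + SIGNATURES["Demo.A"]


@dataclass
class Verdict:
    infected: bool             # detection: is there a virus at all?
    identified: Optional[str]  # identification: which known virus matched
    size_grew: bool            # storage-pattern indicator


def scan(name: str, data: bytes) -> Verdict:
    """Detection and identification by signature, plus the size check
    against the recorded baseline for this file name."""
    match = next((v for v, sig in SIGNATURES.items() if sig in data), None)
    size_grew = name in BASELINE_SIZES and len(data) > BASELINE_SIZES[name]
    return Verdict(match is not None, match, size_grew)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Model of why a polymorphic virus defeats signature matching: the same
    body under a per-infection key shares no fixed byte pattern with the original."""
    return bytes(b ^ key for b in data)


POLYMORPHIC = CLEAN + xor_bytes(SIGNATURES["Demo.A"], 0x5A)

if __name__ == "__main__":
    for label, data in [("clean", CLEAN), ("infected", INFECTED), ("polymorphic", POLYMORPHIC)]:
        print(label, len(data), scan("hello.exe", data))
```

The size check only works because a trusted baseline for the file exists; without one, the polymorphic sample would pass both checks, which is the slide's point about signatures.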

Preventing Virus Infection

• Prevention:
  – Good source of software installed
  – Isolated testing phase
  – Use virus detectors
• Limit damage:
  – Make a bootable diskette
  – Make and retain backup copies of important resources

Worm

• Self-replicating (like a virus)
• Objective: system penetration (intruder)
• Phases: dormant, propagation, triggering, and execution
• Propagation:
  – Searches for other systems to infect
    • e.g., host tables
  – Establishes connection with remote system
  – Copies itself to remote system
  – Executes

Lecture 16

Targeted Malware

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Csilla Farkas and Brandon Phillips

Targeted Malicious Code

• Trapdoor
  – Undocumented entry point to a module
  – Developers forget to remove them
  – Intentionally leave them in the program for testing
  – Intentionally leave them in the program for maintenance of the finished program, or
  – Intentionally leave them in the program as a covert means of access to the component after it becomes an accepted part of a production system

CS 450/650 Lecture 16: Targeted Malicious Codes

Targeted Malicious Code

• Salami Attack
  – A series of many minor actions that together result in a larger action that would be difficult or illegal to perform at once
  – Ex. Interest computation
• Rootkit
  – A program or coordinated set of programs designed to gain control over a computer system or network of computing systems

Targeted Malicious Code

• Privilege Escalation
  – A means for malicious code to be launched by a user with lower privileges but run with higher privileges
• Interface Illusion
  – A spoofing attack in which all or part of a web page is false
• Keystroke Logging

Targeted Malicious Code

• Man-in-the-Middle Attacks
• Timing Attacks
  – Attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
• Covert Channels
  – Programs that leak information
  – Ex. Hide data in output

Covert Channel - Trojan Horse

[Figure: Only John is permitted to access the MS Word document. The Spy installs a Trojan Horse (TH) in MS Word; when John uses MS Word on the document, the TH copies it into the Spy's copy of the document.]

Covert Channel

• Two active agents
  – Sender (has access to unauthorized information)
    • e.g., Trojan Horse in MS Word
  – Receiver (reads sent information)
    • e.g., program creating the copy
• Encoding schema
  – How the information is sent
    • e.g., file F exists: 0; file F does not exist: 1
• Synchronization
  – e.g., when to check for existence of F

Storage Covert Channels

• Based on properties of resources
  – Pass information by using presence or absence of objects in storage
• Examples:
  – File locks
  – Delete/create file
  – Memory allocation

File Lock Covert Channel

[Figure only]

File Existence Channel Used to Signal 100

[Figure only]

Timing Covert Channel

• Time is the factor: how fast
  – Pass information using the speed at which things happen
• Examples:
  – Processing time
  – Transmission time

Covert Timing Channel

[Figure only]

Covert Channel Detection and Removal

• Identification:
  – Shared resources
  – Program code correctness
  – Information flow analysis
• Removal:
  – Total removal may not be possible
  – Reduce bandwidth
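Added example in Python, not from the slides: the file-existence channel from the Covert Channel slides run in lockstep to signal the value 100 (the "File Existence Channel Used to Signal 100" figure), with a defender-side knob that models the "reduce bandwidth" removal strategy by randomly toggling the shared object, and the channel capacity per sample that remains. The directory is an in-memory set, the object name F is the slide's, and nothing touches the filesystem.

```python
import math
import random

FILE = "F"  # the shared object whose presence encodes a bit (constructed name)

class SharedDir:
    """Directory both agents can see, modelled in memory (no real files)."""
    def __init__(self) -> None:
        self.names: set[str] = set()

    def toggle(self) -> None:
        self.names.symmetric_difference_update({FILE})

def sender(shared: SharedDir, bits: str):
    """Sender (the slide's Trojan Horse). Encoding schema: F exists -> 0,
    F absent -> 1. Yields once per bit; that is the synchronization point."""
    for b in bits:
        (shared.names.add if b == "0" else shared.names.discard)(FILE)
        yield

def receiver_sample(shared: SharedDir) -> str:
    """Receiver checks for F at the agreed time and decodes one bit."""
    return "0" if FILE in shared.names else "1"

def run_channel(bits: str, noise: float = 0.0, seed: int = 0) -> str:
    """Run both agents in lockstep. `noise` is the probability that a defender's
    monitor toggles F between the sender's write and the receiver's sample,
    i.e. the 'reduce bandwidth' removal strategy from the slide."""
    rng = random.Random(seed)
    shared = SharedDir()
    out = []
    for _ in sender(shared, bits):
        if rng.random() < noise:
            shared.toggle()
        out.append(receiver_sample(shared))
    return "".join(out)

def bsc_capacity(p: float) -> float:
    """Bits per sample that survive when each sample is flipped with
    probability p (binary symmetric channel); p = 0.5 leaves no bandwidth."""
    if p <= 0.0 or p >= 1.0:
        return 1.0
    return 1.0 + p * math.log2(p) + (1 - p) * math.log2(1 - p)

if __name__ == "__main__":
    msg = format(100, "b")                       # "1100100", the slide's example
    print(run_channel(msg), bsc_capacity(0.0))   # clean channel delivers 100
    print(run_channel(msg, noise=0.5), bsc_capacity(0.5))
```

Deterministic noise (p = 1.0) just inverts the code and removes nothing; only unpredictable perturbation of the shared resource, ideally p near 0.5, drives the capacity toward zero, which is why the slide says total removal may not be possible and bandwidth reduction is the realistic goal.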

Controls Against Program Threats

• Prevent threats during software development
  – Modularity
    • Security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components

Controls Against Program Threats

• Prevent threats during software development
  – Encapsulation
    • Hide a component's implementation details
    • Minimize interfaces to reduce covert channels
  – Information hiding
    • A component as a kind of black box
    • Components will have limited effect on other components

Controls Against Program Threats

• Peer Reviews
  – Hazard Analysis
    • Set of systematic techniques to expose potentially hazardous system states
  – Testing
    • Unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing

Controls Against Program Threats

• Good Design
  – Using a philosophy of fault tolerance
  – Have a consistent policy for handling failures
  – Capture the design rationale and history
  – Use design patterns
• Prediction
  – Predict the risks involved in building and using the system

Controls Against Program Threats

• Static Analysis
  – Use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
• Configuration Management
  – Control changes during development and maintenance
• Analysis of Mistakes
• Proofs of Program Correctness
  – Can we prove that there are no security holes?

Operating System Controls on Use of Programs

• Trusted Software
  – Code has been rigorously developed and analyzed
    • Functional correctness
    • Enforcement of integrity
    • Limited privilege
    • Appropriate confidence level

Operating System Controls on Use of Programs

• Mutual Suspicion
  – Assume the other program is not trustworthy
• Confinement
  – Limit the resources that a program can access
• Access Log
  – List who accessed computer objects, when, and for how long

Administrative Controls

• Standards of Program Development
  – Standards of design
  – Standards of documentation, language, and coding style
  – Standards of programming
  – Standards of testing
  – Standards of configuration management
• Security Audits
• Separation of Duties

