260 likes | 400 Views
Outline for Today’s Lecture. Administrative: Objective: Viruses and worms. Viruses and Worms. Virus = program can reproduce itself by attaching its code to another executable program Activated by executing its host Worm = program which replicates itself and causes execution of new copy
E N D
Outline for Today’s Lecture Administrative: Objective: • Viruses and worms
Viruses and Worms • Virus = program can reproduce itself by attaching its code to another executable program • Activated by executing its host • Worm = program which replicates itself and causes execution of new copy • Self-contained • Hijacks or creates a new process
Lifecycle of an Attack Scan ports Ping addresses Guess passwordsGet address email address book Probe Penetrate Mail attachmentsBuffer overflowsBackdoorsMacros Paralyze Do damageDestroy dataDenial of ServiceLeak information Persist Propagate Create / modify filesInfect boot sectorModify registryWeaken security settingsHide and disguise actions Use email clientBring up own SMTPor http serversftp
History of Worms 1982 – PARC envisions works as an administrative mechanism to perform legit tasks on distributed system 1988 – Morris worm is the first Internet worm (with dramatic consequences) … 2001 – Code Red 2003 – Slammer, Blaster 2004 – Sasser, Witty
The Morris Internet Worm • Nov. 1988, Robert Morris, Cornell grad student • Consisted of two programs • bootstrap to upload worm • the worm itself • Worm first hid its existence • Next replicated itself on new machines • rsh • finger name@site - overflow finger daemon’s stack with long string • Bug in sendmail to mail bootstrap & exec it • Tried to break user passwords and go on • Too aggressive – let 1 in 7 re-infects live • Caught and convicted
Often < 1 day Stopping Attacks • CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked. Fields reports of security break-ins • Traditional timeline of attack Application released with bug Good guyspatch fast Vulnerability announced& patchreleased Attack released Bad guys create attack
How Viruses Work • Virus usually written in assembly language • Inserted into another program • use tool called a “dropper” • Virus dormant until program executed • then infects other programs • eventually executes its “payload” • possibly waits for significant date
How Viruses Work • An executable program • with a parasitic virus at the front • at the end • spread over free space within program (cavity virus)
How Viruses Work Boot sector viruses 1st hide the real boot sector When booted, copies virus into memory, making it a memory resident virus Then boots the OS Device driver infected with virus, loads it at boot time.
How Viruses Work • After virus has captured interrupt, trap vectors • Syscall trap a good one. Can look for exec calls • After OS has retaken printer interrupt vector • After virus has noticed loss of printer interrupt vector and recaptured it
How Viruses Work Macros Applications like Word or Excel allow macros that get executed via keystroke or menu Attach a macro to open file function and you are off and running Can be sent in email attachments Some emailers automatically open attachments
How Viruses Spread • Virus placed where likely to be copied • When copied • infects programs on hard drive, floppy • may try to spread over LAN • Attach to innocent looking email • when it runs, use mailing list to replicate
Stopping Attacks • Identifying viruses and worms before they execute • antivirus • trusted code only • Catch’em in the act of misbehaving before they do harm • Monitoring and controlling what suspicious code can do • interpreters and sandboxing
Antivirus and Anti-Antivirus Techniques (a) A program (b) Infected program, metadata giveaways (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques Examples of a polymorphic virus All of these examples do the same thing Mutation engine – code that morphs the signature part of the virus each time it spreads
Antivirus and Anti-Antivirus Techniques • Integrity checkers - checksums • Behavioral checkers • Virus avoidance • good OS • install only shrink-wrapped software • use antivirus software • do not click on attachments to email • avoid active content • frequent backups • Recovery from virus attack • halt computer, reboot from safe disk, run antivirus
Trusted Mobile Code When code is intentionally brought in, what can you do to protect yourself?Only download code from sources you trust – use digitally signed code
Mobile Code Sandboxing Confine the effects of running (untrusted) code(a) Memory divided into 1-MB sandboxes(b) One way of checking an instruction for validity
Interpreted Mobile Code Applets can be interpreted by a Web browser
Interpretation • Interpreter never lets go of the program counter itself • Interpreter can check each instruction as it is emulated • Transfers of control flow are the danger points • Performance cost, but can be mitigated
Covert Channels Can information be leaked from “confined” processes? Encapsulated server can still leak to collaborator via covert channels:Observable performance patterns (e.g., busy/blocked, page faulting)
Covert Channels A covert channel using file locking
Covert Channels • Pictures appear the same • 7-bit colors can not be distinguished from 8-bit colors • Picture on right has text of 5 Shakespeare plays • Compressed & encrypted, inserted into low order bits of color values Hamlet, Macbeth, Julius Caesar Merchant of Venice, King Lear Zebras
Is it a Technical Problem? Lots of known solution techniques • Access control • Crypto • Firewalls • Intrusion detection So why isn’t it a solved problem?
Economics “The party who is in a position to protect a system is not the party who would suffer the results of security failure.” Ross Anderson Security • For whom is it built? • Who pays for it?