470 likes | 540 Views
CENG 410: Computer and Network Security. In this Lecture. Program security Non-Malicious Codes Malicious Codes and Viruses How do viruses work How Viruses Gain Control Control Against Program Threat. Program Security.
E N D
In this Lecture • Program security • Non-Malicious Codes • Malicious Codes and Viruses • How do viruses work • How Viruses Gain Control • Control Against Program Threat
Program Security • Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability. • Security means different things to different people • It’s a perspective issue • Program Security Flaw: an inappropriate program behavior caused by a program vulnerability • A flaw can be either a fault or failure • A vulnerability usually describes a class of flaws, such as a buffer overflow • Vulnerability and flaw is viewed as cause and effect
Program Security Flaws • Program security flaws can derive from any kind of software fault • The flaws can result from problems in a single code component or from the failure of several programs or program pieces to interact compatibly through a shared interface • inadvertent human errors • malicious, intentionally induced flaws. • Types of non-malicious flaws • Buffer Overflows, • incomplete mediation, • Time-of-Check to Time-of-Use Errors
Buffer Overflow • It’s a non-malicious program error • Definition: • Abuffer(or array or string) is a space in which data can be held. A buffer resides in memory. Because memory is finite, a buffer's capacity is finite. • A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: Some water is going to spill out and make a mess
Buffer Overflow Example Char sample[10]; for (i=0; i<=9; i++) sample[i] = 'A'; sample[i] = 'B' Suppose each of the ten elements of the array sample is filled with the letter A and the erroneous reference uses the letter B, as follows:
Security Implications of Buffer Overflow • Suppose that a malicious person understands the damage that can be done by a buffer overflow • The attacker may replace code in the system space • If the attacker can gain control by masquerading as the operating system, the attacker can execute many commands in a powerful role. • The attacker may make use of the stack pointer or the return register • An alternative style of buffer overflow occurs when parameter values are passed into a routine, especially when the parameters are passed to a web server on the Internet.
Example-Buffer overflow • Slammer Worm • Saturday, 25 Jan. 2003 around 05:30 UTC • Exploited buffer overflow in Microsoft's SQL Server or MS SQL Desktop Engine (MSDE). • Port 1434 (not a very commonly used port) • Infected > 75,000 hosts (likely more) • Less than 10 minutes! • No malicious payload • Used a single UDP packet with buffer overflow code injection to spread. • Bugs in the Slammer code slowed its growth • The author made mistakes in the random number generator
Example-stack overflow • Occurs when buffer is located on stack - used by Morris Worm “Smashing the Stack” • have local variables below saved frame pointer and return address • –hence overflow of a local buffer can potentially overwrite these key control items • attacker overwrites return address with address of desired code • program, system library or loaded in buffer
Example-Buffer overflow • Heap buffer overflow • Data buffer overflow • Are some other possibilities
DEP – Data execution prevention • Some OS offer the possibility to prevent execution in the data space of memory. • Example: XP sp 2 and later Offer DEP (Data execution prevention) • W7 procedure: • Right click on my computer. • Select properties • Select Advanced system settings • In the advanced tab, under performance, select Settings • Select data execution prevention tab
Incomplete Mediation • Consider the example • http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212 &parm2=2009Jan17 • What would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many? • Programmers can insert some validation techniques to detect these errors. BUT WHAT IF the user modified them in the URL box
Security Implications of Incomplete Mediation • Unchecked data values represent a serious potential vulnerability. • Example, company THINGS that sells boats • http://www.things.com/order.asp?custID=101&part=555A&qy=20&price =10&ship=boat&shipcost=5&total=205 • An attacker can change the quantities and price • The most serious concern about this flaw was the length of time that it could have run undetected
Time-of-Check to Time-of-Use Errors • Modern processors supports out-of-order execution • Instructions that appear adjacent may not be executed in order. This could be intentionally or because of concurrency • Access control should be given to authorized personal • Every requested access must be governed by an access policy stating who is allowed access to what; then the request must be mediated by an access-policy-enforcement agent. • This flaw concerns mediation that is performed with a "bait and switch" in the middle. • It is also known as a serialization or synchronization flaw.
Example of Time-of-Check to Time-of-Use Errors Incomplete mediation flaw can be exploits and the user can change the name descriptor to your_file while checking for access right of my_file. The problem is called a time-of-check to time-of-use flaw because it exploits the delay between the two times. That is, between the time the access was checked and the time the result of the check was used, a change occurred, invalidating the result of the check. • The data structure is essentially a "work ticket," requiring a stamp of authorization • once authorized, it is put on a queue of things to be done • the access control mediator receives the data structure, determines: • If the access should be allowed, and either rejects the access and stops or allows the access and forwards the data structure to the file handler for processing.
Security Implications of Time-of-Check to Time-of-Use Errors • Checking one action and performing another is an example of ineffective access control • We must be wary whenever a time lag or loss of control occurs, making sure that there is no way to corrupt the check's results during that interval. • To prevent exploitation of the time lag: • Ensure that critical parameters are not exposed during any loss of control • The validation routine can initially copy data from the user's space to the routine's area out of the user's reach and perform validation checks on the copy. • the validation routine can seal the request data with a checksum to detect modification.
Combination of Non-malicious Program Flaws The attacker may begin a three-pronged attack by using a buffer overflow to disrupt all execution of arbitrary code on a machine At the same time, the attacker may exploit a time-of-check to time-of-use flaw to add a new user ID to the system. The attacker then logs in as the new user and exploits an incomplete mediation flaw to obtain privileged status, and so forth.
Viruses and Other Malicious Code • Malicious code or rogue program is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage • These programs operate on data, taking action only when data and state changes trigger it. • Much of the work done by a program is invisible to users who are not likely to be aware of any malicious activity. • Software is always working in the background • As a basic user you have no clue of what is changing and what files are being written • By just clicking install or setup, you gave access for the program to your computer
Harm from Malicious Codes • Malicious code can do anything any other program can: • Writing a message on a computer screen • Stopping a running program • Generating a sound • Erasing a stored file • It can be planted to lie dormant, undetected, until some event triggers the code to act • Malicious code runs under the user's authority • It can touch everything the user can touch, and in the same ways without the user's permission or even knowledge.
Virus • A virus is a program that can replicate itself and pass on malicious code to other non-malicious programs by modifying them. • A Virus can be : • Transient virus: That has a life that depends on the life of its host; the virus runs when its attached program executes and terminates when its attached program ends • resident virus: That locates itself in memory; then it can remain active or be activated as a stand-alone program, even after its attached program ends.
Trojan Horse • A Trojan horse is malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect • Example: • Consider a login script that solicits a user identification and password. • The script will pass the id information to the rest of the system for login process • However it retains a copy for itself for malicious use
Logic Bomb and Trapdoor A logic bomb is a class of malicious code that "detonates" or goes off when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date. A trapdoor or backdoor is a feature in a program by which someone can access the program other than by the obvious, direct call, perhaps with special privileges
Worm and Rabbit • A worm is a program that spreads copies of itself through a network. • Differences between a worm and a virus • A worm operates through networks, and a virus can spread through any medium (but usually uses copied program or data files). • A worm spreads copies of itself as a stand-alone program, whereas the virus spreads copies of itself as a program that attaches to or embeds in other programs. • Arabbit is as a virus or worm that self-replicates without bound, with the intention of exhausting some computing resource. • A rabbit might create copies of itself and store them on disk in an effort to completely fill the disk.
How Do We Get a Virus? • Using Setup or install if it contain a virus • Permissions is only required to install the software however since the virus is embedded with the software we also gave permission for it • More common ways are email attachments • A virus could be attached as an executable file or using images that act as an agent for virus transfer
Appended Viruses • a virus inserts a copy of itself into the executable program file before the first executable instruction. • all the virus instructions execute first; after the last virus instruction, control flows naturally to what used to be the first program instruction. A program virus attaches itself to a program; then, whenever the program is run, the virus is activated.
Viruses that Surround a Program An alternative to the attachment is a virus that runs the original program but has control before and after its execution
Integrated Viruses and Replacements A third situation occurs when the virus replaces some of its target, integrating itself into the original code of the target
Document Viruses • the most popular virus type is what we call the document virus • It is implemented within a formatted document, such as a written document, a database, a slide presentation, a picture, or a spreadsheet • These documents are highly structured files that contain both data (words or numbers) and commands (such as formulas, formatting controls, links). • The commands are part of a rich programming language, including macros, variables and procedures, file accesses, and even system calls. • The ordinary user usually sees only the content of the document (its text or data), so the virus writer simply includes the virus in the commands part of the document, as in the integrated program virus.
How Viruses Gain Control • The virus (V) has to be invoked instead of the target (T). • The virus can • Seem to be T and declare that he is T • Push T out and substitute for T by saying call me T • How to do it ? • It can assume T’s name Replacing or Joining T’s Code • The virus can overwrite T in storage • the virus can change the pointers in the file table so that the virus is located instead of T whenever T is accessed through the file system. • The virus can supplant T by altering the sequence that would have invoked T to now invoke the virus V
Home of Viruses • The virus writer may find these qualities appealing in a virus: • It is hard to detect. • It is not easily destroyed or deactivated. • It spreads infection widely. • It can re-infect its home program or other programs. • It is easy to create. • It is machine independent and operating system independent. • One-Time Execution • The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution
Boot Sector Viruses • A special case of virus attachment, but formerly a fairly popular one • When a computer is started: • control begins with firmware that determines which hardware components are present • tests them • transfers control to an operating system • The operating system is software stored on disk • Code copies the operating system from disk to memory and transfers control to it; this copying is called the bootstrap • The firmware does its control transfer by reading a fixed number of bytes from a fixed location on the disk (called the boot sector) to a fixed address in memory and then jumping to that address • The bootstrap loader then reads into memory the rest of the operating system from disk
Boot Sector Viruses • Each block of the bootstrap is chained to (contains the disk location of) the next block. • This chaining allows big bootstraps but also simplifies the installation of a virus. • The virus writer simply breaks the chain at any point, inserts a pointer to the virus code to be executed, and reconnects the chain after the virus has been installed. To allow for change, expansion, and uncertainty, hardware designers reserve a large amount of space for the bootstrap load The boot sector on a PC is slightly less than 512 bytes, but since the loader will be larger than that, the hardware designers support "chaining,"
Memory-Resident Viruses • Some parts of the operating system and most user programs execute, terminate, and disappear, with their space in memory being available for anything executed later • Such code remains in memory and is called "resident" code • Resident routines are sometimes called TSRs or "terminate and stay resident" routines. • Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running • Once activated, the virus can look for and infect uninfected carriers.
Truths and Misconceptions About Viruses Viruses can infect only Microsoft Windows systems. False. Viruses can modify "hidden" or "read-only" files. True Viruses can appear only in data files, or only in Word documents, or only in programs. False. Viruses spread only on disks or only through e-mail. False. Viruses cannot remain in memory after a complete power off/power on reboot. True (if the virus is not resident in the memory) Viruses cannot infect hardware. True. Viruses can be malevolent, benign, or benevolent. True.
Trapdoors • A trapdoor is an undocumented entry point to a module • Developers insert trapdoors during code development • test the module • provide "hooks" by which to connect future modifications or enhancements • allow access if the module should fail in the future.
Examples of trapdoor To test a component on its own, the developer or tester cannot use the surrounding routines that prepare input or work with output
Control Against Program Threat • Three Types of control is discussed: Development, Operating System, and Administration. • Developmental Control: Applied during software development to ferret out and fix problems. • Modularity: Create a design or code in small, self-contained units • Encapsulation: Isolating components from the effects of other components • Information hiding: Some information are kept private from other components
Modularity • Modularization is the process of dividing a task into subtasks • The goal is to have each component meet four conditions: • single-purpose: performs one function • small: consists of an amount of information for which a human can readily grasp both structure and content • simple: is of a low degree of complexity so that a human can readily understand the purpose and structure of the module • independent: performs a task isolated from other modules
Coupling • Coupling refers to the degree with which a component depends on other components in the system • Low or loose coupling is better than high or tight coupling • the loosely coupled components are free from unwitting interference from other components
Encapsulation • Encapsulation hides a component's implementation details • it does not necessarily mean complete isolation • Many components must share information with other components • this sharing is carefully documented so that a component is affected only in known ways by others in the system
Information Hiding • Developers who work where modularization make sure that other components will have limited effect on the ones they write • we can think of a component as a kind of black box, with certain well-defined inputs and outputs and a well-defined function. • Other components' designers do not need to know how the module completes its function
Are we really in danger? Take a look into Windows update list and the frequency of the updates Select one item listed as important Check the Microsoft Security bulletin Understand the vulnerability Understand the severity of the problem What if someone else discover this…
Example: MS10-076 Microsoft Security Bulletin MS10-076 - Critical Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132) Published: October 12, 2010 Version: 1.0 Executive Summary This security update resolves a privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
A real virus X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Yes this is a virus but It is harmless. To test this virus Create a text file on your desktop. Copy past this code As soon as you save, the antivirus will detect it. Stop the antivirus and redo the test. The virus will only display the message in red Reference: http://www.eicar.org/anti_virus_test_file.htm
A real virus: HOW? 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24 48 2B 48 2A Text files are in ASCII Executable files are in binary The binary conversion of this code is a program that can be executed by the Operating system.