1 / 31

Lecture 14 Overview


Presentation Transcript


  1. Lecture 14 Overview

  2. Program Flaws
     • Taxonomy of flaws, classified by:
       • how (genesis)
       • when (time)
       • where (location)
       the flaw was introduced into the system
     CS 450/650 Lecture 14: Program Flaws

  3. Security Flaws by Genesis
     • Genesis
       • Intentional
         • Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
         • Non-malicious
       • Inadvertent
         • Validation error
         • Domain error
         • Serialization error
         • Identification/authentication error
         • Other error

  4. Flaws by Time
     • Time of introduction
       • During development
         • Requirement/specification/design
         • Source code
         • Object code
       • During maintenance
       • During operation

  5. Flaws by Location
     • Location
       • Software
         • Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
         • Support tools: privileged utilities, unprivileged utilities
         • Application
       • Hardware

  6. Malware Evolution
     • 1980s
       • Malware for entertainment (pranks)
       • 1983: “virus”
       • 1988: Internet Worm
     • 1990s
       • Malware for social status / experiments
       • 1990: antivirus software
     • Early 2000s
       • Malware to spam
     • Mid 2000s
       • Criminal malware

  7. Lecture 15: Malicious Codes
     CS 450/650 Fundamentals of Integrated Computer Security
     Slides are modified from Csilla Farkas and Brandon Phillips

  8. Kinds of Malicious Codes
     • Virus: a program that attaches copies of itself into other programs.
       • Propagates and performs some unwanted function
       • Viruses are not programs
     • Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
     CS 450/650 Lecture 15: Malicious Codes

  9. Kinds of Malicious Code
     • Worm: a program that propagates copies of itself through the network.
       • Independent program.
       • May carry other code, including programs and viruses.
     • Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.

  10. Kinds of Malicious Code
     • Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources
       • Denying the user access to the resources
     • Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered
       • When triggered, malicious code is executed

  11. Kinds of Malicious Code
     • Trojan Horse: secret, undocumented routine embedded within a useful program
       • Execution of the program results in execution of secret code
     • Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication
     • Dropper: Not a virus or infected file
       • When executed, it installs a virus into memory, on to the disk, or into a file

  12. Malware Proliferation (Microsoft Security Intelligence Report 6)
     (figure only; no transcript text)

  13. Malware Families
     (figure only; no transcript text)

  14. Regional Threat Categories (Microsoft Security Intelligence Report 6)
     (figure only; no transcript text)

  15. Virus Lifecycle
     • Dormant phase: the virus is idle
       • not all viruses have this stage
     • Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
     • Triggering phase: the virus is activated to perform the function for which it was created
     • Execution phase: the function is performed
       • The function may be harmless or damaging

  16. Virus Types
     • Parasitic virus:
       • Attaches itself to a file and replicates when the infected program is executed
       • most common form
     • Memory resident virus:
       • lodged in main memory as part of a resident system program
       • Virus may infect every program that executes

  17. Virus Types
     • Boot Sector Viruses:
       • Infects the boot record and spreads when the system is booted
       • Gains control of the machine before the virus detection tools
       • Very hard to notice
     • Macro Virus:
       • virus is part of the macro associated with a document

  18. Virus Types
     • Stealth virus:
       • A form of virus explicitly designed to hide from detection by antivirus software
     • Polymorphic virus:
       • A virus that mutates with every infection, making detection by the “signature” of the virus difficult

  19. How Viruses Append
     (figure: original program + virus = virus appended to program)

  20. How Viruses Append
     (figure: original program + virus = Virus-1 before and Virus-2 after the program; virus surrounding a program)

  21. How Viruses Append
     (figure: original program + virus = Virus-1 through Virus-4 interleaved with the program; virus integrated into program)

  22. How Viruses Gain Control
     • Virus V has to be invoked instead of target T
       • V overwrites T
       • V changes pointers from T to V

  23. High-Risk Virus Properties
     • Hard to detect
     • Hard to destroy
     • Spread infection widely
     • Can re-infect
     • Easy to create
     • Machine independent

  24. Virus Signatures
     • Storage pattern
       • Code always located at a specific address
       • Increased file size
     • Execution pattern
     • Transmission pattern
     • Polymorphic Viruses

  25. Antivirus Approaches
     • Detection:
       • determine infection and locate the virus
     • Identification:
       • identify the specific virus
     • Removal:
       • remove the virus from all infected systems, so the disease cannot spread further
     • Recovery:
       • restore the system to its original state
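The "Virus Signatures" and "Antivirus Approaches" slides together describe what a scanner actually checks: a fixed storage pattern (a known byte sequence) and an unexplained growth in file size, then the detection and identification steps built on them. The following Python example is added here to make that concrete; it is not code from the lecture or its sources. It keeps a trusted baseline (size and SHA-256) for a program, matches a tiny constructed signature database, and reports detection (something is wrong) separately from identification (which family). The sample "programs" and "signatures" are constructed byte strings, not real malware, and the `mutate` helper only models the polymorphic case from the slides: the same bytes re-encoded so the fixed pattern no longer matches, which is why the integrity baseline still has to flag the file. Removal and recovery are not modelled.

```python
"""Toy signature scanner plus integrity baseline (added example, not from the slides).

Demonstrates the storage-pattern and increased-file-size signatures from the
'Virus Signatures' slide and the detection/identification split from the
'Antivirus Approaches' slide. All sample data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed signature database: family name -> fixed byte pattern (assumption).
SIGNATURES: Dict[str, bytes] = {
    "DemoAppender": b"DEMO-APPENDER-v1",
    "DemoSurround": b"DEMO-SURROUND-v1",
}


@dataclass
class Baseline:
    """What a trusted copy of a program looked like when it was installed."""
    size: int
    sha256: str


def make_baseline(data: bytes) -> Baseline:
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def identify(data: bytes) -> List[str]:
    """Identification step: which known families' storage patterns appear."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan(data: bytes, baseline: Optional[Baseline] = None) -> dict:
    """Detection step: a signature hit OR any change from the trusted baseline.

    size_delta shows the 'increased file size' signature; modified catches
    variants whose bytes changed (polymorphic) even when no pattern matched.
    """
    families = identify(data)
    result = {"signature_hit": families, "modified": False, "size_delta": 0}
    if baseline is not None:
        current = make_baseline(data)
        result["modified"] = current.sha256 != baseline.sha256
        result["size_delta"] = current.size - baseline.size
    result["infected"] = bool(families) or result["modified"]
    return result


def mutate(pattern: bytes, key: int) -> bytes:
    """Model a polymorphic variant on disk: same content, different byte encoding.

    A single-byte XOR is used purely so the fixed pattern stops matching.
    """
    return bytes(b ^ key for b in pattern)


# Constructed samples mirroring the 'How Viruses Append' figures.
CLEAN = b"\x7fELF" + b"clean program body" * 4
APPENDED = CLEAN + b"DEMO-APPENDER-v1" + b"payload stub"          # virus appended
SURROUNDED = b"DEMO-SURROUND-v1" + CLEAN + b"DEMO-SURROUND-v1"   # virus surrounding
POLYMORPHIC = CLEAN + mutate(b"DEMO-APPENDER-v1", 0x5A)           # pattern re-encoded


def demo() -> Dict[str, dict]:
    """Scan each sample against the baseline taken from the clean program."""
    base = make_baseline(CLEAN)
    return {
        "clean": scan(CLEAN, base),
        "appended": scan(APPENDED, base),
        "surrounded": scan(SURROUNDED, base),
        "polymorphic": scan(POLYMORPHIC, base),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name:12s} {report}")
```

The useful observation is in the last row of `demo()`: the polymorphic sample produces no signature hit, so identification fails, yet detection still succeeds because the hash and size no longer match the baseline. That is the practical reason integrity monitoring of installed programs is kept alongside pattern matching.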

  26. Preventing Virus Infection
     • Prevention:
       • Good source of software installed
       • Isolated testing phase
       • Use virus detectors
     • Limit damage:
       • Make a bootable diskette
       • Make and retain backup copies of important resources

  27. Nyxem Email Virus
     • Estimate of total number of infected computers is between 470K and 945K
     • At least 45K of the infected computers were also compromised by other forms of spyware or botware
     (figure: Spread)

  28. Worm
     • Self-replicating (like virus)
     • Objective: system penetration (intruder)
     • Phases: dormant, propagation, triggering, and execution
     • Propagation:
       • Searches for other systems to infect
         • e.g., host tables
       • Establishes connection with remote system
       • Copies itself to remote system
       • Execute

  29. Code-Red Worm
     • On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours
     (figure: Spread)

  30. Sapphire/Slammer Worm
     • was the fastest computer worm in history
     • doubled in size every 8.5 seconds
     • infected more than 90 percent of the ~75K vulnerable hosts within 10 minutes

  31. Witty Worm
     • reached its peak activity after approximately 45 minutes
       • at which point the majority of vulnerable hosts had been infected
     (figure: infection over time, panels World and USA)
