
CSCE 522
Lecture 12
Program Security: Malicious Code

CSCE 522 - Farkas 2

Reading

Reading for this lecture:

Required:
– Pfleeger: Ch. 3

Recommended:
– USC Computing Services – Virus Information Center
– L. Constantin, "Eastern European cybercriminals trump Asian counterparts, researchers say", http://www.computerworld.com/s/article/9231563/Eastern_European_cybercriminals_trump_Asian_counterparts_researchers_say?taxonomyId=82&pageNumber=1


Program Flaws

Taxonomy of flaws, by:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system


Security Flaws by Genesis

Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error


Flaws by Time

Time of introduction
– During development
  Requirement/specification/design
  Source code
  Object code
– During maintenance
– During operation


Flaws by Location

Location
– Software
  Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
  Support: privileged utilities, unprivileged utilities
  Application
– Hardware


Slammer Worm

The Slammer worm (Sapphire worm) was the fastest worm in history:
– Start: Saturday, Jan. 25, 2003
– Doubled in size every 8.5 seconds at its peak
– Infected more than 90 percent of the vulnerable hosts within 10 minutes using a vulnerability in Microsoft's SQL Server
– Total infected: more than 75,000 hosts
– Flooded networks all over the world, caused disruptions to financial institutions, ATMs, and even an election in Canada
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.html


History

1982: Elk Cloner
1983: "virus"
1988: Internet Worm
1990: antivirus software
2000s: virus mitigation


Kinds of Malicious Code

Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not stand-alone programs: they cannot run on their own.

Bacteria: make copies of themselves to overwhelm a computer system's resources, denying the user access to those resources.


Kinds of Malicious Code

Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses.

Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.


Kinds of Malicious Code

Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed.

Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.

Dropper: not a virus or infected file itself. When executed, it installs a virus into memory, onto the disk, or into a file.


Virus

Virus lifecycle:
1. Dormant phase: the virus is idle. (Not all viruses have this stage.)
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.


Virus Types

Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.

Memory-resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.


Virus Types

Boot sector viruses:
– Infect the boot record and spread when the system is booted.
– Gain control of the machine before the virus detection tools.
– Very hard to notice.
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS


Virus Types

Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.

Polymorphic virus: a virus that mutates with every infection, making detection by the "signature" of the virus difficult.


How Viruses Append

[Figure: Original program + virus = virus appended to program]

How Viruses Append

[Figure: Original program + virus = virus surrounding a program (Virus-1 before the original program, Virus-2 after it)]

How Viruses Append

[Figure: Original program + virus = virus integrated into program (Virus-1, Virus-2, Virus-3, Virus-4 interleaved with pieces of the original program)]

How Viruses Gain Control

Virus V has to be invoked instead of target T:
– V overwrites T
– V changes pointers from T to V

High-risk virus properties:
– Hard to detect
– Hard to destroy
– Spread infection widely
– Can re-infect
– Easy to create
– Machine independent


Virus Signatures

Storage pattern
– Code always located at a specific address
– Increased file size
Execution pattern
Transmission pattern
Polymorphic viruses


Antivirus Approaches

Detection: determine infection and locate the virus.

Identification: identify the specific virus.

Removal: remove the virus from all infected systems, so the disease cannot spread further.

Recovery: restore the system to its original state.
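An added illustration (not from the lecture) of the Virus Signatures slide and the detection step above, run over constructed in-memory "files": a baseline of size and SHA-256 taken while the system is clean catches an appended body by its storage pattern, even when a mutated (polymorphic-style) variant slips past the byte signature. File contents, names and the signature are all hypothetical.

```python
import hashlib

# Constructed sample "files" (name -> bytes); none of this is real program or virus code.
CLEAN_FILES = {
    "editor.exe": b"MZ\x90\x00 clean editor code",
    "calc.exe": b"MZ\x90\x00 clean calculator code",
}
# Hypothetical signature database: a byte pattern a scanner looks for.
SIGNATURES = {"DEMO-A": b"<<DEMO-VIRUS-BODY>>"}


def baseline(files):
    """Record size and SHA-256 of every file while the system is known clean."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def scan_signatures(files, sigs):
    """Signature scan: report (file, signature name, offset) for every match."""
    return [(n, s, d.find(p)) for n, d in files.items()
            for s, p in sigs.items() if p in d]


def check_storage_pattern(base, files):
    """Storage-pattern check: a file that grew and whose hash changed is suspect."""
    findings = []
    for n, d in files.items():
        if n not in base:
            findings.append((n, "not in baseline"))
            continue
        size, digest = base[n]
        if len(d) > size and hashlib.sha256(d).hexdigest() != digest:
            findings.append((n, f"grew by {len(d) - size} bytes"))
    return findings


def demo():
    """Append the known body to one file and a mutated body to another, then run both checks."""
    base = baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    infected["editor.exe"] += SIGNATURES["DEMO-A"]   # matches the signature
    infected["calc.exe"] += b"<<DEMO-VIRUS-B0DY>>"   # mutated: the signature misses it
    return scan_signatures(infected, SIGNATURES), check_storage_pattern(base, infected)
```

The integrity check flags both files while the signature scan reports only the unmodified body, which is why a baseline of trusted file hashes complements signature scanning.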


Preventing Virus Infection

Prevention:
– Good source of installed software
– Isolated testing phase
– Use virus detectors
Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources


Worm

Self-replicating (like a virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., host tables)
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes


Covert Channel - Trojan Horse

[Figure: John uses MS Word to edit a document that only John is permitted to access. The Spy installs a Trojan Horse (TH) into MS Word, and the TH copies the document to the Spy's document copy.]


Covert Channel

Need: two active agents
– Sender (has access to unauthorized information) – e.g., TH in MS Word
– Receiver (reads sent information) – e.g., program creating the copy

Encoding schema – how the information is sent – e.g.,
  File F exists: 0
  File F does not exist: 1

Synchronization – e.g., when to check for the existence of F


Storage Covert Channels

Based on properties of resources. Examples:
– File locks
– Delete/create file
– Memory allocation


Timing Covert Channel

Time is the factor – how fast. Examples:
– Processing time
– Transmission time


Covert Channel Detection and Removal

Identification:
– Shared resources
– Program code correctness
– Information flow analysis

Removal:
– Total removal – may not be possible
– Reduce bandwidth
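An added model (not from the lecture) of the storage channel defined on the Covert Channel slide (file F exists = 0, absent = 1, one bit per synchronized check) and of the "reduce bandwidth" removal option above. The file system is a constructed in-memory set; the noise parameter stands for a hypothetical mitigation that randomly perturbs the shared resource, and the capacity formula shows how much of the channel that leaves.

```python
import math
import random


def to_bits(message: bytes):
    """Message -> list of bits, most significant bit of each byte first."""
    return [(b >> i) & 1 for b in message for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def run_channel(message: bytes, noise: float = 0.0, seed: int = 0) -> bytes:
    """Simulate the lecture's storage channel on a constructed in-memory file system.
    Encoding: file F exists -> 0, F does not exist -> 1, one bit per synchronized tick.
    `noise` is the probability that the receiver's observation is flipped, modelling a
    mitigation that injects random create/delete activity into the shared resource."""
    rng = random.Random(seed)
    fs = set()             # the shared resource: names of files that currently exist
    received = []
    for bit in to_bits(message):
        if bit == 0:       # sender's turn (e.g. the TH inside MS Word)
            fs.add("F")
        else:
            fs.discard("F")
        observed = 0 if "F" in fs else 1   # receiver's turn, same tick
        if rng.random() < noise:
            observed ^= 1
        received.append(observed)
    return from_bits(received)


def bsc_capacity(p: float) -> float:
    """Capacity (bits per observation) of a binary symmetric channel with flip probability p."""
    if p <= 0.0 or p >= 1.0:
        return 1.0
    h = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return 1.0 - h


def bandwidth_bits_per_second(tick_seconds: float, noise: float) -> float:
    """Upper bound on what the receiver learns per second: one observation per tick,
    scaled by the capacity left after noise. Slower ticks and more noise both reduce it."""
    return bsc_capacity(noise) / tick_seconds
```

With noise at 0.5 the capacity is zero, i.e. the receiver learns nothing per check; lengthening the synchronization tick reduces the channel proportionally without closing it, matching the slide's point that total removal may not be possible.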


Next Class

Network Security