Upload
buixuyen
View
228
Download
3
Embed Size (px)
Citation preview
Software Flaws and Malware
Giảng viên hướng dẫn :
Sinh viên :Hoàng Xuân Nhật HuyNguyễn Nam Tiệp
What are software flaws and malware ?
Program flaws (unintentional)Buffer overflowRace conditions
Malicious software (intentional)VirusesWormsOther breeds of malware
Buffer Overflow
In the following example, a program has two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-endian integer, B.
Initially, A contains nothing but zero bytes, and B contains the number 1979.
Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
"excessive" is 9 characters long and encodes to 10 bytes including the terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:
Race Conditions
Race conditions are commonRace conditions may be more prevalent than buffer
overflowsBut race conditions harder to exploit
Critical race conditions and non-critical race conditions
A critical race occurs when the order in which internal variables are changed determines the eventual state that the state machine will end up in.
A non-critical race occurs when the order in which internal variables are changed does not alter the eventual state..
Dining philosophers problem
0
1
23
4 0 1
4 23
Solutionthink until the left fork is available; when it is, pick it up;think until the right fork is available; when it is, pick it
up;when both forks are held, eat for a fixed amount of time;then, put the right fork down;then, put the left fork down;repeat from the beginning.
Malware
Types of malware (no standard definition) Virus passive propagation Worm active propagation Trojan horse unexpected functionality Trapdoor/backdoor unauthorized access Spyware steals info, such as passwords
Where do Viruses Live?Boot sectorMemoryApplications, macros, data, etc.Library routinesCompilers, debuggers, virus checker, etc.
Malware ExamplesBrain virus (1986)Morris worm (1988)Mac trojan (2001)Backdoor through Powershell (2004)Ardamax keylog (2010)
Virus : Blame virusq First appeared in 1986q More annoying than harmfulq A prototype for later virusesq Not much reaction by usersq What it did
1. Placed itself in boot sector (and other places)2. Screened disk calls to avoid detection3. Each disk read, checked boot sector to see if boot sector
infected; if not, goto 1q Brain did nothing really malicious
Worm : Morris WormFirst appeared in 1988What it tried to do
Determine where it could spread, then……spread its infection and……remain undiscovered
Morris claimed his worm had a bug!It tried to re-infect infected systemsLed to resource exhaustionEffect was like a so-called rabbit
Trojan horse : Mac trojanTrojan: unexpected functionalityFile icon for freeMusic.mp3: For a real mp3, double click on icon
o iTunes openso Music in mp3 file plays
But for freeMusic.mp3, unexpected results
Double click on freeMusic.mp3iTunes opens (expected)“Wild Laugh” (not expected)Message box (not expected)
Backdoor : Power Shell A backdoor is a method of bypassing normal
authentication, securing unauthorized remote access to a computer,
Open a port from 0 to 65535.
Spyware : ArdamaxRecords all typed keystrokes, passwords and hidden
characters.Records a log of all websites visited for all browsers.Ardamax Keylogger can upload recorded logs through
FTP delivery.Record voice from the microphone with real-time
compression.