November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.

Slides:



Advertisements
Similar presentations
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Advertisements

Lectures on File Management
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Lecturer: Fadwa Tlaelan
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Chapter 3 (Part 1) Network Security
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #19-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Unit 18 Data Security 1.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Fall 2008CS 334: Computer SecuritySlide #1 Malicious Logic Trojan Horses Viruses Worms.
Security, Privacy, and Ethics Online Computer Crimes.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #22-1 Chapter 22: Malicious Logic What is malicious logic Types of malicious.
Malicious Logic What is malicious logic Defenses
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Computer Viruses Preetha Annamalai Niranjan Potnis.
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:
Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
VIRUSES - Janhavi Naik. Overview Structure Classification Categories.
Structure Classifications &
Defense Against the Dark Arts Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: Types.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Viruses, Trojans and Worms The commonest computer threats are viruses. Virus A virus is a computer program which changes the way in which the computer.
Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
Name: Perpetual Ifeanyi Onyia Topic: Virus, Worms, & Trojan Horses.
30.1 Lecture 30 Security II Based on Silberschatz & Galvin’s slides And Stallings’ slides.
For any query mail to or BITS Pilani Lecture # 1.
Copyright © 2007 Heathkit Company, Inc. All Rights Reserved PC Fundamentals Presentation 25 – Virus Detection and Prevention.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Security CS Introduction to Operating Systems.
Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.
CONTENTS What is Virus ? Types of computer viruses.
VIRUS.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
VIRUSES AND SECURITY  In an information-driven world, individuals and organization must manage and protect against risks such as viruses, which are spread.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
ANTIVIRUS ANTIVIRUS Author: Somnath G. Kavalase Junior Software developer at PBWebvsion PVT.LTD.
Detected by, M.Nitin kumar ( ) Sagar kumar sahu ( )
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
Computer Viruses Author: Alyse Allen.
Chapter Objectives In this chapter, you will learn:
Chapter 19. Malicious Logic
Chapter 1: Introduction
Chapter 22: Malicious Logic
Chap 10 Malicious Software.
Chapter 22: Malicious Logic
Chapter 2: Operating-System Structures
Security.
Chap 10 Malicious Software.
Malicious Program and Protection
Chapter 2: Operating-System Structures
Presentation transcript:

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic Defenses

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-2 Overview Defining malicious logic Types –Trojan horses –Computer viruses and worms –Other types Defenses –Properties of malicious logic –Trust

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-3 Malicious Logic Set of instructions that cause site security policy to be violated

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-4 Trojan Horse Program with an overt purpose (known to user) and a covert purpose (unknown to user) –Often called a Trojan –Named by Dan Edwards in Anderson Report Example: previous script is Trojan horse –Overt purpose: list files in directory –Covert purpose: create setuid shell

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-5 Computer Virus Program that inserts itself into one or more files and performs some action –Insertion phase is inserting itself into file –Execution phase is performing some (possibly null) action Insertion phase must be present –Need not always be executed –Lehigh virus inserted itself into boot file only if boot file not infected

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-6 TSR Viruses A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed –TSR is “Terminate and Stay Resident” Examples: Brain, Jerusalem viruses –Stay in memory after program or disk mount is completed

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-7 Stealth Viruses A virus that conceals infection of files Example: IDF virus modifies DOS service interrupt handler as follows: –Request for file length: return length of uninfected file –Request to open file: temporarily disinfect file, and reinfect on closing –Request to load file for execution: load infected file

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-8 Encrypted Viruses A virus that is enciphered except for a small deciphering routine –Detecting virus by signature now much harder as most of virus is enciphered

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-9 Polymorphic Viruses A virus that changes its form each time it inserts itself into another program Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine At instruction level: substitute instructions At algorithm level: different algorithms to achieve the same purpose Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-10 Example These are different instructions (with different bit patterns) but have the same effect: –add 0 to register –subtract 0 from register –xor 0 with register –no-op Polymorphic virus would pick randomly from among these instructions

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-11 Macro Viruses A virus composed of a sequence of instructions that are interpreted rather than executed directly Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus spreadsheet virus) Independent of machine architecture –But their effects may be machine dependent

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-12 Computer Worms A program that copies itself from one computer to another Origins: distributed computations –Schoch and Hupp: animations, broadcast messages –Segment: part of program copied onto workstation –Segment processes data, communicates with worm’s controller –Any activity on workstation caused segment to shut down

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-13 Logic Bombs A program that performs an action that violates the site security policy when some external event occurs Example: program that deletes company’s payroll records when one particular record is deleted –The “particular record” is usually that of the person writing the logic bomb –Idea is if (when) he or she is fired, and the payroll record deleted, the company loses all those records

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-14 Defenses Distinguish between data, instructions Limit objects accessible to processes Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statistical characteristics

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-15 Data vs. Instructions Malicious logic is both –Virus: written to program (data); then executes (instructions) Approach: treat “data” and “instructions” as separate types, and require certifying authority to approve conversion –Keys are assumption that certifying authority will not make mistakes and assumption that tools, supporting infrastructure used in certifying process are not corrupt

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-16 Example: LOCK Logical Coprocessor Kernel –Designed to be certified at TCSEC A1 level Compiled programs are type “data” –Sequence of specific, auditable events required to change type to “executable” Cannot modify “executable” objects –So viruses can’t insert themselves into programs (no infection phase)

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-17 Limiting Accessibility Basis: a user (unknowingly) executes malicious logic, which then executes with all that user’s privileges –Limiting accessibility of objects should limit spread of malicious logic and effects of its actions Approach draws on mechanisms for confinement

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-18 Information Flow Metrics Idea: limit distance a virus can spread Flow distance metric fd(x): –Initially, all info x has fd(x) = 0 –Whenever info y is shared, fd(y) increases by 1 –Whenever y 1, …, y n used as input to compute z, fd(z) = max(fd(y 1 ), …, fd(y n )) Information x accessible if and only if for some parameter V, fd(x) < V

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-19 Example Anne: V A = 3; Bill, Cathy: V B = V C = 2 Anne creates program P containing virus Bill executes P –P tries to write to Bill’s program Q Works, as fd(P) = 0, so fd(Q) = 1 < V B Cathy executes Q –Q tries to write to Cathy’s program R Fails, as fd(Q) = 1, so fd(R) would be 2 Problem: if Cathy executes P, R can be infected –So, does not stop spread; slows it down greatly, though

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-20 Implementation Issues Metric associated with information, not objects –You can tag files with metric, but how do you tag the information in them? –This inhibits sharing To stop spread, make V = 0 –Disallows sharing –Also defeats purpose of multi-user systems, and is crippling in scientific and developmental environments Sharing is critical here

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-21 Detect Alteration of Files Compute manipulation detection code (MDC) to generate signature block for each file, and save it Later, recompute MDC and compare to stored MDC –If different, file has changed Example: tripwire –Signature consists of file attributes, cryptographic checksums chosen from among MD4, MD5, HAVAL, SHS, CRC-16, CRC-32, etc.)

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-22 Antivirus Programs Look for specific sequences of bytes (called “virus signature” in file –If found, warn user and/or disinfect file Each agent must look for known set of viruses Cannot deal with viruses not yet analyzed –Due in part to undecidability of whether a generic program is a virus

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-23 Virus Protection Companies around the world spend about US $20 billion a year to clean up viruses All critical servers are protected All internet is scanned Automated identification of workstations that do not have up-to-date signature files Organizations should block common virus file types to be proactive