Outline for Today’s Lecture Administrative: –Potential extension on Program 4 (not on webpage yet) Thursday Dec. 15 at 11:59pm (1 week more) –Exam will.

Presentation transcript:

Outline for Today’s Lecture
Administrative:
–Potential extension on Program 4 (not on webpage yet) Thursday Dec. 15 at 11:59pm (1 week more)
–Exam will include a very easy question based on Xen/Linux assignments
–Course evaluations need volunteer to deliver; stop me 10 minutes from end of class time. Answer question about your opinion of Linux vs. alternative.
Objective:
–Viruses and worms

From the Outside: Network Security
External threat
–code transmitted to target machine
–code executed there, doing damage
Goals of virus writer
–quickly spreading virus
–difficult to detect
–hard to get rid of
Virus = program that can reproduce itself by attaching its code to another program
–additionally, do harm

Viruses and Worms
Virus = program that can reproduce itself by attaching its code to another executable program
–Activated by executing its host
Worm = program which replicates itself and causes execution of new copy
–Self-contained
–Hijacks or creates a new process

Lifecycle of an Attack
Probe: Scan ports; Ping addresses; Guess passwords; Get address address book
Penetrate: Mail attachments; Buffer overflows; Backdoors; Macros
Persist: Create / modify files; Infect boot sector; Modify registry; Weaken security settings; Hide and disguise actions
Propagate: Use client; Bring up own SMTP or http servers; ftp
Paralyze: Do damage; Destroy data; Denial of Service; Leak information

Damage Scenarios
Blackmail
Denial of service as long as virus runs
Permanently damage hardware
Target a competitor's computer
–do harm
–espionage
Intra-corporate dirty tricks
–sabotage another corporate officer's files

History of Worms
1982 – PARC envisions worms as an administrative mechanism to perform legit tasks on distributed system
1988 – Morris worm is the first Internet worm (with dramatic consequences)
…
2001 – Code Red
2003 – Slammer, Blaster
2004 – Sasser, Witty

The Morris Internet Worm
Nov. 1988, Robert Morris, Cornell grad student
Consisted of two programs
–bootstrap to upload worm
–the worm itself
Worm first hid its existence
Next replicated itself on new machines
–rsh
–finger - overflow finger daemon’s stack with long string
–Bug in sendmail to mail bootstrap & exec it
–Tried to break user passwords and go on
Too aggressive – let 1 in 7 re-infections live
Caught and convicted

Stopping Attacks
CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked. Fields reports of security break-ins
Traditional timeline of attack
–Application released with bug
–Vulnerability announced & patch released
–Attack released
Bad guys create attack
Good guys patch fast
Often < 1 day

How Viruses Work
Virus usually written in assembly language
Inserted into another program
–use tool called a “dropper”
Virus dormant until program executed
–then infects other programs
–eventually executes its “payload”
possibly waits for significant date

How Viruses Work
Bait and switch – companion viruses
MS-DOS example: run prog
–system tries prog.com then prog.exe
Release a prog.com for a popular prog.exe

Figure: Recursive procedure that finds executable files on a UNIX system
Virus could infect them all

How Viruses Work
An executable program
–with a parasitic virus at the front
–at the end
–spread over free space within program (cavity virus)

How Viruses Work
Boot sector viruses
–1st hide the real boot sector
–When booted, copies virus into memory, making it a memory resident virus
–Then boots the OS
Device driver infected with virus, loads it at boot time.

After virus has captured interrupt, trap vectors
–Syscall trap a good one. Can look for exec calls
After OS has retaken printer interrupt vector
After virus has noticed loss of printer interrupt vector and recaptured it

How Viruses Work
Macros
Applications like Word or Excel allow macros that get executed via keystroke or menu
Attach a macro to open file function and you are off and running
Can be sent in attachments
Some emailers automatically open attachments

How Viruses Spread
Virus placed where likely to be copied
When copied
–infects programs on hard drive, floppy
–may try to spread over LAN
Attach to innocent looking email
–when it runs, use mailing list to replicate

Stopping Attacks
Identifying viruses and worms before they execute
–antivirus
–trusted code only
Catch’em in the act of misbehaving before they do harm
Monitoring and controlling what suspicious code can do
–interpreters and sandboxing

Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program, metadata giveaways
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Antivirus and Anti-Antivirus Techniques
Examples of a polymorphic virus
All of these examples do the same thing
Mutation engine – code that morphs the signature part of the virus each time it spreads

Antivirus and Anti-Antivirus Techniques
Integrity checkers - checksums
Behavioral checkers
Virus avoidance
–good OS
–install only shrink-wrapped software
–use antivirus software
–do not click on attachments to email
–avoid active content
–frequent backups
Recovery from virus attack
–halt computer, reboot from safe disk, run antivirus
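The "integrity checkers - checksums" item, as an added example that is not part of the original slides: it walks a directory tree recursively, records size and SHA-256 for every executable file, and later reports which executables changed, appeared or vanished. The file names and the tampering in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each executable regular file under root to (size, SHA-256 hex)."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):      # recursive directory walk
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue                             # skip non-executables
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            seen[os.path.relpath(path, root)] = (st.st_size, digest)
    return seen

def compare(old, new):
    """Return (modified, added, removed) lists of relative paths."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed

def write_file(path, body, mode, flag="wb"):
    """Write (or append) bytes and set the permission bits."""
    with open(path, flag) as fh:
        fh.write(body)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: one program changes, one new executable appears."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        prog = os.path.join(root, "bin", "prog")
        write_file(prog, b"original program bytes", 0o755)
        write_file(os.path.join(root, "notes.txt"), b"not executable", 0o644)
        baseline = snapshot(root)
        write_file(prog, b" plus appended bytes", 0o755, flag="ab")
        write_file(os.path.join(root, "bin", "prog2"), b"unexpected", 0o755)
        return baseline, compare(baseline, snapshot(root))

if __name__ == "__main__":
    baseline, (modified, added, removed) = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The baseline is only as trustworthy as its storage: keep it on read-only or offline media and run the comparison after booting from a safe disk, as the recovery item on the slide says.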

Trusted Mobile Code
When code is intentionally brought in, what can you do to protect yourself?
Only download code from sources you trust – use digitally signed code

Mobile Code Sandboxing
Confine the effects of running (untrusted) code
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity

Interpreted Mobile Code
Applets can be interpreted by a Web browser

Interpretation
Interpreter never lets go of the program counter itself
Interpreter can check each instruction as it is emulated
Transfers of control flow are the danger points
Performance cost, but can be mitigated
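The sandboxing and interpretation slides combined, as an added example that is not from the original lecture: a toy interpreter keeps the program counter, and before every store or jump it checks that the upper bits of the run-time address select the guest's own 1-MB sandbox. The instruction set, the sandbox numbers 4 and 5 and the sample programs are assumptions made for illustration.

```python
SANDBOX_BITS = 20   # 1-MB sandboxes: the upper address bits name the sandbox

class SandboxViolation(Exception):
    """Raised when the guest program tries to leave its sandbox."""

def check(addr, box, what):
    """Allow addr only if its upper bits select the expected sandbox."""
    if addr < 0 or (addr >> SANDBOX_BITS) != box:
        raise SandboxViolation(f"{what} to {addr:#x} outside sandbox {box}")
    return addr

def run(program, code_box, data_box, max_steps=1000):
    """Interpret a toy register program, checking every store and jump."""
    code_base = code_box << SANDBOX_BITS
    regs, mem, pc = [0] * 4, {}, code_base   # the interpreter owns the pc
    for _ in range(max_steps):
        index = pc - code_base
        if not 0 <= index < len(program):
            raise SandboxViolation(f"pc {pc:#x} is outside the program")
        op, *args = program[index]
        pc += 1
        if op == "LOADI":                    # regs[a] = constant
            regs[args[0]] = args[1]
        elif op == "STORE":                  # mem[regs[b]] = regs[a]
            mem[check(regs[args[1]], data_box, "store")] = regs[args[0]]
        elif op == "JMP":                    # pc = regs[a], computed at run time
            pc = check(regs[args[0]], code_box, "jump")
        elif op == "HALT":
            return mem
        else:
            raise SandboxViolation(f"illegal opcode {op!r}")
    raise SandboxViolation("step limit exceeded")

def verdict(program, code_box=4, data_box=5):
    """Return the final memory, or the violation message if one was raised."""
    try:
        return run(program, code_box, data_box)
    except SandboxViolation as exc:
        return str(exc)

# Constructed sample programs; sandbox numbers 4 (code) and 5 (data) are arbitrary.
GOOD = [("LOADI", 0, 42), ("LOADI", 1, (5 << 20) + 8), ("STORE", 0, 1), ("HALT",)]
BAD_STORE = [("LOADI", 0, 1), ("LOADI", 1, (6 << 20) + 8), ("STORE", 0, 1), ("HALT",)]
BAD_JUMP = [("LOADI", 0, 7 << 20), ("JMP", 0)]
```

Because the store and jump targets come from registers, they cannot be validated when the code is loaded; the check has to run each time the instruction is emulated, which is the performance cost the slide mentions.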

Java Security
A type safe language
–compiler rejects attempts to misuse variable
Checks include …
1. Attempts to forge pointers
2. Violation of access restrictions on private class members
3. Misuse of variables by type
4. Generation of stack over/underflows
5. Illegal conversion of variables to another type

Java Security
Examples of specified protection with JDK 1.2

Covert Channels
Encapsulated server can still leak to collaborator via covert channels:
Observable performance patterns (e.g., busy/blocked, page faulting)
Can information be leaked from “confined” processes?

Covert Channels
A covert channel using file locking

Covert Channels
Pictures appear the same
–7-bit colors can not be distinguished from 8-bit colors
Picture on right has text of 5 Shakespeare plays
–Compressed & encrypted, inserted into low order bits of color values
Zebras
Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear

Is it a Technical Problem?
Lots of known solution techniques
Access control
Crypto
Firewalls
Intrusion detection
So why isn’t it a solved problem?

Economics
“The party who is in a position to protect a system is not the party who would suffer the results of security failure.” Ross Anderson
Security
For whom is it built?
Who pays for it?