Week 6 - Monday

 What did we talk about last time?
 Quantum cryptography
 Non-malicious program errors

 Incomplete mediation happens when a system does not have complete control over the data that it processes
 Example URL:
 Wrong URL:
 The HTML generates the URL, but the URL can also be typed or edited by hand, so the server cannot assume the parameters are the ones its own form would have sent

 For a website, a carelessly altered URL might just mean a 404 error
 For a program, bad data could cause any number of faults and failures
 Malicious attackers could change data or mount an SQL injection attack to destroy or reveal database internals
 Values should always be checked against what the program actually expects, and handed to other components (the database, the shell, the file system) in a way that keeps data from being interpreted as code
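The URL-tampering path above, carried through to the database, as an added example that is not part of the lecture. The orders table, the order_id parameter and the shop.example.test URLs are constructed here so it runs offline; the vulnerable lookup pastes the parameter into the SQL text, the mediated one validates it and binds it as a parameter.

```python
"""Incomplete mediation on a URL parameter, and the SQL injection it enables.

Added example, not from the lecture. The 'orders' table, the 'order_id'
parameter and the example.test URLs are all constructed here so the script
runs offline against an in-memory SQLite database.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed sample data: orders belonging to different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "oranges"), (2, "bob", "apples"), (3, "admin", "audit log")],
    )
    return conn


def order_id_from_url(url: str) -> str:
    """The value of ?order_id=... exactly as the client sent it (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("order_id", [""])[0]


def lookup_unmediated(conn: sqlite3.Connection, url: str) -> list:
    """Vulnerable: the HTML form only ever sends digits, but nothing stops a
    user from editing the URL, and the raw text is pasted into the SQL."""
    raw = order_id_from_url(url)
    return conn.execute(f"SELECT owner, item FROM orders WHERE id = {raw}").fetchall()


def lookup_mediated(conn: sqlite3.Connection, url: str) -> list:
    """Hardened: check the value against what the program actually expects (a
    short decimal number), then bind it as a parameter so the database can
    only ever treat it as data, never as part of the query."""
    raw = order_id_from_url(url)
    if not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValueError(f"rejected order_id {raw!r}")
    return conn.execute(
        "SELECT owner, item FROM orders WHERE id = ?", (int(raw),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    good = "https://shop.example.test/orders?order_id=1"
    evil = "https://shop.example.test/orders?order_id=1%20OR%201%3D1"  # typed by hand
    print(lookup_unmediated(db, good))   # only Alice's order
    print(lookup_unmediated(db, evil))   # every row in the table
    print(lookup_mediated(db, good))
    try:
        lookup_mediated(db, evil)
    except ValueError as err:
        print("blocked:", err)
```

The hand-typed URL decodes to `1 OR 1=1`, which the unmediated query happily accepts; the mediated version rejects it before the database ever sees it, and even a value that passed the pattern could only ever be compared as a number because it is bound rather than concatenated.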

 It seems like things happen instantly in a computer
 Many operations, especially those on files, may be put into a queue of work
 Imagine you give the OS a data structure with this command:
    FileCommand: MyFile.txt    Change byte 4 to 'A'
 After it is authorized but before it can be executed, you change it to:
    FileCommand: YourFile.txt    Delete file
 The check was made on one command and the action taken on another: a time-of-check to time-of-use (TOCTOU) flaw
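The queued-command race above in miniature, as an added example that is not part of the lecture. The FileCommand record, the ownership table and the policy "a user may only act on files they own" are constructed; tamper() stands in for whatever the requester does to the record while it waits in the queue.

```python
"""Time-of-check to time-of-use (TOCTOU) on a queued file command.

Added example, not from the lecture. The FileCommand record, the ownership
table and the policy 'a user may only act on files they own' are all
constructed for the demonstration; tamper() stands in for whatever the
requester does while the command waits in the queue.
"""
import copy
from dataclasses import dataclass
from typing import Callable


@dataclass
class FileCommand:
    path: str
    action: str


# Constructed ownership table for the policy check.
OWNERS = {"MyFile.txt": "alice", "YourFile.txt": "bob"}


def authorized(cmd: FileCommand, user: str) -> bool:
    """Policy: the requesting user must own the file the command names."""
    return OWNERS.get(cmd.path) == user


def run_vulnerable(cmd: FileCommand, user: str, tamper: Callable) -> str:
    """Check, wait, then act on the same object the requester still holds.
    Anything done to it in the gap is never looked at again."""
    if not authorized(cmd, user):
        return "denied"
    tamper(cmd)                       # the window between check and use
    return f"executed {cmd.action} on {cmd.path}"


def run_fixed(cmd: FileCommand, user: str, tamper: Callable) -> str:
    """Copy the request into memory the requester cannot reach *before*
    checking it, and execute only that private copy."""
    private = copy.deepcopy(cmd)
    if not authorized(private, user):
        return "denied"
    tamper(cmd)                       # same window; the copy is unaffected
    return f"executed {private.action} on {private.path}"


def swap_to_delete(cmd: FileCommand) -> None:
    """What a malicious requester does while the command sits in the queue."""
    cmd.path, cmd.action = "YourFile.txt", "delete file"


def no_tamper(cmd: FileCommand) -> None:
    """Honest requester: leaves the queued command alone."""


if __name__ == "__main__":
    print(run_vulnerable(FileCommand("MyFile.txt", "change byte 4 to 'A'"), "alice", swap_to_delete))
    print(run_fixed(FileCommand("MyFile.txt", "change byte 4 to 'A'"), "alice", swap_to_delete))
    print(run_fixed(FileCommand("YourFile.txt", "delete file"), "alice", no_tamper))
```

The fix is not a second check but a change of what is checked: the kernel analogue is copying the argument structure out of user memory once, validating the copy, and never reading the user's version again.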

 A program might have a way to access its private internal data
 These access points are called backdoors or trapdoors
 During development, these backdoors can be really useful for debugging
 In production, they are a security risk, either because the developers keep control they shouldn't have or because outside attackers find and exploit the backdoor

 Integer overflow and underflow
 Someone ordered -2 billion oranges?
 Unterminated C-style string
 A C-style string ends with the null character ('\0')
 Without the null character, string processing functions keep reading (or writing) past the end of the buffer into whatever memory happens to come next
 Race conditions
 In multi-threaded environments, data can be updated by multiple threads, leading to inconsistent (and unpredictable) results
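The first two flaws on this slide, as an added example that is not part of the lecture. Python integers never overflow and Python strings carry their length, so int32() and the byte-scanning functions emulate what the equivalent C code does; the order limits, the 16-byte name field and the record contents are constructed.

```python
"""Two of the non-malicious flaws above, in miniature.

Added example, not from the lecture. Python integers never overflow and
Python strings carry their length, so int32() and the byte-scanning
functions below emulate what the equivalent C code does; the order limits,
the 16-byte name field and the record contents are constructed.
"""
NAME_LEN = 16


def int32(x: int) -> int:
    """Wrap an integer the way a 32-bit two's-complement C 'int' would."""
    return (x + 2**31) % 2**32 - 2**31


def charge_unchecked(qty: int, unit_price: int, credit_limit: int) -> str:
    """The check looks fine, but the multiply wraps before it is compared."""
    total = int32(qty * unit_price)
    return "approved" if total <= credit_limit else "declined"


def charge_checked(qty: int, unit_price: int, credit_limit: int) -> str:
    """Range-check the inputs first; in C you would also test
    qty <= INT_MAX / unit_price before multiplying."""
    if not (0 < qty <= 10_000) or unit_price < 0:
        return "declined: bad quantity or price"
    return "approved" if qty * unit_price <= credit_limit else "declined"


def make_record(name: bytes, secret: bytes) -> bytes:
    """Constructed record: a fixed-width name field, then a secret. A name
    that fills all 16 bytes leaves no room for the terminating NUL."""
    return name[:NAME_LEN].ljust(NAME_LEN, b"\x00") + secret + b"\x00"


def read_cstring_unbounded(buf: bytes, start: int) -> bytes:
    """What strlen/strcpy/printf("%s") do: walk until the first 0 byte,
    wherever in memory that happens to be."""
    end = start
    while end < len(buf) and buf[end] != 0:
        end += 1
    return buf[start:end]


def read_cstring_bounded(buf: bytes, start: int, max_len: int) -> bytes:
    """strnlen-style: never look beyond the field's own bytes."""
    field = buf[start:start + max_len]
    nul = field.find(b"\x00")
    return field if nul < 0 else field[:nul]


if __name__ == "__main__":
    print(charge_unchecked(2_000_000_000, 2, 500))   # approved: total wrapped negative
    print(charge_checked(2_000_000_000, 2, 500))     # declined
    record = make_record(b"sixteen_chars_xx", b"SECRET-TOKEN")
    print(read_cstring_unbounded(record, 0))          # the name *and* the secret
    print(read_cstring_bounded(record, 0, NAME_LEN))  # just the name
```

Two billion oranges at two units each wraps to a negative total that sails under any credit limit; and a name that exactly fills its field has no terminator, so an unbounded read returns the secret stored right after it. Both are the "someone ordered -2 billion" and "keeps reading into memory" cases from the slide, made concrete.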

 Therac-25 was a radiation therapy machine built by Atomic Energy of Canada Limited (AECL)
 It was the successor to the Therac-6 and Therac-20 machines
 The machine had low power and high power modes
 The low power mode shot an electron beam directly at the patient
 The high power mode created X-rays by shooting a far more intense electron beam at a tungsten target, spread these X-rays with a flattening filter, shaped the beam with movable blocks, and measured the strength of the beam with an X-ray ion chamber

 In some situations, the high power beam was activated without the target and flattening filter in place
 The software and hardware systems did not catch this particular problem
 Over 100 times the intended dose was given
 At least 2 people died and there were at least 6 overdoses total
 Software bugs actually kill people!

 A certain unusual combination of keystrokes had to happen within 8 seconds (editing the mode after the prescription was entered, before the machine had finished setting up)
 There were no hardware interlocks to prevent the problem if the user overrode the error code
 Error codes were not well-documented and were displayed only as a number
 Software was reused from previous models that did have hardware interlocks
 Arithmetic overflow caused safety checks to fail in some cases (a one-byte counter wrapped back to zero, so the check read as "all clear")

 The software/hardware combination had never been tested together before use
 Personnel did not believe complaints because of their confidence in the system
 Code was not independently reviewed
 Errors were easily overridden

 Malicious code is obviously a problem
 It's very difficult to stop
 You never really know what's getting installed on your computer
 You're downloading thousands of files from the Internet every day
 Even if you had the source code for every program, could you catch all the dangerous stuff?
 Malicious code has been around since at least 1970

 Malicious code (or a rogue program) is our blanket term for any code that has undesirable effects that were intentionally designed
 The agent is the person who writes (or distributes) the code
 A virus is a program that can replicate itself and add malicious code to nonmalicious programs
 A transient virus runs when its host program is running
 A resident virus lives in memory and can be active anytime

 Terminology is inconsistent
 Popular culture tends to call everything a virus
 Sometimes we will too, but here are some other terms:

Type          Characteristics
Virus         Attaches itself to a program and propagates copies of itself to other programs
Trojan horse  Contains unexpected, additional functionality
Logic bomb    Triggers action when condition occurs
Time bomb     Triggers action when specified time occurs
Trapdoor      Allows unauthorized access to functionality
Worm          Propagates copies of itself through a network
Rabbit        Replicates itself without limit to exhaust resources

 Almost all of these are, by definition, Trojan horses
 Worms differ from viruses primarily because they spread across networks on their own rather than by attaching to a host program

 A virus is not dangerous unless it is active
 Just having an infected file on your hard drive won't cause a problem unless it is accessed
 But files get opened all the time
 Programs call other programs
 Just previewing files can be dangerous
 Email programs open attachments automatically
 How do these viruses infect code?

 A virus can be designed so that it starts running before the real program does
 Machine code for the virus is inserted before the machine code for the beginning of the program
 After the virus runs, it transfers control to the real program
 The real program runs as if nothing happened
 This kind of virus is easy to write
 It is also relatively easy to catch for antivirus software

    Virus Code + Program Code  ->  [Virus Code][Program Code]

 Another possibility is viruses that surround a program, gaining control before and after execution
 The code may not be at the beginning and end of the executable, but that's how the control flow works
 Viruses can also be spread throughout the code

    Virus Code + Program Code  ->  [Virus Code A][Program Code][Virus Code B]
    Virus Code + Program Code  ->  [Infected Program Code]  (virus fragments interleaved with the original)

 According to the book, the most common form of virus is a document virus
 A document virus is an infected document (instead of an executable file)
 A document is not itself an executable, but the macros that can be stored in Word, Excel, Access, and other similarly complex documents are powerful enough to cause just as much damage as any other virus

 If you are making a virus, the following characteristics are ideal:
 Hard to detect
 Difficult to destroy or deactivate
 Spreads infection widely
 Capable of reinfecting its host or other programs
 Easy to create
 Machine and OS independent
 It's difficult to make a virus that meets all these criteria

 Many viruses will be executed just once
 This could be on running a pirated (and infected) file
 One of the most common avenues of attack is through an email attachment

 The boot sector is the part of a hard drive that says what code to load to start your OS
 The details are technical, but a boot sector virus is one that is stored in the chain of code that starts up your whole computer
 A virus that starts this early can circumvent or disable antivirus
 It has complete control over your system
 It is also not visible as an ordinary file in the file system

 Some programs start up and then never really die
 They are low-level parts of the OS that need to keep running
 Sometimes called TSR (terminate and stay resident) programs
 Because these programs are always running, they are an attractive home for a virus
 Even if you delete the original infected file, the memory-resident virus can replace it

 As with everything in security, the assumption is that attackers do not play by the rules
 A virus does not have to live where we expect it to
 A few other places that are sensible:
 Applications
 Libraries
 Compilers (infect programs as you create them)
 Antivirus software

 Ken Thompson's seminal paper Reflections on Trusting Trust:
 He added a backdoor to the Unix login program
 Too easy to spot in the source, so he changed the C compiler to insert the backdoor whenever it compiled login
 Still visible in the compiler's source, so he changed the compiler to also insert that change whenever it compiled the compiler itself; after one build the backdoor lives only in the compiler binary, and the source of both login and the compiler can be perfectly clean
 And so on, and so on…
 You can't trust anything you didn't completely create yourself
 Some amount of trust is necessary

 Viruses are difficult to detect, but we can still classify them by the way they change code or the way they execute
 We call these tell-tale signs a signature
 Antivirus programs work by searching for certain signatures in code

 At its simplest, a signature is just a particular string of bytes in the binary
 Often this code is at the beginning of a program so that it gets control immediately
 Craftier viruses will put themselves in other places that get jumped to early in execution
 An antivirus program can check:
 The size of a file
 The functioning of the code compared to some standard
 Suspicious execution patterns (weird JUMP commands)
 The program against a stored hash digest of the known-good program

 Viruses are also suspicious because of the way they execute
 The virus should:
 Spread infection
 Avoid detection
 Cause harm
 How do these behaviors look like normal programs?
 How do they look abnormal?
 It's not easy to tell…

 Because virus scanners try to match strings in machine code, virus writers design polymorphic viruses that change their appearance
 No-ops, code that doesn't have an impact on execution, can be used for simple disguises
 Clever viruses can break themselves apart and hide different parts in randomly chosen parts of code
 Similar to code obfuscation
 Advanced polymorphic viruses called encrypting viruses encrypt parts of themselves with randomly chosen keys
 A scanner would have to know to decrypt the virus to detect it (or recognize the small decryption routine, which has to stay in the clear)
 Virus scanners cannot catch everything
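The prepending virus from the earlier slide, the simple string signature and the no-op disguise from this one, together in one added example that is not part of the lecture. The "executable" is only a byte string with an invented one-byte no-op (0x90, as on x86); VIRUS_CODE, the host program and the signature are constructed, and nothing here executes; the point is the file layout and the checks an antivirus can run on it.

```python
"""A prepending virus, a signature scanner, and the no-op trick that beats it.

Added example, not from the lecture. The 'executable' is only a byte string
with an invented one-byte no-op (0x90, as on x86); VIRUS_CODE, the host
program and the signature are all constructed. Nothing here executes; the
point is the file layout and the checks an antivirus can run on it.
"""
import hashlib
import random

NOP = b"\x90"
# The bytes a scanner vendor would lift from a sample as the signature.
VIRUS_CODE = b"VIRUS:copy-self;jmp-host;"


def infect_prepend(program: bytes) -> bytes:
    """Virus first, untouched program after it; the virus's last action is
    to jump to the original entry point, so the program behaves normally."""
    return VIRUS_CODE + program


def infect_polymorphic(program: bytes, seed: int) -> bytes:
    """Same payload, but one to three no-ops after every byte, chosen from a
    per-infection seed, so no fixed substring of VIRUS_CODE survives."""
    rng = random.Random(seed)
    padded = b"".join(bytes([b]) + NOP * rng.randint(1, 3) for b in VIRUS_CODE)
    return padded + program


def signature_scan(image: bytes, signature: bytes = VIRUS_CODE) -> bool:
    """The simplest scanner: look for the known byte string anywhere."""
    return signature in image


def normalized_scan(image: bytes, signature: bytes = VIRUS_CODE) -> bool:
    """A slightly smarter scanner strips code that cannot affect execution
    (here just the no-ops) before matching."""
    return signature in image.replace(NOP, b"")


def fingerprint(image: bytes) -> str:
    """Digest taken when the program was known to be clean."""
    return hashlib.sha256(image).hexdigest()


def integrity_check(image: bytes, known_good_digest: str, known_good_size: int) -> bool:
    """Independent of any signature: has the file changed at all?"""
    return len(image) == known_good_size and fingerprint(image) == known_good_digest


if __name__ == "__main__":
    clean = b"PROGRAM:main;do-work;exit;"        # constructed host program
    digest, size = fingerprint(clean), len(clean)

    plain = infect_prepend(clean)
    poly = infect_polymorphic(clean, seed=7)
    for name, image in [("clean", clean), ("prepend", plain), ("polymorphic", poly)]:
        print(f"{name:12} signature={signature_scan(image)!s:5} "
              f"normalized={normalized_scan(image)!s:5} "
              f"unchanged={integrity_check(image, digest, size)}")
```

The exact-string scanner catches the plain prepend and misses the padded copy; normalizing away the no-ops recovers the match for this particular trick, but a different disguise would need a different normalizer. The size and digest comparison does not know what a virus looks like at all, and still flags both infected images, which is why the guidelines later on this page ask you to keep a known-good image and backup copies of system executables.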

Virus effect                    How the virus causes it
Attach to executable program    Modify file directory; write to executable program file
Attach to data or control file  Modify directory; rewrite data; append to data; append data to self
Remain in memory                Intercept interrupt by modifying interrupt handler address table; load self in nontransient memory area
Infect disks                    Intercept interrupt; intercept OS system call; modify system file; modify ordinary executables
Conceal self                    Intercept system calls; classify self as hidden file
Spread infection                Infect boot sector; infect system program; infect ordinary program; infect data that an ordinary program reads
Prevent deactivation            Activate before deactivating program; store copy to reinfect after deactivation

 It is impossible to prevent infection entirely
 Some guidelines:
 Use only commercial software acquired from reliable, well-established vendors
 Test all new software on an isolated computer
 Open attachments only when you know them to be safe
 Make a recoverable system image and store it safely
 Make and retain backup copies of executable system files
 Use virus detectors regularly and update them daily

 Viruses can infect only Microsoft Windows systems: False
 Viruses can modify hidden and read-only files: True
 Viruses can appear only in data files or only in programs: False
 Viruses spread only on disks or only through email: False
 Viruses cannot remain in memory after a power cycle: True, but so what? (an infected boot sector or file puts it right back)
 Viruses can be malevolent, benign, or benevolent: True

 The Brain virus is one of the oldest known
 It changed the label of disks it attacked to "BRAIN"
 It was written by two brothers from Pakistan
 It copies itself to the boot sector of MS-DOS floppy disks
 It rewrites the system interrupt for disk reading so that it controls reads
 If you try to look at the boot sector, it will lie to you about what's there (an early stealth technique)
 Anytime it sees an uninfected disk, it infects it
 It doesn't otherwise do anything malicious

 In 1988 Robert Morris, a Cornell graduate student, wrote a worm that infected a large part of the Internet that existed at that time
 Serious connectivity issues happened because of the worm and because people disconnected uninfected systems
 He claimed the point was to measure the size of the Internet
 The worm's goals:
 1. Determine where it could spread to
 2. Spread its infection
 3. Remain undiscovered

 It tried to find user accounts on the host machine
 It tried 432 common passwords and compared their hashes to the list of password hashes
 Ideally, this list should not have been readable (the hashes sat in the world-readable /etc/passwd; shadow password files came later)
 It tried to exploit a bug in the fingerd program (using a buffer overflow) and a trapdoor in the sendmail mail program (its DEBUG mode, which let a remote sender run commands)
 Both were known vulnerabilities that should have been patched
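The password-guessing step, as an added example that is not part of the lecture. The worm hashed each word in its list and compared the result with the hashes it could read from the password file; here a salted SHA-256 stands in for the crypt() of 1988, and the four accounts, their passwords and the short word list are constructed (the worm's real list had 432 entries).

```python
"""Dictionary attack against a readable password-hash list, worm style.

Added example, not from the lecture. The Morris worm hashed its word list
and compared the results with the hashes in the world-readable password
file; here a salted SHA-256 stands in for the crypt() of 1988, and the four
accounts, their passwords and the short word list are all constructed (the
worm's real list had 432 entries).
"""
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Stand-in for the one-way hash stored in the password file."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for /etc/passwd entries: user -> (salt, hash).
PASSWD_FILE = {
    "root":  ("q7", hash_password("q7", "7Hx!pq-Lm2#v")),
    "alice": ("r3", hash_password("r3", "password")),
    "bob":   ("s9", hash_password("s9", "bobbob")),
    "carol": ("t1", hash_password("t1", "wizard")),
}

# Constructed word list in the spirit of the worm's built-in dictionary.
COMMON_WORDS = ["aaa", "academia", "password", "wizard", "unix", "cornell"]


def guesses_for(user: str, words: list) -> list:
    """Cheap guesses first (no password, the account name and variants of
    it), then the dictionary; the worm worked in roughly that order."""
    return ["", user, user + user, user[::-1]] + words


def crack(passwd: dict, words: list) -> dict:
    """Offline attack: no login attempts are made and nothing is logged;
    everything runs against the copied hash list."""
    found = {}
    for user, (salt, digest) in passwd.items():
        for guess in guesses_for(user, words):
            if hash_password(salt, guess) == digest:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print(crack(PASSWD_FILE, COMMON_WORDS))   # alice, bob and carol fall; root survives
```

Nothing in this attack touches the login program, so rate limits and failed-login logging never fire; the only defense is to keep the hashes unreadable (a root-only shadow file) and to make each hash expensive enough that 432 guesses per account is no longer cheap.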

 Once a target was found, the worm would send a short loader program to the target machine
 The program (99 lines of C) would compile and then fetch the rest of the worm
 It would use a one-time password to talk back to the host it came from
 If the host got the wrong password, it would break the connection
 This mechanism was to prevent outsiders from gaining access to the worm's code

 Any errors in transmission would cause the loader to delete any code and exit
 As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies
 It periodically changed its name and process identifier so that it would be harder to spot

 The worm would ask machines if they were already infected
 Because of a flaw in the code, it would reinfect machines 1 out of 7 times anyway
 Huge numbers of copies of the worm started filling infected machines
 System and network performance dropped
 Estimates of the damage are between $100,000 and $97 million
 Morris was fined $10,000 and sentenced to 400 hours of community service
 The CERT was formed to deal with similar problems

 Code Red appeared in 2001
 It infected a quarter of a million systems in 9 hours
 It is estimated that it infected 1/8 of the systems that were vulnerable
 It exploited a buffer overflow in a DLL (idq.dll, the Indexing Service ISAPI extension) in Microsoft Internet Information Server
 It only worked on systems running an MS web server, but many machines did by default

 The original version of Code Red defaced the website that was being run
 Then, it tried to spread to other machines on days 1-19 of a month
 Then, later in the month, it did a distributed denial of service attack on whitehouse.gov
 Later versions attacked random IP addresses
 Code Red II also installed a trap door so that infected systems could be controlled from the outside

 Review for exam

 Read section 3.2
 Finish Assignment 2
 Due tonight!
 Start on Project 2