Presentation is loading. Please wait.

Presentation is loading. Please wait.

Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week."— Presentation transcript:

1 Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week (after proj assignment) m Ashish and Stephan volunteer for the next week r Projects will be online soon, find your partners

2 Overview r Integrity r Key distribution and certification r Mobile malcode m Overview m Viruses m Worms m Automatic updates r History of Viruses (if time allowed)

3 Digital Signatures Cryptographic technique analogous to hand- written signatures. r sender (Bob) digitally signs document, establishing he is document owner/creator. r verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

4 Digital Signatures Simple digital signature for message m: r Bob signs m by encrypting with his private key K B, creating “signed” message, K B (m) - - Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob Bob’s message, m Public key encryption algorithm Bob’s private key K B - Bob’s message, m, signed (encrypted) with his private key K B - (m)

5 Digital Signatures (more) r Suppose Alice receives msg m, digital signature K B (m) r Alice verifies m signed by Bob by applying Bob’s public key K B to K B (m) then checks K B (K B (m) ) = m. r If K B (K B (m) ) = m, whoever signed m must have used Bob’s private key. + + - - -- + Alice thus verifies that: ü Bob signed m. ü No one else signed m. ü Bob signed m and not m’. Non-repudiation: Alice can take m, and signature K B (m) to court and prove that Bob signed m. -

6 Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length, easy- to-compute digital “fingerprint” r apply hash function H to m, get fixed size message digest, H(m). Hash function properties: r many-to-1 r produces fixed-size msg digest (fingerprint) r given message digest x, computationally infeasible to find m such that x = H(m) large message m H: Hash Function H(m)

7 Internet checksum: poor crypto hash function Internet checksum has some properties of hash function: ü produces fixed length digest (16-bit sum) of message ü is many-to-one But given message with given hash value, it is easy to find another message with same hash value: I O U 1 0 0. 9 9 B O B 49 4F 55 31 30 30 2E 39 39 42 D2 42 message ASCII format B2 C1 D2 AC I O U 9 0 0. 1 9 B O B 49 4F 55 39 30 30 2E 31 39 42 D2 42 message ASCII format B2 C1 D2 AC different messages but identical checksums!

8 large message m H: Hash function H(m) digital signature (encrypt) Bob’s private key K B - + Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: K B (H(m)) - encrypted msg digest K B (H(m)) - encrypted msg digest large message m H: Hash function H(m) digital signature (decrypt) H(m) Bob’s public key K B + equal ? Digital signature = signed message digest

9 Hash Function Algorithms r MD5 hash function widely used (RFC 1321) m computes 128-bit message digest in 4-step process. m arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. r SHA-1 is also used m US standard [ NIST, FIPS PUB 180-1] m 160-bit message digest r SHA-2 is the new variant m Is the collective name of one-way hash functions developed by the NIST: SHA-256, SHA-384, and SHA-512

10 Overview r Integrity r Key distribution and certification r Mobile malcode m Overview m Viruses m Worms m Automatic updates

11 Trusted Intermediaries Symmetric key problem: r How do two entities establish shared secret key over network? Solution: r trusted key distribution center (KDC) acting as intermediary between entities Public key problem: r When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s? Solution: r trusted certification authority (CA)

12 Key Distribution Center (KDC) r Alice, Bob need shared symmetric key. r KDC: server shares different secret key with each registered user (many users) r Alice, Bob know own symmetric keys, K A-KDC K B-KDC, for communicating with KDC. K B-KDC K X-KDC K Y-KDC K Z-KDC K P-KDC K B-KDC K A-KDC K P-KDC KDC

13 Key Distribution Center (KDC) Alice knows R1 Bob knows to use R1 to communicate with Alice Alice and Bob communicate: using R1 as session key for shared symmetric encryption Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R1 K B-KDC (A,R1) K A-KDC (A,B) K A-KDC (R1, K B-KDC (A,R1) )

14 Certification Authorities r Certification authority (CA): binds public key to particular entity, E. r E (person, router) registers its public key with CA. m E provides “proof of identity” to CA. m CA creates certificate binding E to its public key. m certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key K B + Bob’s identifying information digital signature (encrypt) CA private key K CA - K B + certificate for Bob’s public key, signed by CA

15 Certification Authorities r When Alice wants Bob’s public key: m gets Bob’s certificate (Bob or elsewhere). m apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key K B + digital signature (decrypt) CA public key K CA + K B +

16 Overview r Integrity r Key distribution and certification r Mobile malcode m Overview m Viruses m Worms m Automatic updates

17 Mobile Malcode Overview r Malicious programs which spread from machine to machine without the consent of the owners/operators/users m Windows Automatic Update is (effectively) consensual r Many strains possible m Viruses m Worms m Compromised Auto-updates No user action required, very dangerous

18 Viruses r Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it. r On execution m Search for valid target files Usually executable files Often only infect uninfected files m Insert a copy into targeted files When the target is executed, the virus starts running r Only spread when contaminated files are moved from machine to machine r Mature defenses available

19 r 1988: Less than 10 known viruses r 1990: New virus found every day r 1993: 10-30 new viruses per week r 1999: 45,000 viruses and variants Source: McAfee

20 Virus Infectables r Executable files:.com,.exe,.bat r Macros m With macro languages the line between pure data files and executable files is blurring m An infected file might be attached to an E-mail m E-mail programs may use other programs (e.g., word) with macros to display incoming mail r System sector viruses m Infect control sectors on a disk DOS boot sectors Partition (MBR) sectors m System sector viruses spread easily via floppy disk infections

21 Virus Infectables (cont’d) r Companion viruses m Create a.com files for each.exe files m DOS runs COM files before EXE files m Relatively easy to find and eliminate r Cluster viruses m Change the DOS directory info so that directory entries point to the virus code instead of the real program m Even though every program on the disk may be "infected“, there is only one copy of the virus on the disk

22 Anatomy of a Virus r Two primary components m Propagation mechanism m Payload r Propagation m Method by which the virus spreads itself. m Old days: single PC, transferred to other hosts by ways of floppy diskettes. m Nowadays: Internet.

23 Structure of A Virus Virus() { infectExecutable(); if (triggered()) { doDamage(); } jump to main of infected program; } void infectExecutable() { file = choose an uninfected executable file; prepend V to file; } void doDamage() {... } int triggered() { return (some test? 1 : 0); }

24 Variable Viruses r Polymorphic viruses m Change with each infection Executables virus code changing (macros: var name, line spacing, etc.) Control flow permutations (rearrange code with goto’s) m Attempt to defeat scanners r Virus writing tool kits have been created to "simplify" creation of new viruses m Current tool kits create viruses that can be detected easily with existing scanner technology m But just a matter of time …

25 Virus Detection/Evasion r Look for changes in size r Check time stamp on file r Look for bad behavior m False alarm prone r Look for patterns (byte streams) in virus code that are unique r Look for changes in file checksum r Compression of virus and target code r Modify time stamp to original r Do bad thing insidiously r Change patterns – polymorphism r Rearrange data in the file r Disable anti-virus programs

26 More on Virus Detection r Scanning m Depend on prior knowledge of a virus m Check programs before execution m Need to be regularly updated r Integrity Checking m Read entire disk and record integrity data that acts as a signature for the files and system sectors m Analyze the nature of the changes to differentiate file corruption caused by a bug from corruption caused by a virus m Use cryptographic computation technique instead of simple checksum

27 More on Virus Detection r Interception m Monitoring for system-level routines that perform destructive acts m Good for detecting logic bomb and Trojoran horse m Cannot depend entirely upon behavior monitors as they are easily bypassed. r Combination of all three techniques can detect most viruses

28 Logic Bomb: r Logic Bomb: A logic bomb executes when specific conditions occur. r Triggers for logic bombs can include change in a file, by a particular series of keystrokes, or at a specific time or date.

29 Trojan Horse r Programs that appear to have one function but actually perform another function.  Modern Trojan Horse: resemble a program that the user wishes to run - a game, a spreadsheet, or an editor. r While the program appears to be doing what the user wants, it is also doing something else unrelated to its advertised purpose, and without the user's knowledge.

30 Virus Recovery r Extricate the virus from the infected file to leave the original behind r Remove the redirection to the virus code r Recover the file from backup r Delete the files and move on with life

31 Email-Borne Viruses/Worms r The logic/code is contained in an email, usually as an executable attachment m Some mail agents execute content automatically m Upon execution Search for email addresses in address book, emails Send out copies of itself to all the addresses it can find r Taxonomy: are they viruses or worms? m Email viruses: when human or human-agents asynchronously trigger the worm m Email worms: when they are fully automatic

32 Worms r Autonomous, active code that can replicate to remote hosts without any triggering m Typically, a worm is a process not a file r Because they propagate autonomously, they can spread much more quickly than viruses! r Much of the class focuses on worms r Speed and general lack of user interaction make them the most significant threats

33 Compromised Auto-updates r Auto-update program: At a given time, call to central server m If new programs are available, download and install Probably a good thing when correctly implemented r Hijack the auto-update m May be trivial DNS cache poisoning or router redirection m May be very difficult Capture the code-signing and the server’s private keys r Present a fake update to the world r Unlike other mobile malcode, it only travels a single step: from server to the clients

34 Malcode Attributes VirusEmail- borne Virus WormEmail- borne Worm Auto- Update Autonom ous XXX Triggere d XXX Domain/ Universe File/ File system Email User /Email Users Host/Ne twork Email User /Email Users Host/Ne twork

35 Overview r Integrity r Key distribution and certification r Mobile malcode m Overview m Viruses m Worms m Automatic updates r A History of Viruses

36 First Wild Viruses Apple I/II/III: 1981 r Three viruses for the Apple machines emerged in 1981 m Boot sector viruses r Floppies of that time had the disk operating system (DOS) on them by default m Wrote it without malice

37 Fred Cohen’s Work: 1983 r First documented work with viruses m Cohen’s PhD advisor, Leo Adelman, coined the term “virus” m Virus: “a program that can infect other programs by modifying them to include a … version of itself” m Viruses can quickly (~30 min) spread through a networked file system r Dissertation (1986) conclusion: "universal" detection of a virus is undecidable m Gave insights to some heuristic detection mechanisms that are widely used now m No 100% guaranteed detection for virus/worm

38 First PC Virus: Pakistani Brain Virus (1986) r Written by Pakistani brothers to protect their copyright m Claim: infect only machines that had an unlicensed copy of their software m Boot sector, memory resident m Printed “Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............. !!"

39 Destructive Virus: Chernobyl (1998) r Designed to inflict harm m Flash BIOS: would cause permanent hardware damage to vulnerable motherboards m Also overwrote first 2K sectors of each disk Typically resulted in a loss of data and made it unbootable r Previously believed that being benign was necessary for virus longevity m Chernobyl provided evidence to the contrary

40 Early Mail Virus: Happy99 (1999) r One of the earliest viruses that propagated automatically when an infected attachment is executed r Did not infect files, only email user accounts r Email sent from infected person to others in address book (novelty at the time)

41 Early Macro Virus: Melissa (1999) r Microsoft Word 97 Macro virus r Target first 50 entries in Outlook’s address book r Adjusted subject “Important messages from ______” r Points to attachment as a document requested m Contains a list of porn sites r Macro security was greatly increased with Melissa

Download ppt "Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week."

Similar presentations

Public Key Cryptography & Message Authentication By Tahaei Fall 2012.

Public Key Cryptography & Message Authentication By Tahaei Fall 2012.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Authentication Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Authentication Digital Signature Key distribution.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
8: Network Security8-1 22 – Integrity, Firewalls.

8: Network Security – Integrity, Firewalls.
Outlines Mobile malcode Overview Viruses Worms.

Outlines Mobile malcode Overview Viruses Worms.
Network Security understand principles of network security:

Network Security understand principles of network security:
Outlines r Mobile malcode Overview r Viruses r Worms.

Outlines r Mobile malcode Overview r Viruses r Worms.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)
Outlines r Mobile malcode Overview r Viruses r Worms.

Outlines r Mobile malcode Overview r Viruses r Worms.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter 31 Network Security

Chapter 31 Network Security
Behzad Akbari Spring 2012 1 In the Name of the Most High.

Behzad Akbari Spring In the Name of the Most High.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:

Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

Similar presentations

Ads by Google