1. CS 5950/6030 Network Security Class 15 (W, 10/5/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides courtesy of: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © by Leszek T. Lilien, 2005 Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

2. 2 3. Program Security 3.1. Secure Programs – Defining & Testing 3.2. Nonmalicious Program Errors 3.3. Malicious Code 3.3.1. General-Purpose Malicious Code (incl. Viruses) a. Introduction b. Kinds of Malicious Code c. How Viruses Work – PART 1 c. How Viruses Work – PART 2 d. Virus Signatures e. Preventing Virus Infections f. Seven Truths About Viruses g. Case Studies h. Virus Removal and System Recovery After Infection 3.3.2. Targeted Malicious Code a.Trapdoors Class 14

3. 3 3.3.2. Targeted Malicious Code  Targeted = written to attack a particular system, a particular application, and for a particular purpose  Many virus techniques apply Some new techniques as well  Outline: a.Trapdoors b.Salami attack c.Covert channels

4. 4 a.Trapdoors (1)  Original def: Trapdoor / backdoor - A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms.  A broader definition: Trapdoor – an undocumented entry point to a module  Inserted during code development  For testing  As a hook for future extensions  As emergency access in case of s/w failure

5. 5 Trapdoors (2)  Testing:  With stubs and drivers for unit testing (Fig. 3-10 p. 138)  Testing with debugging code inserted into tested modules  May allow programmer to modify internal module variables  Major sources of trapdoors:  Left-over (purposely or not) stubs, drivers, debugging code  Poor error checking  E.g., allowing for unacceptable input that causes buffer overflow  Undefined opcodes in h/w processors  Some were used for testing, some random  Not all trapdoors are bad  Some left purposely w/ good intentions — facilitate system maintenance/audit/testing

6. 6 Class 14 Ended Here

7. 7 3. Program Security 3.1. Secure Programs – Defining & Testing 3.2. Nonmalicious Program Errors 3.3. Malicious Code 3.3.1. General-Purpose Malicious Code (incl. Viruses)... c. How Viruses Work – PART 2 d. Virus Signatures e. Preventing Virus Infections f. Seven Truths About Viruses g. Case Studies h. Virus Removal and System Recovery After Infection 3.3.2. Targeted Malicious Code a.Trapdoors a.Salami attack b.Covert channels Class 15 Class 14

8. 8 b. Salami attack  Salami attack - merges bits of seemingly inconsequential data to yield powerful results  Old example: interest calculation in a bank:  Fractions of 1 ¢ „shaved off” n accounts and deposited in attacker’s account  Nobody notices/cares if 0.1 ¢ vanishes  Can accumulate to a large sum  Easy target for salami attacks: Computer computations combining large numbers with small numbers  Require rounding and truncation of numbers  Relatively small amounts of error from these op’s are accepted as unavoidable – not checked unless a strong suspicion  Attacker can hide „salami slices” within the error margin

9. 9 c. Covert Channels (CC) (1)  Outline: i.Covert Channels - Definition and Examples ii.Types of Covert Channels iii.Storage Covert Channels iv.Timing Covert Channels v.Identifying Potential Covert Channels vi.Covert Channels - Conclusions

10. 10 i. CC – Definition and Examples (1)  So far: we looked at malicious pgms that perform wrong actions  Now: pgms that disclose confidential/secret info  They violate confidentiality, secrecy, or privacy of info  Covert channels = channels of unwelcome disclosure of info  Extract/leak data clandestinely  Examples 1) An old military radio communication network  The busiest node is most probably the command center  Nobody is so naive nowadays 2) Secret ways spies recognize each other  Holding a certain magazine in hand  Exchanging a secret gesture when approaching each other ...

11. 11 Covert Channels – Definition and Examples (2)  How programmers create covert channels?  Providing pgm with built-in Trojan horse  Uses covert channel to communicate extracted data  Example: pgm w/ Trojan horse using covert channel  Should be: Protected Legitimate Data User  Is: Protected Legitimate Data User [ w/ Trojan h. ] covert channel Spy (Spy - e.g., programmer who put Trojan into pgm; directly or via Spy Pgm)

12. 12 Covert Channels – Definition and Examples (3)  How covert channels are created? I.e., How leaked data are hidden?  Example: leaked data hidden in output reports (or displays)  Different ‘marks’ in the report: (cf. Fig. 3-12, p.143)  Varying report format  Changing line length / changing nr of lines per page  Printing or not certain values, characters, or headings - each ‘mark’ can convey one bit of info

13. 13 Covert Channels – Definition and Examples (4)  Example – ctd.  How Trojan within pgm can leak a 4-bit value of a protected variable X? cf. Fig. 3-12, p.143 Trojan signals value of X as follows:  Bit-1 = 1 if >1 space follows ‘ACCOUNT CODE:’; 0 otherwise  Bit-2 = 1 if last digit in ‘seconds’ field is >5; 0 otherwise  Bit-3 = 1 if heading uses ‘TOTALS’; 0 otherwise (uses ‘TOTAL’)  Bit-4 = 1 if no space follows subtotals line; 0 otherwise => For the values as in this Fig, Trojan signaled and spy got: X = ‘1101’

14. 14 ii. Types of Covert Channels  Types of covert channels  Storage covert channels  Convey info by presence or absence of an object in storage  Timing covert channels  Convey info by varying the speed at which things happen

15. 15 iii. Storage Channels (1)  Example of storage channel: file lock covert channel  Protected variable X has n bits: X1,..., Xn  Trojan within Service Pgm leaks value of X  Trojan and Spy Pgm synchronized, so can „slice” time into n intervals  File FX (not used by anybody else)  To signal that Xk=1, Trojan locks file FX for interval k (1≤ k ≤ n) To signal that Xk=0, Trojan unlocks file FX for interval k  Spy Pgm tries to lock FX during each interval If it succeds during k-th interval, Xk = 0 (FX was unlocked) Otherwise, Xk = 1 (FX was locked) (see Fig. 3-13, 3-14 – p.144-145)  Q: Why FX should not be used by anybody else?

16. 16 Storage Channels (2)  Example of storage channel: file lock covert channel ...  Q: Why FX should not be used by anybody else?  A: Any other user lockin/unlocking FX would interfere with Trojan’s covert channel signaling.  Isn’t such bit-by-bit signaling too slow? No – bec. computers are very fast!  E.g., 10-100 bits/millisecond (10K – 100K b/s) is very slow for computers It still can leak entire P&P textbook in just minutes

17. 17 Storage Channels (3)  Examples of covert storage channels (synchronized intervals!) Covert channels can use:  File locks (discussed above)  Disk storage quota  To signal Xk=1, Trojan create enormous file (consuming most of available disk space)  Spy Pgm attempts to create enormous file. If Spy fails (bec. no disk space available), Xk = 1; otherwise, Xk = 0  Existence of a file  To signal Xk=1, Trojan creates file FX (even empty file)  Spy Pgm atempts to create file named FX. If Spy fails (bec. FX already exists), Xk = 1; otherwise, Xk = 0  Other resources - similarly

18. 18 Storage Channels (4)  Covert storage channels require:  Shared resource  To indicate Xk=1 or Xk=0  Synchronized time  To know which bit is signaled: in interval k, Xk is signaled

19. 19 iv. Timing Channels  Recall: Timing channels convey info by varying the speed at which things happen  Simple example of timing channel:  Multiprogramming system „slices” processor time for programs running on the processor  2 processes only: Trojan (Pgm w/ Trojan) and Spy Pgm  Trojan receives all odd slices (unless abstains) Spy Pgm receives all even slices (unless abstains)  Trojan signals Xk=1 by using its time slice, signals Xk=0 by abstaining from using its slice see: Fig.3-15, p.147 – how ‘101’ is signaled Details: Trojan takes Slice 1 (its 1st slice) signaling X1=1 Trojan abstains from taking Slice 3 (its 2nd slice) signaling X2=0 Trojan takes Slice 5 (its 3rd slice) signaling X3=1

20. 20 v. Identifying Potential Covert Channels (1)  Covert channels are not easy to identify  Otherwise wouldn’t be covert, right?  Two techniques for locating covert channels: 1) Shared Resource Matrix 2) Information Flow Method

21. 21 Identifying Potential Covert Channels (2) 1) The Shared Resource Matrix method  Shared resource is basis for a covert channel => identify shared resources and processes reading/writing them  Step 1: Construct Shared Resource Matrix Rows — resources Columns — processes that access them: R = observe resource M = modify/set/create/delete resource Example Process 1Process 2 Lock on FXR, M X (confid.)R

22. 22 Identifying Potential Covert Channels (3) ...  Step 2: Look for pattern: Meaning of this pattern: Process Pj can get value of Resource Rn via Process Pi (and a covert channel)  Q: Do you see such a pattern in SRM above? PiPj RmMR RnR Pgm 1Pgm 2 Lock on FXR, M X (confid.)R

23. 23 Identifying Potential Covert Channels (4) ...  Step 2: Look for pattern: Meaning of this pattern: Process Pj can get value of Resource Rn via Process Pi (and a covert channel)  Q: Do you see such a pattern in SRM above?  A: Yes. Process 2 can get value of X via Process 1 (no surprise: Proc. 1 & 2 are Trojan & Spy from earlier example) ij mMR nR Process 1Process 2 Lock on FXR, M X (confid.)R

24. 24 Identifying Potential Covert Channels (5) 2) Information Flow Method  Flow analysis of pgm’s syntax  Can be automated within a compiler  Identifies non-obvious flows of info between pgm statements  Examples of flows of info between pgm stmts  B:= A – an explicit flow from A to B  B:= A; C:=B – an explicit flow from A to C (via B)  IF C=1 THEN B:=A – an explicit flow from A to B – an implicit flow from C to B (bec. B can change iff C=1)

25. 25 Identifying Potential Covert Channels (6)  More examples of flows of info between pgm stmts [textbook and J. Leiwo]

26. 26 Identifying Potential Covert Channels (7)  Steps of Information Flow Method (IFM) 1)Analyze statements 2)Integrate results to see which outputs affected by which inputs  Variants of IFM: 1)IFM during compilation 2)IFM on design specs

27. 27 Covert Channels - Conclusions  Covert channels are a serious threat to confidentiality and thus security („CIA” = security)  Any virus/Trojan horse can create a covert channel  In open systems — no way to prevent covert channels  Very high security systems require a painstaking and costly design preventing (some) covert channels  Analysis must be performed periodically as high security system evolves

28. 28 End of Class 15