Download presentation
Presentation is loading. Please wait.
Published byJonas Hodges Modified over 9 years ago
1
CSCE 522 Lecture 12 Program Security Malicious Code
2
CSCE 522 - Farkas2 Reading Reading for this lecture: Required: – Pfleeger: Ch. 3 Recommended: – USC Computing Services – Virus Information Center – L. Constantin, Eastern European cybercriminals trump Asian counterparts, researchers say, http://www.computerworld.com/s/article/9231563/Easte rn_European_cybercriminals_trump_Asian_counterpart s_researchers_say?taxonomyId=82&pageNumber=1 http://www.computerworld.com/s/article/9231563/Easte rn_European_cybercriminals_trump_Asian_counterpart s_researchers_say?taxonomyId=82&pageNumber=1
3
CSCE 522 - Farkas3 Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system
4
CSCE 522 - Farkas4 Security Flaws by Genesis Genesis – Intentional Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus Non-malicious – Inadvertent Validation error Domain error Serialization error Identification/authentication error Other error
5
CSCE 522 - Farkas5 Flaws by time Time of introduction – During development Requirement/specification/design Source code Object code – During maintenance – During operation
6
CSCE 522 - Farkas6 Flaws by Location Location – Software Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other Support: privileged utilities, unprivileged utilities Application – Hardware
7
CSCE 522 - Farkas7 Slammer Worm The Slammer worm (Sapphire worm) was the fastest worm in history – Start: Saturday, Jan. 25, 2003 – Doubled in size every 8.5 seconds at its peak – Infected more than 90 percent of the vulnerable hosts within 10 minutes using a vulnerability in Microsoft's SQL Server – Total infected: more than 75,000 hosts – Flooded networks all over the world, caused disruptions to financial institutions, ATMs, and even an election in Canada – http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/map s.html http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/map s.html
8
CSCE 522 - Farkas8 History 1982: Elk Cloner 1983: “virus” 1988: Internet Worm 1990: antivirus software 2000s: virus mitigation
9
CSCE 522 - Farkas9 Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not programs - they cannot run on their own. Bacteria: make copies of themselves to overwhelm a computer system's resources. Denying the user access to the resources.
10
CSCE 522 - Farkas10 Kinds of Malicious Code Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses. Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of secret code.
11
CSCE 522 - Farkas11 Kinds of Malicious Code Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed. Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication. Dropper: Not a virus or infected file. When executed, it installs a virus into memory, on to the disk, or into a file.
12
CSCE 522 - Farkas12 Virus Virus lifecycle: 1. Dormant phase: the virus is idle. (not all viruses have this stage) 2. Propagation phase: the virus places an identical copy of itself into other programs of into certain system areas. 3. Triggering phase: the virus is activated to perform the function for which it was created. 4. Execution phase: the function is performed. The function may be harmless or damaging.
13
CSCE 522 - Farkas13 Virus Types Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed. Memory resident virus: lodged in main memory as part of a resident system program. Virus may infect every program that executes.
14
CSCE 522 - Farkas14 Virus Types Boot Sector Viruses: – Infects the boot record and spreads when system is booted. – Gains control of machine before the virus detection tools. – Very hard to notice – Carrier files: AUTOEXEC.BAT, CONFIG.SYS,IO.SYS
15
CSCE 522 - Farkas15 Virus Types Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software. Polymorphic virus: a virus that mutates with every infection making detection by the “signature” of the virus difficult.
16
CSCE 522 - Farkas16 How Viruses Append Original program virus Original program virus Virus appended to program +=
17
CSCE 522 - Farkas17 How Viruses Append Original program virus Original program Virus-1 Virus surrounding a program += Virus-2
18
CSCE 522 - Farkas18 How Viruses Append Original program virus Original program Virus-1 Virus integrated into program += Virus-2 Virus-3 Virus-4
19
CSCE 522 - Farkas19 How Viruses Gain Control Virus V has to be invoked instead of target T. – V overwrites T – V changes pointers from T to V High risk virus properties: – Hard to detect – Hard to destroy – Spread infection widely – Can re-infect – Easy to create – Machine independent
20
CSCE 522 - Farkas20 Virus Signatures Storage pattern – Code always located on a specific address – Increased file size Execution pattern Transmission pattern Polymorphic Viruses
21
CSCE 522 - Farkas21 Antivirus Approaches Detection: determine infection and locate the virus. Identification: identify the specific virus. Removal: remove the virus from all infected systems, so the disease cannot spread further. Recovery: restore the system to its original state.
22
CSCE 522 - Farkas22 Preventing Virus Infection Prevention: Good source of software installed Isolated testing phase Use virus detectors Limit damage: Make bootable diskette Make and retain backup copies important resources
23
CSCE 522 - Farkas23 Worm Self-replicating (like virus) Objective: system penetration (intruder) Phases: dormant, propagation, triggering, and execution Propagation: – Searches for other systems to infect (e.g., host tables) – Establishes connection with remote system – Copies itself to remote system – Execute
24
CSCE 522 - Farkas24 Covert Channel - Trojan Horse John Spy Only John is permitted to access the document MS Word Document Spy’s Document copy TH install copy
25
CSCE 522 - Farkas25 Covert Channel Need: Two active agents – Sender (has access to unauthorized information) – e.g., TH in MS Word – Receiver ( reads sent information) – e.g., program creating the copy Encoding schema – How the information is sent – e.g., File F exists 0 File F is does not exist 1 Synchronization – e.g., when to check for existence of F
26
CSCE 522 - Farkas26 Storage Covert Channels Based on properties of resources Examples: – File locks – Delete/create file – Memory allocation
27
CSCE 522 - Farkas27 Timing Covert Channel Time is the factor – how fast Examples: – Processing time – Transmission time
28
CSCE 522 - Farkas28 Covert Channel Detection and Removal Identification: Shared resources Program code correctness Information flow analysis Removal: Total removal – may not be possible Reduce bandwidth
29
CSCE 522 - Farkas29 Next Class Network Security
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.