Published by Vivien McBride. Modified over 8 years ago.
1
Program Security: Malicious Code
2
CSCE 522 - Farkas
Reading
Required:
– Denning, Chapter 10
Recommended:
– USC Computing Services – Virus Information Center
– Ukrainian computer systems attacked by sophisticated malware with "Russian roots", Homeland Security News Wire, March 10, 2014, http://www.homelandsecuritynewswire.com/dr20140310-ukrainian-computer-systems-attacked-by-sophisticated-malware-with-russian-roots
– NSA planted sleeper malware in 50,000 computer networks, Homeland Security News Wire, Dec. 11, 2013, http://www.homelandsecuritynewswire.com/dr20131211-nsa-planted-sleeper-malware-in-50-000-computer-networks
3
Who needs to be aware of malware?
4
Slammer Worm
– January 25, 2003: 75,000 victims within 10 minutes
– Buffer overflow exploitation of Microsoft SQL Server and Desktop Engine database
– Used UDP packets to propagate
– Code: 376 bytes (fit within a single packet)
– Demo: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.html
– Interesting read: Moore et al., Inside the Slammer Worm, IEEE Security and Privacy, 2003, http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf
5
Program Logic
Program logic is used to model the programming-language instructions carried out by the computer when the program is executed (a blueprint of the program).
[Figure: Logic Model → Program Statements]
6
Program Flaws
Taxonomy of flaws, by
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system.
Interesting read: Landwehr et al., A Taxonomy of Computer Program Security Flaws with Examples, NRL, 1993, http://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
7
Security Flaws by Genesis
Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error
8
Flaws by Time
Time of introduction
– During development
  Requirement/specification/design
  Source code
  Object code
– During maintenance
– During operation
9
Flaws by Location
Location
– Software
  Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
  Support: privileged utilities, unprivileged utilities
  Application
– Hardware
10
Malware
– Tools to attack computer systems
– Assume an authorized user's identity, so traditional access control becomes useless
– New types:
  – Scareware: causes shock, anxiety, or the perception of threat
  – Ransomware: holds computers or data hostage, demanding ransom
11
Malware History
– 1980: first virus written on the Apple II
– 1982: Elk Cloner
– 1983: the term "virus"
– 1984: experiment shows a virus can spread; BLP did not control virus spread
– 1988: Internet Worm
– 1990: antivirus software
– 2000s: virus mitigation
12
Kinds of Malicious Code
Virus: a program that attaches copies of itself into other programs.
– Propagates and performs some unwanted function
– Not a program in its own right: viruses cannot run on their own
Bacteria: make copies of themselves
– Overwhelm a computer system's resources
13
Kinds of Malicious Code
Worm: a program that propagates copies of itself through the network.
– Independent program
– May carry other code, including programs and viruses
Trojan Horse: secret, undocumented routine embedded within a useful program.
– Execution of the program results in execution of the secret code
14
Kinds of Malicious Code
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered.
– When triggered, malicious code is executed
Trapdoor: secret, undocumented entry point into a program.
– Used to grant access without the normal methods of access authentication
Dropper: not a virus or an infected file.
– When executed, it installs a virus into memory, onto the disk, or into a file
15
Virus
Virus lifecycle:
1. Dormant phase: the virus is idle (not all viruses have this stage).
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.
16
How a Virus Works (pseudocode)
  begin
    if spread-condition then
    begin
      for some set of target files do
      begin
        if target is not infected then
          determine where to place virus instructions
          copy virus instructions into target
          alter target to execute added instructions
        endif
      endfor
    endif
    perform some action
    go to beginning of infected program
  end
17
Virus Types
Parasitic virus: the most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory-resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.
18
Virus Types
Boot sector viruses:
– Infect the boot record and spread when the system is booted
– Gain control of the machine before the virus detection tools
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS
– Brain virus for the IBM PC (first reported 1987)
19
Virus Types
Executable infectors: infect executable programs
– Jerusalem (Israeli) virus: executes on Friday the 13th if the year is NOT 1987; destructive payload
Multipartite virus: can infect either the boot sector or applications
TSR virus: terminate and stay resident. Stays resident in memory after the application has terminated
20
Virus Types
Stealth virus: explicitly designed to hide from detection by antivirus software.
Polymorphic virus: mutates with every infection, making detection by the "signature" of the virus difficult.
Encrypted virus: avoids detection by encrypting the virus code, except for the decryption routine.
21
Theory of Computer Viruses
It is undecidable whether an arbitrary program contains a computer virus.
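A sketch of the argument behind this slide, added here and not part of the original deck; it follows Cohen's 1987 contradiction proof. Suppose a procedure $D$ existed that decides, for any program $P$, whether $P$ is a virus. A program can read its own code, so one can construct

$$
P^{*} \;=\; \begin{cases}
\text{halt without infecting anything} & \text{if } D(P^{*}) = \text{virus},\\[2pt]
\text{copy } P^{*} \text{ into other programs} & \text{if } D(P^{*}) = \text{not virus}.
\end{cases}
$$

If $D(P^{*})$ answers "virus", then $P^{*}$ never spreads, so it is not a virus and $D$ is wrong; if $D(P^{*})$ answers "not virus", then $P^{*}$ spreads, so it is a virus and $D$ is again wrong. Either way $D$ errs on $P^{*}$, so no such decision procedure can exist.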
22
How Viruses Gain Control
Virus V has to be invoked instead of target T.
– V overwrites T
– V changes pointers from T to V
High-risk virus properties:
– Hard to detect
– Hard to destroy
– Spreads infection widely
– Can re-infect
– Easy to create
– Machine independent
23
True or False:
1. Viruses can infect only Microsoft Windows systems
2. Viruses can modify "hidden" or "read-only" files
3. Viruses spread only on disks or only in e-mail
4. Viruses cannot infect hardware
5. Viruses can be malevolent, benign, or benevolent
24
Defenses
Detect
Block execution
– Behavior monitoring
– Reduced rights of users
– Sandboxing
– Suspicious modifications
– Proof-carrying code
25
Detection: Virus Signatures
Storage pattern
– Code always located at a specific address
– Increased file size
Execution pattern
Transmission pattern
Polymorphic viruses
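An added example, not from the slides, showing the two detection ideas above (byte signatures, and the "suspicious modifications" / increased-file-size storage pattern from the Defenses slide) on constructed in-memory byte strings. The "virus body", decryptor stub, XOR key and file names are all made up for the demonstration; it also shows why a plain body signature misses an encrypted variant while a signature on the fixed decryptor stub or an integrity baseline still catches it.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "files" as byte strings (not real malware, not real signatures).
CLEAN_PROGRAM = b"MZ\x90\x00" + b"hello world program " * 4
VIRUS_BODY = b"DEMOVIRUS_v1"             # constructed marker standing in for a virus body
DECRYPT_STUB = b"\xb9\x10\x00\x80\x30"  # constructed bytes standing in for a decryptor stub

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here only to build the 'encrypted' sample."""
    return bytes(b ^ key for b in data)

# Storage pattern: the infected copy is the clean file with the body appended (file grows).
INFECTED_PROGRAM = CLEAN_PROGRAM + VIRUS_BODY
# Encrypted variant: the same body XOR-encoded, preceded by the fixed decryptor stub.
ENCRYPTED_VARIANT = CLEAN_PROGRAM + DECRYPT_STUB + xor_bytes(VIRUS_BODY, 0x5A)

SIGNATURES: Dict[str, bytes] = {
    "demo-virus-body": VIRUS_BODY,        # misses the encrypted variant
    "demo-virus-decryptor": DECRYPT_STUB,  # the part that must stay in clear text
}

def scan(data: bytes) -> List[str]:
    """Signature detection: names of every known byte pattern found in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 of each known-good file for later modification checks."""
    return {path: (len(d), hashlib.sha256(d).hexdigest()) for path, d in files.items()}

def suspicious_modifications(base: Dict[str, Tuple[int, str]],
                             files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Flag files that grew, changed, or appeared since the baseline was taken."""
    findings = []
    for path, data in files.items():
        if path not in base:
            findings.append((path, "new file"))
            continue
        size, digest = base[path]
        if len(data) > size:
            findings.append((path, f"grew by {len(data) - size} bytes"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "content changed, same size"))
    return findings

if __name__ == "__main__":
    known_good = baseline({"editor.exe": CLEAN_PROGRAM})
    print("signatures:", scan(INFECTED_PROGRAM), scan(ENCRYPTED_VARIANT))
    print("integrity:", suspicious_modifications(known_good, {"editor.exe": ENCRYPTED_VARIANT}))
```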
26
Antivirus Approaches
Detection: determine that an infection has occurred and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.
27
Preventing Virus Infection
Prevention:
– Install software only from a good (trusted) source
– Isolated testing phase
– Use virus detectors
  – Top 10 antivirus detection 2014, http://www.top10antivirussoftware.com/
Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources
28
Worm
Self-replicating (like a virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., via host tables)
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes
29
Covert Channel - Trojan Horse
[Figure: John and Spy. Only John is permitted to access the document. A Trojan Horse (TH) installed in MS Word copies John's document into the Spy's document copy.]
30
Covert Channel
Need: two active agents
– Sender (has access to unauthorized information), e.g., the TH in MS Word
– Receiver (reads the sent information), e.g., the program creating the copy
Encoding schema: how the information is sent
– e.g., file F exists → 0; file F does not exist → 1
Synchronization
– e.g., when to check for the existence of F
31
Storage Covert Channels
Based on properties of resources
Examples:
– File locks
– Delete/create file
– Memory allocation
32
Timing Covert Channels
Time is the factor: how fast something happens
Examples:
– Processing time
– Transmission time
33
Covert Channel Detection and Removal
Identification:
– Shared resources
– Program code correctness
– Information flow analysis
Removal:
– Total removal may not be possible
– Reduce bandwidth