95-752:8-1

Application Security

95-752:8-2

Malicious Code• Vulnerable Software• Hacker toolkits• Back/Trapdoors• Greedy Programs / Logic bombs• Salami Attacks• Trapdoors• Worms/Viruses• Bot Networks

95-752:8-3

Vulnerable Software

• Buffer overflows• Insecure running environment• Insecure temporary files• Insecure program calls• Weak encryption• Poor programming• “If people built buildings the way that

programmers write software, the first woodpecker to come along would destroy civilization.”

95-752:8-4

Handling Vulnerabilities

• Locating

• Dealing with vendors

• Applying patches

• Disabling services

• Reconfiguring software/services

95-752:8-5

Hacker ToolkitsPrograms that automatically scan for

security problems on systems– Useful for system administrators to find

problems for fixing– Useful for hackers to find problems for

exploitation

Examples:– SATAN– COPS– ISS

Countermeasure: Detection Software

95-752:8-6

Back/Trapdoors• Pieces of code written into applications of

operating systems to grant programmers easy access

• Useful for debugging and monitoring• Too often, not removed• Examples:

– Dennis Richie’s loging/compiler hack– Sendmail DEBUG mode

• Countermeasures– Sandboxing– Code Reviews

95-752:8-7

Logic Bombs• Pieces of code to cause undesired effects

when event occurs• Used to enforce licenses (time-outs)• Used for revenge by disgruntled• Can be hard to determine malicious• Examples

– British accounting firm logic bomb– British bank hack

• Countermeasures– Personnel security

95-752:8-8

Viruses

• Pieces of code that attach to existing programs• Not distinct program• No beneficial use – VERY destructive• Examples:

– Michelangelo

– Love letter

• Countermeasures– Virus detection/disinfection software

95-752:8-9

Structure of a Virus

• Marker: determine if a potential carrier program has been previously infected

• Infector: Seeks out potential carriers and infects

• Trigger check: Establishes if current conditions are sufficient for manipulation

• Manipulation: Carry out malicious task

95-752:8-10

Types of Viruses

• Memory-resident

• Hardware

• Buffered

• Hide-and-seek

• Live-and-die

• Boot segment

• Macro

95-752:8-11

Worms• Stand-alone programs that copy themselves

from system to system• Some use in network computation• Examples:

– Dolphin worm (Xerox PARC)– Code Red (2001, $12B cost)– Morris Worm (1988, $20M cost)

• Countermeasures– Sandboxing– Quick patching: fix holes, stop worm

95-752:8-12

Trojan Horses

• Programs that have malicious covert purpose• Have been used for license enforcement• Examples:

– FIX2001– AOL4FREE– RIDBO

• Countermeasures– Sandboxing– Code reviews

95-752:8-13

Greedy Programs• Programs that copy themselves• Core wars• Have been used in destructive web pages,

standalone programs• Can be very difficult to show deliberate usage• Countermeasures:

– CPU quotas on process families– Process quotas– Review of imported software & web pages

95-752:8-14

Bot Networks

• Collections of compromised machines• Typically, compromised by scripts• Respond to commands, perhaps encrypted• Examples:

LeavesCode Red II

• Countermeasures: Vul patching, Integrity checks