Defense against the Dark Arts
Overview / Terminology
cr4bd/4630/S2017/slides/... · 2017. 1. 18.
malware
“evil software”
display a funny message
send passwords/credit card numbers to criminals
take pictures to send to criminals
delete data
hold data hostage
insert/replace ads in webpages
…
viruses
malware that inserts itself into another program
“infects” other programs when run
usually modifies executables directly
macro viruses
Word, Excel, other office software support macros
scripts embedded in Word/Excel/etc. documents
viruses written in a scripting language
Visual Basic for Applications
spread to office documents, not executables
easily spread in corporate environments
vendor reaction: macros disabled by default now
all viruses?
some sources call almost all malware viruses
or all self-propagating malware
I won’t — but I will avoid testing you on this
goal of hierarchy is knowing variety, not characterizing
worms
independent program
usually “blends in” with system programs
copies itself to other machines or USB keys, etc.
sometimes configures systems to run it automatically
trojan (horse)s
useful-looking program that is malware:
‘cracked’ version of commercial software
fake anti-virus software
or looks like useful PDF doc…
maybe is (or not), but also does something evil
common form for targeted attacks
potentially unwanted programs
unwanted software bundled with wanted software
sometimes disclosed but in deceptive fine print
sometimes considered malware, sometimes not
rootkit
root = full privileges
common name for Unix administrator account
rootkit = malware for maintaining full control
thing that malware/attackers install
rootkits evade removal, detection
e.g. program made invisible to “task manager”/ps
e.g. reinstall malware if removed “normally”
logic bomb
dormant malicious code
e.g. from disgruntled employee before quitting
vulnerabilities
trojans: the vulnerability is the user
and/or the user interface
otherwise?
software vulnerability
unintended program behavior
that can be used by an adversary
vulnerability example
website able to install software without prompting
not intended behavior of web browser
software vulnerability classes (1)
memory safety bugs
problems with pointers
big topic in this course
“injection” bugs — type confusion
commands/SQL within name, label, etc.
integer overflow/underflow
…
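An added example (not from the slides) of the integer overflow class listed above, in C: a length check on a constructed record format that wraps around in 32-bit arithmetic, beside a rearranged check that cannot wrap. The record layout and the sample inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example: a 4-byte little-endian
 * payload length followed by the payload bytes. */
#define HDR_LEN 4u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable bounds check: HDR_LEN + len is computed in 32-bit unsigned
 * arithmetic, so a length near UINT32_MAX wraps to a small number and the
 * check passes even though the payload is far larger than the buffer. */
bool record_fits_vulnerable(uint32_t len, uint32_t total)
{
    return HDR_LEN + len <= total;
}

/* Hardened bounds check: subtract instead of add, after making sure the
 * subtraction itself cannot underflow. No expression here can wrap. */
bool record_fits_safe(uint32_t len, uint32_t total)
{
    if (total < HDR_LEN)
        return false;
    return len <= total - HDR_LEN;
}

/* Parse one record from buf. Returns the accepted payload length, or -1
 * if the record is rejected. `hardened` selects which check is used. */
long parse_record(const uint8_t *buf, uint32_t total, bool hardened)
{
    if (total < HDR_LEN)
        return -1;
    uint32_t len = read_le32(buf);
    bool ok = hardened ? record_fits_safe(len, total)
                       : record_fits_vulnerable(len, total);
    if (!ok)
        return -1;
    /* A real parser would now read buf + HDR_LEN for len bytes; with the
     * vulnerable check that read runs far past the end of buf. */
    return (long)len;
}

/* Constructed inputs: a well-formed 4-byte payload, and a record whose
 * length field is 0xFFFFFFFE, chosen so that 4 + len wraps to 2. */
static const uint8_t GOOD_RECORD[8] = { 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd' };
static const uint8_t HUGE_RECORD[8] = { 0xFE, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd' };

/* Wrappers so each outcome is a returned value. */
long parse_good(bool hardened) { return parse_record(GOOD_RECORD, sizeof GOOD_RECORD, hardened); }
long parse_huge(bool hardened) { return parse_record(HUGE_RECORD, sizeof HUGE_RECORD, hardened); }

int main(void)
{
    printf("good record, vulnerable check: %ld\n", parse_good(false)); /* 4 */
    printf("good record, hardened check:   %ld\n", parse_good(true));  /* 4 */
    printf("huge record, vulnerable check: %ld\n", parse_huge(false)); /* accepted, not -1 */
    printf("huge record, hardened check:   %ld\n", parse_huge(true));  /* -1: rejected */
    return 0;
}
```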
software vulnerability classes (2)
not checking inputs/permissions
http://webserver.com/../../../../file-I-shouldn't-get.txt
almost any “undefined behavior” in C/C++
synchronization bugs: time-of-check to time-of-use
… more?
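An added example (not from the slides) for the unchecked-input item above, in C: an unchecked join that lets the slide's `../../../../file-I-shouldn't-get.txt` request leave the document root, beside a lexical resolver that refuses any path climbing above the root. The document root `/var/www` and the helper names are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The unchecked version: the request path is appended to the document root
 * as-is, so "/../../../../file-I-shouldn't-get.txt" walks out of the root. */
void join_unchecked(const char *root, const char *request, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s%s", root, request);
}

/* Lexically resolve `request` against `root` (absolute, no trailing slash).
 * Returns true and writes the resolved path to `out` if every ".." stays
 * inside root; returns false if the path would climb above it.
 * This is a lexical check only: percent-decoding must happen before it, and
 * symlinks inside root still need a realpath()-based check in a real server. */
bool resolve_under_root(const char *root, const char *request, char *out, size_t outlen)
{
    size_t rootlen = strlen(root);
    if (rootlen + 1 > outlen)
        return false;
    memcpy(out, root, rootlen);
    size_t pos = rootlen;                 /* next write position in out */
    const char *p = request;

    while (*p) {
        while (*p == '/')                 /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;                     /* "." is a no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (pos == rootlen)
                return false;             /* ".." with nothing to pop: escape */
            while (out[pos - 1] != '/')   /* pop the previous segment ... */
                pos--;
            pos--;                        /* ... and the '/' we wrote before it */
            continue;
        }
        if (pos + 1 + seglen + 1 > outlen)
            return false;                 /* no room for "/seg" plus NUL */
        out[pos++] = '/';
        memcpy(out + pos, seg, seglen);
        pos += seglen;
    }
    out[pos] = '\0';
    return true;
}

/* Helpers that return the verdict as a value. */
bool request_rejected(const char *root, const char *request)
{
    char out[256];
    return !resolve_under_root(root, request, out, sizeof out);
}

bool request_resolves_to(const char *root, const char *request, const char *expected)
{
    char out[256];
    return resolve_under_root(root, request, out, sizeof out) && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *attack = "/../../../../file-I-shouldn't-get.txt";  /* the slide's example */
    char out[256];
    join_unchecked("/var/www", attack, out, sizeof out);
    printf("unchecked join:  %s\n", out);
    printf("checked resolve: %s\n", request_rejected("/var/www", attack) ? "rejected" : "allowed");
    return 0;
}
```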
vulnerability versus exploit
exploit — something that uses a vulnerability to do something
proof-of-concept — something = demonstration the exploit is there
example: open a calculator program
malware logistics: how?
what are they written in?
malware languages (1)
assembly language/machine code
hand-coded or partially hand-coded
vulnerabilities deal with machine code/memory layout
better for hiding malware from anti-malware tools
malware languages (2)
high-level scripting languages
fast prototyping
maintainability/efficiency not priority
sometimes malicious scripts
non-machine-code parts can use anything!
sometimes specialized “toolkits”
example: Virus Construction Kit
malware spreading
vulnerable network-accessible services
shared files/folders
autorun on USB sticks
macros in Word/Excel/etc. files
email attachments
websites + browser vulnerabilities
JavaScript interpreter bugs
Adobe Flash Player bugs
malware defenses (1)
“antivirus” software:
Windows Defender
avast!
Avira
AVG
McAfee
…
malware defenses (2)
app stores/etc. filtering (in theory)
require developer registration
blacklisting after the fact?
“sandboxing” policies
don’t let, e.g., game access your taxes
malware defenses (3)
some email spam filters
blacklists for web browsers
Google Safe Browsing list (Chrome, Firefox)
Microsoft SmartScreen (IE, Edge)
malware counter-defenses
malware authors try to make it hard to detect
obfuscation:
make code harder to read
make code different each time
blend in with normal files/applications/etc.
Morris worm mechanisms
used vulnerabilities in some versions of:
mail servers (sendmail)
user information servers (fingerd)
also spread using rsh/rexec (predecessor to ssh)
hid by being called sh (default shell)
strings obscured slightly in binary
Eichin and Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988”
the early Internet
pretty homogeneous — almost all Unix-like systems
sendmail was “the” email server to run
most institutions vulnerable
Morris worm intent versus effect
code in viruses tried to avoid “reinfecting” machines
… but not actually effective
Stuxnet
targeted Iranian nuclear enrichment facilities
physically damaged centrifuges
designed to spread via USB sticks
publicly known 2010, deployed 2009
US + Israel gov’t developed
according to press reports
Ransomware
encrypt files, hold for “ransom”
decryption key stored only on attacker-controlled server
possibly decrypt files if victim pays
many millions in revenues
accurate numbers are hard to find
ad injection (1)
internet advertising is big business
… but you need to pay websites to add ads?
how about modifying browser to add/change ads
mostly bundled with legitimate software
From Thomas et al, “Ad Injection at Scale: Assessing Deceptive Advertisement Modifications”
ad injection (2)
5% of Google-accessing clients (2014)
>90% using code from VC-backed firm SuperFish:
$19.3 M in investment (CrunchBase)
$38M in revenue (Forbes, 2015)
defunct after Lenovo root CA incident (2015)
… but founders reportedly started a new, similar venture
(JustVisual; according to TechCrunch)
Adware prevalence: Thomas et al, “Ad Injection at Scale: Assessing Deceptive Advertisement Modifications”
stealing banking credentials
From Haslebacher et al, “All Your Cards Are Belong To Us: Understanding Online Carding Forums”, arXiv preprint 1607.0017v1
web-camera blackmail
flooding websites
distributed denial of service
example: October 2016 against DNS provider Dyn
used by Twitter, GitHub, Amazon, …, …
monetized DDoS
other motivations
“cloud” of hijacked machines for computation
pride, vengeance (website defacement, etc.)
…
why talk about why/what?
doesn’t change malware much
(also, not a likely topic later in this course)
…but, attacking monetization is a real strategy
attacker’s willingness to spend?
Website
linked off Collab
https://www.cs.virginia.edu/~cr4bd/4630/S2017/
will include slides, assignments, lecture recordings
lectures and attendance
I recommend coming to lecture
I will not be taking attendance (except exams)
Lectures will be recorded
Prerequisites
technically CS 2150
CS 3330 will be very helpful
things from 3330 we care about
more review of x86 assembly
exceptions and virtual memory
(but probably not in much detail)
Exams/Assignments
many approx. one week assignments
two midterms — schedule on website
one final
can’t make it? need accommodations? tell us ASAP!
Textbook
no required textbook
optional materials:
Szor, The Art of Computer Virus Research and Defense
I can recommend more general books, too
TAs/Office Hours
TAs posted on website
my office hours posted on website
TA office hours will be posted
Piazza, etc.
Piazza — linked off Collab
TAs and I should be monitoring
anonymous feedback on Collab
(almost) always appreciated
Misc. Policies
possibly exceptional circumstances? ask!
there is a late policy
assignments are individual
don’t cheat
don’t know if it’s cheating? ask!
On Ethics
don’t use someone’s computer without their permission
or in excess of what they’ve permitted
don’t assume it’s just a harmless prank
unintended (but likely) consequences
don’t assume the system owner would give you permission
if you’re afraid to ask, it’s not okay
On Law
probably illegal (Federal and/or State crime):
accessing computers without authorization
even if nothing is done with the access
deliberately overloading a service
“backhacking” into a malware operator’s machine
deploying a worm that patches security holes
ethics pledge — please read and sign
on website, or I have copies
questions about ethics?
VM
homework assignments
first assignment — get an appropriate VM working
VM environment
64-bit Ubuntu 16.04 LTS
some assignments will require exactly this
(not some other Linux, not 32-bit)
VM problems?
tiny possibility your machine can’t run 64-bit VM
(no CPU support — not “it’s hard to setup”)
we can find alternative solutions for you
talk to us!
related assignment
due 27 Jan (week from Friday) at 5PM
assignment on website
submission on Collab
next time: on VMs
virtual machines — what, why, how
virtual machines and malware
topics outline
prerequisite: assembly review
malware history
cat-and-mouse: anti-malware
software vulnerabilities
memory management related
bonus topics:
“safe” languages
web browser security
Conclusion
malware: “evil” software
originally — thrill? proof of concept?
commonly — monetary motives
vulnerabilities:
exploitable unintended program behavior