Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where...

Lecture 14 Overview


Program Flaws

• Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system

2CS 450/650 Lecture 14: Program Flaws


Security Flaws by Genesis

• Genesis
– Intentional
  • Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  • Non-malicious
– Inadvertent
  • Validation error
  • Domain error
  • Serialization error
  • Identification/authentication error
  • Other error


Flaws by time

• Time of introduction
– During development
  • Requirement/specification/design
  • Source code
  • Object code
– During maintenance
– During operation


Flaws by Location

• Location
– Software
  • Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
  • Support tools: privileged utilities, unprivileged utilities
  • Application
– Hardware


Malware Evolution

• 1980s
– Malware for entertainment (pranks)
– 1983: “virus”
– 1988: Internet Worm
• 1990s
– Malware for social status / experiments
– 1990: antivirus software
• Early 2000s
– Malware to spam
• Mid 2000s
– Criminal malware


Lecture 15

Malicious Codes

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Csilla Farkas and Brandon Phillips


Kinds of Malicious Codes

• Virus: a program that attaches copies of itself into other programs
– Propagates and performs some unwanted function
– Viruses are not programs
– Definition from RFC 1135: “A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.”

8CS 450/650 Lecture 15: Malicious Codes


Kinds of Malicious Code

• Worm: a program that propagates copies of itself through the network
– Independent program
– May carry other code, including programs and viruses
– Definition from RFC 1135: “A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.”


Kinds of Malicious Code

• Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources
– Denying the user access to the resources
• Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered
– When triggered, malicious code is executed


Kinds of Malicious Code

• Trojan Horse: secret, undocumented routine embedded within a useful program
– Execution of the program results in execution of the secret code
• Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication
• Dropper: not a virus or infected file
– When executed, it installs a virus into memory, onto the disk, or into a file


Malware Proliferation

(figure from Microsoft Security Intelligence Report 6)


Malware Families (figure)


Regional Threat Categories (figure from Microsoft Security Intelligence Report 6)


Virus Lifecycle

• Dormant phase: the virus is idle
– not all viruses have this stage
• Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
• Triggering phase: the virus is activated to perform the function for which it was created
• Execution phase: the function is performed
– The function may be harmless or damaging


Virus Types

• Parasitic virus:
– Attaches itself to a file and replicates when the infected program is executed
– Most common form
• Memory-resident virus:
– Lodged in main memory as part of a resident system program
– May infect every program that executes


Virus Types

• Boot sector viruses:
– Infect the boot record and spread when the system is booted
– Gain control of the machine before the virus detection tools do
– Very hard to notice
• Macro virus:
– The virus is part of the macro associated with a document


Virus Types

• Stealth virus:
– A form of virus explicitly designed to hide from detection by antivirus software
• Polymorphic virus:
– A virus that mutates with every infection, making detection by the “signature” of the virus difficult


How Viruses Append

Figure (slide 19): original program + virus = virus appended to the program


How Viruses Append

Figure (slide 20): original program + virus = virus surrounding the program (Virus-1 placed before the original program, Virus-2 after it)


How Viruses Append

Figure (slide 21): original program + virus = virus integrated into the program (the virus split into Virus-1, Virus-2, Virus-3 and Virus-4, interleaved with the original program's code)


How Viruses Gain Control

• Virus V has to be invoked instead of target T
– V overwrites T
– V changes pointers from T to V


High risk virus properties

• Hard to detect
• Hard to destroy
• Spread infection widely
• Can re-infect
• Easy to create
• Machine independent


Virus Signatures

• Storage pattern
– Code always located at a specific address
– Increased file size
• Execution pattern
• Transmission pattern
• Polymorphic viruses


Antivirus Approaches

• Detection:
– determine infection and locate the virus
• Identification:
– identify the specific virus
• Removal:
– remove the virus from all infected systems, so the disease cannot spread further
• Recovery:
– restore the system to its original state
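The following is an added worked example, not code from the lecture slides: a minimal file auditor in Python that ties the storage-pattern signatures of the previous slide (a known byte pattern, an increased file size) to the four antivirus steps above (detection, identification, removal, recovery), using a retained clean copy for recovery as the next slide recommends. Every file name, signature name and byte pattern in it is a constructed stand-in; they are not real malware signatures.

```python
import hashlib
from dataclasses import dataclass

# Constructed signatures: short byte patterns standing in for the storage
# pattern an antivirus product matches. Names and bytes are hypothetical.
SIGNATURES = {
    "demo-virus-A": b"\x90\x90DEMO-A\xcc",
    "demo-virus-B": b"DEMO-B-MARKER",
}


@dataclass(frozen=True)
class Baseline:
    size: int
    sha256: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: dict[str, bytes]) -> dict[str, Baseline]:
    """Record size and hash of every known-clean file (taken before exposure)."""
    return {name: Baseline(len(data), sha256(data)) for name, data in files.items()}


def scan_file(data: bytes) -> list[str]:
    """Detection and identification in one step: each signature whose byte
    pattern occurs in the file names the specific virus found."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def check_integrity(name: str, data: bytes, baseline: dict[str, Baseline]) -> list[str]:
    """Storage-pattern checks that need no signature: growth in file size
    and any change of content relative to the clean baseline."""
    known = baseline.get(name)
    if known is None:
        return ["not in baseline"]
    findings = []
    if len(data) != known.size:
        findings.append(f"size changed {known.size} -> {len(data)}")
    if sha256(data) != known.sha256:
        findings.append("content changed")
    return findings


def audit(files: dict[str, bytes], baseline: dict[str, Baseline],
          backups: dict[str, bytes]) -> dict[str, dict]:
    """Detect, identify, remove and recover over a file set (mutates `files`).
    A file with a signature match, or a baselined file whose size/hash changed,
    is removed: restored from the retained backup copy when one exists,
    otherwise quarantined (dropped from the set)."""
    report = {}
    for name, data in list(files.items()):
        matched = scan_file(data)
        findings = check_integrity(name, data, baseline)
        altered = name in baseline and bool(findings)
        action = "clean"
        if matched or altered:
            if name in backups:
                files[name] = backups[name]   # removal + recovery
                action = "restored"
            else:
                del files[name]               # removal only
                action = "quarantined"
        report[name] = {"viruses": matched, "findings": findings, "action": action}
    return report


# Constructed sample file set: the retained clean copies, and the same
# files after exposure (one appended signature, one unknown alteration,
# one new file carrying a signature).
CLEAN = {
    "editor.exe": b"MZ" + b"\x00" * 14 + b"clean editor code",
    "notes.txt": b"meeting notes, nothing executable",
    "tool.exe": b"MZ" + b"\x00" * 14 + b"clean tool code",
}
BASELINE = take_baseline(CLEAN)


def exposed_files() -> dict[str, bytes]:
    files = dict(CLEAN)
    files["editor.exe"] = CLEAN["editor.exe"] + SIGNATURES["demo-virus-A"]   # appended, known signature
    files["tool.exe"] = CLEAN["tool.exe"] + b"\x13\x37unknown payload"       # altered, no known signature
    files["update.exe"] = b"MZ" + SIGNATURES["demo-virus-B"]                 # new file, known signature
    return files


if __name__ == "__main__":
    current = exposed_files()
    for fname, result in audit(current, BASELINE, CLEAN).items():
        print(fname, result)
```

The `tool.exe` case is the one to note against the "polymorphic viruses" bullet: no signature matches the altered bytes, yet the size and hash baseline still flags the file, which is why integrity checking against a clean baseline is the fallback when signature matching fails. The `update.exe` case shows the limit of recovery: a file with no retained copy can only be removed, not restored.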


Preventing Virus Infection

• Prevention:
– Good source of the software installed
– Isolated testing phase
– Use virus detectors
• Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources


Nyxem Email Virus

• Estimate of total number of infected computers is between 470K and 945K

• At least 45K of the infected computers were also compromised by other forms of spyware or botware

• Spread (figure)


Worm

• Self-replicating (like a virus)
• Objective: system penetration (intruder)
• Phases: dormant, propagation, triggering, and execution
• Propagation:
– Searches for other systems to infect
  • e.g., host tables
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes


Code-Red Worm

• On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours
• Spread (figure)


Sapphire/Slammer Worm

• Was the fastest computer worm in history
– doubled in size every 8.5 seconds
– infected more than 90 percent of the ~75K vulnerable hosts within 10 minutes
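An added worked example, not part of the slides, showing what the Code-Red and Sapphire/Slammer figures above imply about propagation speed. It uses only the numbers quoted on the slides (8.5 s doubling time and ~75K vulnerable hosts for Slammer; 359,000 hosts in 14 hours for Code-Red); the starting count of one infected host and the logistic growth curve (a worm scanning a fixed vulnerable population at random) are modelling assumptions.

```python
import math


def doublings_needed(population: int, initial: int = 1) -> float:
    """Doublings an unchecked doubling process needs to grow from
    `initial` infected hosts to `population`."""
    return math.log2(population / initial)


def implied_doubling_time(final_count: int, elapsed_seconds: float, initial: int = 1) -> float:
    """Doubling time in seconds implied by pure exponential growth from
    `initial` to `final_count` in `elapsed_seconds`. Assumes growth never
    saturated, so it is an upper bound on the true early doubling time."""
    return elapsed_seconds / doublings_needed(final_count, initial)


def infected_after(population: int, doubling_seconds: float, t: float, initial: int = 1) -> float:
    """Infected hosts at time t under a logistic model (assumption: random
    scanning of a fixed vulnerable population N, starting from I0 hosts):
        I(t) = N / (1 + (N/I0 - 1) * exp(-r t)),  r = ln 2 / doubling time.
    Early on this doubles every `doubling_seconds`; later it saturates at N."""
    r = math.log(2) / doubling_seconds
    ratio = population / initial - 1
    return population / (1 + ratio * math.exp(-r * t))


def time_to_fraction(population: int, doubling_seconds: float, fraction: float,
                     initial: int = 1) -> float:
    """Seconds until `fraction` of the population is infected, obtained by
    solving the logistic equation above for t."""
    r = math.log(2) / doubling_seconds
    ratio = population / initial - 1
    return math.log(ratio * fraction / (1 - fraction)) / r


def summary() -> dict:
    """Apply the model to the figures quoted on the slides."""
    slammer_hosts, slammer_doubling = 75_000, 8.5          # ~75K vulnerable hosts, doubling every 8.5 s
    code_red_hosts, code_red_window = 359_000, 14 * 3600   # 359,000 hosts in under 14 hours
    return {
        "slammer_doublings_to_cover_all": doublings_needed(slammer_hosts),
        "slammer_seconds_to_90pct": time_to_fraction(slammer_hosts, slammer_doubling, 0.9),
        "slammer_infected_at_10min": infected_after(slammer_hosts, slammer_doubling, 600),
        "code_red_implied_doubling_seconds": implied_doubling_time(code_red_hosts, code_red_window),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:,.1f}")
```

Under these assumptions Slammer needs only about 16 doublings to reach every vulnerable host, and the logistic curve passes 90 percent after roughly 165 seconds, comfortably inside the 10 minutes the slide quotes; the same calculation puts Code-Red's implied doubling time near 45 minutes. The defensive point is the gap between the two: a 45-minute doubling leaves room for an operator to notice and react, whereas an 8.5-second doubling means any containment that is not already in place (patches applied, scanning rate-limited or blocked at the network edge) arrives after the population is saturated.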


Witty Worm

• Reached its peak activity after approximately 45 minutes
– at which point the majority of vulnerable hosts had been infected
• World / USA (figures)
