Program Security Week-2. Programming Fault: When a human makes a mistake, called an error, in...


Program Security

Week-2


Programming

Fault: When a human makes a mistake, called an error, in performing some software activity, the error may lead to a fault, or an incorrect step, command, process, or data definition in a computer program.

• For example, a designer may misunderstand a requirement and create a design that does not match the actual intent of the requirements analyst and the user.

Failure: a departure from the system's required behavior. It can be discovered before or after system delivery, during testing, or during operation and maintenance.

A Flaw can be either a fault or failure, and a Vulnerability usually describes a class of flaws, such as a buffer overflow.


Programming contd.

Functional Requirements: The Functional Requirement document defines the capabilities and functions that a System must be able to perform successfully.

Security Requirements: Types and levels of protection necessary for equipment, data, information, applications, and facilities.

Unexpected Behaviour: The inadequacies of penetrate-and-patch led researchers to seek a better way to be confident that code meets its security requirements. One way to do that is to compare the requirements with the behavior.


Programming contd.

Organised Design

• Top-down: essentially the breaking down of a system to gain insight into its compositional sub-systems.

• Bottom-up: the piecing together of systems to give rise to grander systems, thus making the original systems sub-systems of the emergent system.

• Waterfall Model


Programming contd.

Organised Design

• CASE (Computer Aided Software Engineering) tool: it allows system developers to create prototype screens and report generators rapidly and easily.

Language Choice

• Strongly Typed - each type of data is predefined as part of the programming language. Example: Ruby, Python and so forth.

• “structured programming”, modularity, complexity

• Analyzable and Rigorous Semantics


Nonmalicious (unintentional) Programming Errors

Buffer-overflows

• A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: Some water is going to spill out and make a mess.

• A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because memory is finite, a buffer's capacity is finite.


Nonmalicious (unintentional) Programming Errors

Incomplete mediation is another security problem that has been with us for decades. Attackers are exploiting it to cause security problems.

http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2=2009Jan17

• Using verification techniques can reduce the problem.
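Complete mediation for the sample URL above, as an added example that is not part of the original slides: the server re-checks both parameters itself instead of trusting whatever the client sent. The parameter formats are inferred from the slide's sample values, and `validate_request` and `is_valid` are hypothetical names.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Formats inferred from the slide's sample URL: parm1=(808)555-1212, parm2=2009Jan17
PHONE_RE = re.compile(r"\([0-9]{3}\)[0-9]{3}-[0-9]{4}")
DATE_RE = re.compile(r"([0-9]{4})([A-Z][a-z]{2})([0-9]{2})")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def validate_request(url):
    """Server-side check of both parameters; returns (phone, date) or raises ValueError."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Mediate the whole request: exactly the expected names, each supplied once.
    if set(query) != {"parm1", "parm2"}:
        raise ValueError("unexpected or missing parameter")
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("parameter supplied more than once")
    phone, when = query["parm1"][0], query["parm2"][0]
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("parm1 is not a phone number")
    match = DATE_RE.fullmatch(when)
    if not match or match.group(2) not in MONTHS:
        raise ValueError("parm2 is not in YYYYMonDD form")
    year, month, day = int(match.group(1)), MONTHS[match.group(2)], int(match.group(3))
    try:
        return phone, date(year, month, day)  # date() rejects 2009Feb30, year 0000, ...
    except ValueError:
        raise ValueError("parm2 is not a real calendar date") from None


def is_valid(url):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_request(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2="
    for value in ("2009Jan17", "2009Feb30", "2009Min32"):  # constructed test inputs
        print(value, is_valid(base + value))
```
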

Time-of-Check to Time-of-Use Errors

• The check for access permission occurs before use; the condition changes between check and use.

• A time-of-check to time-of-use (TOCTTOU) flaw can arise in a Web application that allows a user to edit pages and also allows administrators to lock pages to prevent editing.
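The page-lock scenario above, as an added example that is not part of the original slides: the racy path checks the lock and saves in two separate steps, while the fixed path performs check and use as one atomic step. `PageStore` and its methods are hypothetical names, and the `between` callback simulates an administrator acting inside the window.

```python
import threading


class PageStore:
    """In-memory wiki: users edit pages, administrators lock them."""

    def __init__(self):
        self._mutex = threading.Lock()
        self.text = {}
        self.locked = set()

    def can_edit(self, page):                # time of check
        return page not in self.locked

    def lock_page(self, page):               # administrator action
        with self._mutex:
            self.locked.add(page)

    def save_unchecked(self, page, body):    # time of use, trusts an earlier check
        self.text[page] = body

    def save_checked(self, page, body):      # check and use under one mutex
        with self._mutex:
            if page in self.locked:
                return False
            self.text[page] = body
            return True


def racy_edit(store, page, body, between=lambda: None):
    """Flawed flow: the permission check is stale by the time the save happens."""
    if not store.can_edit(page):
        return False
    between()                                # window in which the state can change
    store.save_unchecked(page, body)
    return True


def safe_edit(store, page, body, between=lambda: None):
    """Fixed flow: nothing can run between the check and the write."""
    between()
    return store.save_checked(page, body)


if __name__ == "__main__":
    for edit in (racy_edit, safe_edit):
        store = PageStore()
        accepted = edit(store, "Home", "late edit", lambda: store.lock_page("Home"))
        print(edit.__name__, "accepted:", accepted, "stored:", store.text.get("Home"))
```
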


Virus and Other Malicious Code

Types (Note: terminology is nonstandard)

Virus: A virus is a program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them. E.g., transient and resident viruses.

Worms: A worm is a program that spreads copies of itself through a network. The difference between a worm and a virus is that a worm operates through networks, and a virus can spread through any medium.

A Trojan horse is malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect.


Virus and Other Malicious Code

Types (Note: terminology is nonstandard)

Trapdoor/backdoor: a program feature that allows others to gain access by other than obvious or direct means.

Logic bomb: malicious code that is triggered or detonated or goes off when a specified condition is met. A time bomb is a logic bomb whose trigger is a time or date.


Virus and Other Malicious Code

Transmission

• links

• email

• executable code in data files (macros, autorun code, helper applications)

Gaining Control


Virus and Other Malicious Code

Execution

• one-time

• on system startup or reboot

• on every activation of a program

• on an event

Recognition

• signature, patterns

• polymorphic viruses

• encrypted viruses


Targeted (intentional) Malicious Code

Trapdoor: undocumented entry point to a program; for example, developers do this during testing.

Salami attacks: “small thin slices” – typical examples involve interest calculations. Small amounts of money (pennies) are accumulated elsewhere.

Rootkits: A rootkit is a piece of malicious code that goes to great lengths not to be discovered or, if discovered and removed, to reestablish itself whenever possible.

• The name rootkit refers to the code's attempt to operate as root, the superprivileged user of a Unix system.

Privilege escalation attack is a means for malicious code to be launched by a user with lower privileges but run with higher privileges.


Targeted (intentional) Malicious Code

• Interface Illusion – fake websites

• Keystroke loggers – retain copies of all key presses.

• Man-In-The-Middle Attack – a program interjects itself between two programs – e.g. user-input and application results.

• Covert channels – programs that leak information


Controls

• Depend in part on means of transmission of malicious code

• Some controls are not foolproof:

- programming environment

- testing (absence of flaws in testing does not imply absence of flaws in code)

• “vetting” or clearing programmers; using only programmers from a particular nation or having a particular certification

- everyone makes human mistakes at some time

- even well-vetted individuals can be malicious

- programmers have method and opportunity; motive is hard to control completely


Controls

• Software development (programming environment and practices) controls

• testing (many types)

• program structure

• mutual suspicion

• genetic diversity

• Confined execution environment

• See many operating system confinement approaches in Chapter 3.


Thank You!