Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Security Malicious Code Program Security Malicious Code.

Published byVivien McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "Program Security Malicious Code Program Security Malicious Code."— Presentation transcript:

1 Program Security Malicious Code Program Security Malicious Code

2 CSCE 522 - Farkas2 Reading Required: – Denning Chapter 10 Recommended: – USC Computing Services – Virus Information Center – Ukrainian computer systems attacked by sophisticated malware with "Russian roots, Homeland Security News Wire, March 10, 2014, http://www.homelandsecuritynewswire.com/dr20140310- ukrainian-computer-systems-attacked-by-sophisticated-malware- with-russian-rootshttp://www.homelandsecuritynewswire.com/dr20140310- ukrainian-computer-systems-attacked-by-sophisticated-malware- with-russian-roots – NSA planted sleeper malware in 50,000 computer networks, Homeland Security News Wire, Dec. 11, 2013, http://www.homelandsecuritynewswire.com/dr20131211-nsa- planted-sleeper-malware-in-50-000-computer-networks http://www.homelandsecuritynewswire.com/dr20131211-nsa- planted-sleeper-malware-in-50-000-computer-networks

3 Who needs to be aware of malware? CSCE 522 - Farkas3

4 Slammer Worm January 25, 2003, 75,000 victims within 10 minutes Buffer overflow exploitation of Microsoft SQL Server and Desktop Engine database Used UDP packets to propagate Code: 376 bytes (fit within a single packet) Demo: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.ht ml http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.ht ml Interesting read: Moore et al. Inside the Slammer Worm, IEEE Security and Privacy, 2003, http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf CSCE 522 - Farkas4

5 Program Logic Program logic: is used to model the programming language instructions carried out by the computer when the program is executed (blue print) CSCE 522 - Farkas5 Logic Model Program Statements

6 CSCE 522 - Farkas6 Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system Interesting read: Landwehr et al. A Taxonomy of Computer Program Security Flaws with Examples, NRL, 1993, http://cwe.mitre.org/documents/sources/ATaxonomyofComp uterProgramSecurityFlawswithExamples%5BLandwehr93%5 D.pdf http://cwe.mitre.org/documents/sources/ATaxonomyofComp uterProgramSecurityFlawswithExamples%5BLandwehr93%5 D.pdf

7 CSCE 522 - Farkas7 Security Flaws by Genesis Genesis – Intentional Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus Non-malicious – Inadvertent Validation error Domain error Serialization error Identification/authentication error Other error

8 CSCE 522 - Farkas8 Flaws by time Time of introduction – During development Requirement/specification/design Source code Object code – During maintenance – During operation

9 CSCE 522 - Farkas9 Flaws by Location Location – Software Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other Support: privileged utilities, unprivileged utilities Application – Hardware

10 Malware Tools to attack computer systems Assume authorized user’s identity  Traditional access control becomes useless New types – Scareware: to cause shock, anxiety, or the perception of threat – Ransomware: holds computers or data hostage demanding ransom CSCE 522 - Farkas10

11 CSCE 522 - Farkas11 Malware History 1980: first virus written on the AppleII 1982: Elk Cloner 1983: “virus” 1984: experiment shows virus can spread BLP didn’t control virus spread 1988: Internet Worm 1990: antivirus software 2000s: virus mitigation

12 CSCE 522 - Farkas12 Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted function – Not programs - they cannot run on their own. Bacteria: make copies of themselves – Overwhelm a computer system's resources

13 CSCE 522 - Farkas13 Kinds of Malicious Code Worm: a program that propagates copies of itself through the network. – Independent program – May carry other code, including programs and viruses. Trojan Horse: secret, undocumented routine embedded within a useful program. – Execution of the program results in execution of secret code.

14 CSCE 522 - Farkas14 Kinds of Malicious Code Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. – When triggered, malicious code is executed. Trapdoor: secret, undocumented entry point into a program – Used to grant access without normal methods of access authentication Dropper: Not a virus or infected file. – When executed, it installs a virus into memory, on to the disk, or into a file.

15 CSCE 522 - Farkas15 Virus Virus lifecycle: 1. Dormant phase: the virus is idle. (not all viruses have this stage) 2. Propagation phase: the virus places an identical copy of itself into other programs of into certain system areas. 3. Triggering phase: the virus is activated to perform the function for which it was created. 4. Execution phase: the function is performed. The function may be harmless or damaging.

16 How virus works begin if spread-condition then begin for some set of target files do begin if target is not infected then determine where to place virus instructions copy virus instructions into target alter target to execute added instructions endif endfor endif perform some action go to beginning of infected program end CSCE 522 - Farkas16

17 CSCE 522 - Farkas17 Virus Types Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed. Memory resident virus: lodged in main memory as part of a resident system program. Virus may infect every program that executes.

18 CSCE 522 - Farkas18 Virus Types Boot Sector Viruses: – Infects the boot record and spreads when system is booted. – Gains control of machine before the virus detection tools. – Very hard to notice – Carrier files: AUTOEXEC.BAT, CONFIG.SYS,IO.SYS Brain virus for the IBM PC (first reported 1987)

19 Virus Types Executable Infectors: infects executable programs – Jerusalem (Israeli) virus: executes on Friday, 13 th if year is NOT 1987 – destruction Multipartite Virus: can infect either boot sector or applications TSR virus: terminate and stay resident. Stay resident in memory after the application has terminated CSCE 522 - Farkas19

20 CSCE 522 - Farkas20 Virus Types Stealth virus: explicitly designed to hide from detection by antivirus software. Polymorphic virus: mutates with every infection making detection by the “signature” of the virus difficult. Encrypted virus: avoid detection by encrypting virus code except the decryption routine

21 Theory of Computer Viruses It is undecidable whether an arbitrary program contains a computer virus. CSCE 522 - Farkas21

22 CSCE 522 - Farkas22 How Viruses Gain Control Virus V has to be invoked instead of target T. – V overwrites T – V changes pointers from T to V High risk virus properties: – Hard to detect – Hard to destroy – Spread infection widely – Can re-infect – Easy to create – Machine independent

23 True or False: 1. Viruses can infect only Microsoft windows systems 2. Viruses can modify “hidden” or “read-only” files 3. Viruses spread only on disks or only in e-mail 4. Viruses cannot infect hardware 5. Viruses can be malevolent, benign, or benevolent. CSCE 522 - Farkas23

24 Defenses Detect Block Execution – Behavior monitoring – Reduced rights of users – Sandboxing – Suspicious modifications – Proof-carrying code CSCE 522 - Farkas24

25 CSCE 522 - Farkas25 Detection: Virus Signatures Storage pattern – Code always located on a specific address – Increased file size Execution pattern Transmission pattern Polymorphic Viruses

26 CSCE 522 - Farkas26 Antivirus Approaches Detection: determine infection and locate the virus. Identification: identify the specific virus. Removal: remove the virus from all infected systems, so the disease cannot spread further. Recovery: restore the system to its original state.

27 CSCE 522 - Farkas27 Preventing Virus Infection Prevention: Good source of software installed Isolated testing phase Use virus detectors – Top 10 antivirus detection 2014, http://www.top10antivirussoftware.com/ http://www.top10antivirussoftware.com/ Limit damage: Make bootable diskette Make and retain backup copies important resources

28 CSCE 522 - Farkas28 Worm Self-replicating (like virus) Objective: system penetration (intruder) Phases: dormant, propagation, triggering, and execution Propagation: – Searches for other systems to infect (e.g., host tables) – Establishes connection with remote system – Copies itself to remote system – Execute

29 CSCE 522 - Farkas29 Covert Channel - Trojan Horse John Spy Only John is permitted to access the document MS Word Document Spy’s Document copy TH install copy

30 CSCE 522 - Farkas30 Covert Channel Need: Two active agents – Sender (has access to unauthorized information) – e.g., TH in MS Word – Receiver ( reads sent information) – e.g., program creating the copy Encoding schema – How the information is sent – e.g., File F exists  0 File F is does not exist  1 Synchronization – e.g., when to check for existence of F

31 CSCE 522 - Farkas31 Storage Covert Channels Based on properties of resources Examples: – File locks – Delete/create file – Memory allocation

32 CSCE 522 - Farkas32 Timing Covert Channel Time is the factor – how fast Examples: – Processing time – Transmission time

33 CSCE 522 - Farkas33 Covert Channel Detection and Removal Identification: Shared resources Program code correctness Information flow analysis Removal: Total removal – may not be possible Reduce bandwidth

Download ppt "Program Security Malicious Code Program Security Malicious Code."

Similar presentations

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.

Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
ITMS- 3153 Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.

ITMS Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.
Chapter 14 Computer Security Threats

Chapter 14 Computer Security Threats
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.

Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Similar presentations

Ads by Google