Defense Against the Dark Arts Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: Types.

Slides:



Advertisements
Similar presentations
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Advertisements

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Programming Types of Testing.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #19-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious.
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
Bilkent University Department of Computer Engineering
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Chapter 14: Protection.
Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Linux Security.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
Operating Systems Protection & Security.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Silberschatz and Galvin  Operating System Concepts Module 20: Security The Security Problem Authentication Program Threats System Threats Threat.
Chapter 3 Controlling Files. Chapter 3 Overview The file system and file access rights Executable files Computer viruses and malware Policies for file.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
Controlling Files Richard Newman based on Smith “Elementary Information Security”
Operating Systems 1 K. Salah Module 6.0: Security and Protection  Types of misuse: –1. Accidental –2. Intentional –Protection is to prevent either accidental.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
1 Higher Computing Topic 8: Supporting Software Updated
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly, but erroneously.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
CprE 458/558: Real-Time Systems
Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.
Operating Systems Security
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Understand Permissions LESSON Security Fundamentals.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Design Principles and Common Security Related Programming Problems
Fall 2008CS 334: Computer SecuritySlide #1 Design Principles Thanks to Matt Bishop.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #13-1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe.
VMM Based Rootkit Detection on Android
June 1, 2004© Matt Bishop [Changed by Hamid R. Shahriari] Slide #13-1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.
Software Engineering Algorithms, Compilers, & Lifecycle.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
Chapter 19. Malicious Logic
Techniques, Tools, and Research Issues
12: Security The Security Problem Authentication Program Threats
Memory Management Tasks
Chapter 22: Malicious Logic
Operating Systems Lecture 3.
Security.
Operating System Concepts
Operating System Concepts
Malicious Program and Protection
Presentation transcript:

Defense Against the Dark Arts Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: Types of Defense

Types of Defense Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statistical characteristics Coming up: Data vs. Instructions 2222

Coming up: Example: Duff and UNIX Data vs. Instructions Malicious logic is both Virus: written to an EXE program (data); then executes (instructions) Approach: treat “ data ” and “ instructions ” as separate types, and require certifying authority to approve conversion Keys are assumption that certifying authority will not make mistakes and assumption that tools, supporting infrastructure used in certifying process are not corrupt 3333 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Reducing Protection Domain Example: Duff’s UNIX Observation: users with execute permission usually have read permission, too So files with “ execute ” permission have type “ executable ” ; those without it, type “ data” Executable files can be altered, but type immediately changed to “ data ” Implemented by turning off execute permission Certifier can change them back So virus can spread only if run as certifier 4444 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Example: ACLs and C-Lists Reducing Protection Domain Application of principle of least privilege Basic idea: remove rights from process so it can only perform its function Warning: if that function requires it to write, it can write anything But you can make sure it writes only to those objects you expect 55 Lets see an example… 55 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Karger’s Scheme Example: ACLs and C-Lists s 1 needs to run p 2 p 2 contains Trojan horse So s 1 needs to ensure p 12 (subject created when s 1 runs p 2 ) can ’ t write to f 3 Ideally, p 12 has capability { (s 1, p 2, x ) } so no problem In practice, p 12 inherits s 1 ’ s rights—bad! Note s 1 does not own f 3, so can ’ t change its rights over f 3 Solution: restrict access by others 66 F1P2F3 S1(Owns)WXW S2(Owns)RWXR 66 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Guardians, Watchdogs Karger ’ s Scheme Base it on attribute of subject, object combo Interpose a knowledge-based subsystem to determine if requested file access reasonable Sits between kernel and application Example: UNIX C compiler Reads from files with names ending in “.c ”, “.h ” Writes to files with names beginning with “ /tmp/ctm ” and assembly files with names ending in “.s ” When subsystem invoked, if C compiler tries to write to “.c ” file, request rejected 77 Generically, this is a watchdog… 77 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Sandboxing Guardians, Watchdogs System intercepts request to open file Program invoked to determine if access is to be allowed These are guardians or watchdogs Effectively redefines system (or library) calls 8888 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Multilevel Policies Sandboxing Sandboxes Basically a virtual machine that has ability to restrict rights: Modify program by inserting instructions to cause traps when violation of security policy Replace dynamic load libraries with instrumented routines 9999 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Detect Alteration of Files Multilevel Policies Put programs at the lowest security level, all subjects at higher levels By *-property, nothing can write to those programs By ss-property, anything can read (and execute) those programs Example: DG/UX system All executables in “ virus protection region ” below user and administrative regions Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics Carrying this idea to its extreme would result in isolation of each protected domain. Because sharing would not be possible, no viruses could propagate. Unfortunately, the usefulness of such systems would be minimal.

Coming up: Antivirus Programs Detect Alteration of Files Compute manipulation detection code (MDC) to generate signature block for each file, and save it Later, recompute MDC and compare to stored MDC If different, file has changed Example: tripwire Signature consists of file attributes, cryptographic checksums chosen from among MD4, MD5, HAVAL, SHS, CRC-16, CRC-32, etc.) Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Detect Actions Beyond Spec Antivirus Programs Look for specific sequences of bytes (called “ virus signature ” in file If found, warn user and/or disinfect file Each agent must look for known set of viruses Cannot deal with viruses not yet analyzed Due in part to undecidability of whether a generic program is a virus 13 Dark Avenger #4=ad3d d75153df6c27512ad3d a46ad3dcd40 Dark Avenger #5=9d73482e3b1e a85db7436e8ab029de Dark Avenger #6=a4a58b db53ff64f5e800005e Dark Avenger #7=49cd21bbffffb448cd2181ebe700727b Dark Avenger related=c31bd e561e0e33ff8edfc5069c002e8984 Dark Evil=b8023de89eff720a8bd8e82e00b43ee8 Dark Evil=b8023de89eff720d0a8bd8e82e00b43ee8 Sample Binary Signatures Src: 12 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: System Monitoring Detect Actions Beyond Spec Treat execution, infection as errors and apply fault tolerant techniques Example: break program into sequences of nonbranching instructions Checksum each sequence, encrypt result When run, processor recomputes checksum, and at each branch co-processor compares computed checksum with stored one If different, error occurred Example: System monitoring to detect trace (see next slides) Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

System Monitoring Requirements Deep Inspection – see what’s going on inside Tamper-Resistance – not allow malware to change results Two main approaches (state of the art) Internal monitoring (e.g., API hooking, system call logging) External monitoring (e.g., traffic sniffers) 33 Coming up: API Hooking Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

API Hooking 34 Coming up: Example: API Hooking Log Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Example: API Hooking Log 35 Coming up: System Call Logging Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

System Call Logging 36 Coming up: Example System Call Log Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Example System Call Log 37 Coming up: N-Version Programming Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Detecting Statistical Changes N-Version Programming Implement several different versions of algorithm Run them concurrently Check intermediate results periodically If disagreement, majority wins Assumptions Majority of programs not infected Underlying operating system secure Different algorithms with enough equal intermediate results may be infeasible 20 Used today for flight controllers, electronic voting and malware detection 19 Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

Coming up: Lessons Detecting Statistical Changes Example: application had 3 programmers working on it, but statistical analysis shows code from a fourth person—may be from a Trojan horse or virus! Other attributes: more conditionals than in original; look for identical sequences of bytes not common to any library routine; increases in file size, frequency of writing to executables, etc. Denning: use intrusion detection system to detect these Distinguish between data, instructions Reducing Protection Domain Inhibit sharing Detect altering of files Detect actions beyond specifications Analyze statist ical characteristics

End of presentation Lessons Malware defense is a perplexing problem How do you tell what the user asked for is not what the user intended? Strong typing leads to separating data, instructions File scanners most popular anti-virus agents Must be updated as new viruses come out 22 21

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.