Program Security: Malicious Code

Presentation transcript:

Program Security: Malicious Code

CSCE Farkas
Reading
Required:
– Denning Chapter 10
Recommended:
– USC Computing Services – Virus Information Center
– Ukrainian computer systems attacked by sophisticated malware with "Russian roots", Homeland Security News Wire, March 10, 2014
– NSA planted sleeper malware in 50,000 computer networks, Homeland Security News Wire, Dec. 11, 2013

Who needs to be aware of malware?

Slammer Worm
January 25, 2003, 75,000 victims within 10 minutes
Buffer overflow exploitation of Microsoft SQL Server and Desktop Engine database
Used UDP packets to propagate
Code: 376 bytes (fit within a single packet)
Interesting read: Moore et al., Inside the Slammer Worm, IEEE Security and Privacy, 2003

Program Logic
Program logic is used to model the programming language instructions carried out by the computer when the program is executed (blueprint).
[Figure labels: Logic Model; Program Statements]

Program Flaws
Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
Interesting read: Landwehr et al., A Taxonomy of Computer Program Security Flaws with Examples, NRL, 1993

Security Flaws by Genesis
Genesis
– Intentional
    Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
    Non-malicious
– Inadvertent
    Validation error
    Domain error
    Serialization error
    Identification/authentication error
    Other error

Flaws by Time
Time of introduction
– During development
    Requirement/specification/design
    Source code
    Object code
– During maintenance
– During operation

Flaws by Location
Location
– Software
    Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
    Support: privileged utilities, unprivileged utilities
    Application
– Hardware

Malware
Tools to attack computer systems
Assume authorized user's identity → Traditional access control becomes useless
New types
– Scareware: to cause shock, anxiety, or the perception of threat
– Ransomware: holds computers or data hostage demanding ransom

Malware History
1980: first virus written on the Apple II
1982: Elk Cloner
1983: "virus"
1984: experiment shows virus can spread
BLP didn't control virus spread
1988: Internet Worm
1990: antivirus software
2000s: virus mitigation

Kinds of Malicious Code
Virus: a program that attaches copies of itself into other programs.
– Propagates and performs some unwanted function
– Not programs - they cannot run on their own.
Bacteria: make copies of themselves
– Overwhelm a computer system's resources

Kinds of Malicious Code
Worm: a program that propagates copies of itself through the network.
– Independent program
– May carry other code, including programs and viruses.
Trojan Horse: secret, undocumented routine embedded within a useful program.
– Execution of the program results in execution of secret code.

Kinds of Malicious Code
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered.
– When triggered, malicious code is executed.
Trapdoor: secret, undocumented entry point into a program
– Used to grant access without normal methods of access authentication
Dropper: Not a virus or infected file.
– When executed, it installs a virus into memory, on to the disk, or into a file.

Virus
Virus lifecycle:
1. Dormant phase: the virus is idle (not all viruses have this stage).
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.

How virus works
begin
    if spread-condition then begin
        for some set of target files do begin
            if target is not infected then
                determine where to place virus instructions
                copy virus instructions into target
                alter target to execute added instructions
            endif
        endfor
    endif
    perform some action
    go to beginning of infected program
end

Virus Types
Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory resident virus: lodged in main memory as part of a resident system program. Virus may infect every program that executes.

Virus Types
Boot Sector Viruses:
– Infects the boot record and spreads when system is booted.
– Gains control of machine before the virus detection tools.
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS
Brain virus for the IBM PC (first reported 1987)

Virus Types
Executable Infectors: infects executable programs
– Jerusalem (Israeli) virus: executes on Friday, 13th if year is NOT 1987 – destruction
Multipartite Virus: can infect either boot sector or applications
TSR virus: terminate and stay resident. Stay resident in memory after the application has terminated

Virus Types
Stealth virus: explicitly designed to hide from detection by antivirus software.
Polymorphic virus: mutates with every infection, making detection by the "signature" of the virus difficult.
Encrypted virus: avoids detection by encrypting virus code except the decryption routine.

Theory of Computer Viruses
It is undecidable whether an arbitrary program contains a computer virus.

How Viruses Gain Control
Virus V has to be invoked instead of target T.
– V overwrites T
– V changes pointers from T to V
High risk virus properties:
– Hard to detect
– Hard to destroy
– Spread infection widely
– Can re-infect
– Easy to create
– Machine independent

True or False:
1. Viruses can infect only Microsoft Windows systems
2. Viruses can modify "hidden" or "read-only" files
3. Viruses spread only on disks or only in
4. Viruses cannot infect hardware
5. Viruses can be malevolent, benign, or benevolent.

Defenses
Detect
Block Execution
– Behavior monitoring
– Reduced rights of users
– Sandboxing
– Suspicious modifications
– Proof-carrying code

Detection: Virus Signatures
Storage pattern
– Code always located on a specific address
– Increased file size
Execution pattern
Transmission pattern
Polymorphic Viruses
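
Added example (not part of the original slides): a small Python check that runs the storage-pattern tests listed above, a fixed byte signature and increased file size, next to a hash baseline, and shows which of them a re-encoded (polymorphic-style) body slips past. `CLEAN`, `SIGNATURE` and the XOR re-encoding are constructed, harmless stand-ins.

```python
import hashlib

# Constructed, harmless sample data: a stand-in "program" image and a marker
# string playing the role of a known virus signature (both hypothetical).
CLEAN = b"\x7fPROG" + b"print('hello')\n" * 4
SIGNATURE = b"MARKER-1234"


def baseline(image: bytes) -> dict:
    """Record size and SHA-256 of a known-good file."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def xor_encode(data: bytes, key: int) -> bytes:
    """Toy re-encoding standing in for a polymorphic or encrypted body."""
    return bytes(b ^ key for b in data)


def scan(image: bytes, base: dict, signatures: list) -> dict:
    """Run the three checks and report each one separately."""
    return {
        "signature_hit": any(sig in image for sig in signatures),
        "size_increased": len(image) > base["size"],
        "hash_changed": hashlib.sha256(image).hexdigest() != base["sha256"],
    }


def demo() -> dict:
    base = baseline(CLEAN)
    mutated = xor_encode(SIGNATURE, 0x5A)
    samples = {
        "clean": CLEAN,
        # Marker appended unchanged: every check fires.
        "appended": CLEAN + SIGNATURE,
        # Same marker re-encoded: the byte signature no longer matches.
        "appended_mutated": CLEAN + mutated,
        # Re-encoded marker overwrites the tail: size is unchanged as well.
        "overwritten_mutated": CLEAN[: -len(mutated)] + mutated,
    }
    return {name: scan(img, base, [SIGNATURE]) for name, img in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Only the hash baseline flags all three modified images, which is why integrity checking ("suspicious modifications") complements signature scanning.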

Antivirus Approaches
Detection: determine infection and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.

Preventing Virus Infection
Prevention:
– Good source of software installed
– Isolated testing phase
– Use virus detectors
    Top 10 antivirus detection 2014
Limit damage:
– Make bootable diskette
– Make and retain backup copies of important resources

Worm
Self-replicating (like virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., host tables)
– Establishes connection with remote system
– Copies itself to remote system
– Execute

Covert Channel - Trojan Horse
[Figure labels: John; Spy; Only John is permitted to access the document; MS Word; Document; Spy's Document copy; TH; install; copy]

Covert Channel
Need:
Two active agents
– Sender (has access to unauthorized information) – e.g., TH in MS Word
– Receiver (reads sent information) – e.g., program creating the copy
Encoding schema
– How the information is sent – e.g., File F exists → 0, File F does not exist → 1
Synchronization
– e.g., when to check for existence of F

Storage Covert Channels
Based on properties of resources
Examples:
– File locks
– Delete/create file
– Memory allocation

Timing Covert Channel
Time is the factor – how fast
Examples:
– Processing time
– Transmission time

Covert Channel Detection and Removal
Identification:
– Shared resources
– Program code correctness
– Information flow analysis
Removal:
– Total removal – may not be possible
– Reduce bandwidth
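
Added example (not part of the original slides): an in-memory simulation of the encoding and synchronization scheme from the Covert Channel slide, used to put a number on the "reduce bandwidth" removal option. The noise-injection control (`flip_prob`) and the binary-symmetric-channel capacity bound are assumptions of this example, not something the slides specify.

```python
import math
import random

def encode(bit: int) -> bool:
    """Slide's schema: file F exists -> 0, file F does not exist -> 1."""
    return bit == 0  # True means "F exists"

def decode(f_exists: bool) -> int:
    return 0 if f_exists else 1

def run_channel(bits, flip_prob=0.0, seed=0):
    """Send one bit per synchronization tick through a simulated shared flag.

    flip_prob is this example's assumed control: the system perturbs the
    observable state with that probability before the receiver samples it.
    """
    rng = random.Random(seed)
    received = []
    for bit in bits:
        f_exists = encode(bit)             # sender sets the shared state
        if rng.random() < flip_prob:       # injected noise
            f_exists = not f_exists
        received.append(decode(f_exists))  # receiver checks at the tick
    return received

def error_rate(sent, received) -> float:
    return sum(s != r for s, r in zip(sent, received)) / len(sent)

def capacity_per_tick(p: float) -> float:
    """Capacity (bits per tick) of a binary symmetric channel, 1 - H(p)."""
    if p in (0.0, 1.0):
        return 1.0
    entropy = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return 1.0 - entropy

def bandwidth(ticks_per_second: float, p: float) -> float:
    """Upper bound on leaked bits per second at a given tick rate."""
    return ticks_per_second * capacity_per_tick(p)

if __name__ == "__main__":
    sent = [0, 1, 1, 0] * 2500  # constructed message bits
    for p in (0.0, 0.1, 0.25, 0.5):
        got = run_channel(sent, flip_prob=p)
        print(p, round(error_rate(sent, got), 3), round(bandwidth(10, p), 2))
```

With no noise the receiver recovers every bit; as `flip_prob` approaches 0.5 the usable bandwidth falls to zero even though the shared resource still exists, which is the sense in which bandwidth can be reduced when total removal is not possible.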