Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 522 Lecture 12 Program Security Malicious Code.

Published byJonas Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 522 Lecture 12 Program Security Malicious Code."— Presentation transcript:

1 CSCE 522 Lecture 12 Program Security Malicious Code

2 CSCE 522 - Farkas2 Reading Reading for this lecture: Required: – Pfleeger: Ch. 3 Recommended: – USC Computing Services – Virus Information Center – L. Constantin, Eastern European cybercriminals trump Asian counterparts, researchers say, http://www.computerworld.com/s/article/9231563/Easte rn_European_cybercriminals_trump_Asian_counterpart s_researchers_say?taxonomyId=82&pageNumber=1 http://www.computerworld.com/s/article/9231563/Easte rn_European_cybercriminals_trump_Asian_counterpart s_researchers_say?taxonomyId=82&pageNumber=1

3 CSCE 522 - Farkas3 Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system

4 CSCE 522 - Farkas4 Security Flaws by Genesis Genesis – Intentional Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus Non-malicious – Inadvertent Validation error Domain error Serialization error Identification/authentication error Other error

5 CSCE 522 - Farkas5 Flaws by time Time of introduction – During development Requirement/specification/design Source code Object code – During maintenance – During operation

6 CSCE 522 - Farkas6 Flaws by Location Location – Software Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other Support: privileged utilities, unprivileged utilities Application – Hardware

7 CSCE 522 - Farkas7 Slammer Worm The Slammer worm (Sapphire worm) was the fastest worm in history – Start: Saturday, Jan. 25, 2003 – Doubled in size every 8.5 seconds at its peak – Infected more than 90 percent of the vulnerable hosts within 10 minutes using a vulnerability in Microsoft's SQL Server – Total infected: more than 75,000 hosts – Flooded networks all over the world, caused disruptions to financial institutions, ATMs, and even an election in Canada – http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/map s.html http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/map s.html

8 CSCE 522 - Farkas8 History 1982: Elk Cloner 1983: “virus” 1988: Internet Worm 1990: antivirus software 2000s: virus mitigation

9 CSCE 522 - Farkas9 Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not programs - they cannot run on their own. Bacteria: make copies of themselves to overwhelm a computer system's resources. Denying the user access to the resources.

10 CSCE 522 - Farkas10 Kinds of Malicious Code Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses. Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of secret code.

11 CSCE 522 - Farkas11 Kinds of Malicious Code Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed. Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication. Dropper: Not a virus or infected file. When executed, it installs a virus into memory, on to the disk, or into a file.

12 CSCE 522 - Farkas12 Virus Virus lifecycle: 1. Dormant phase: the virus is idle. (not all viruses have this stage) 2. Propagation phase: the virus places an identical copy of itself into other programs of into certain system areas. 3. Triggering phase: the virus is activated to perform the function for which it was created. 4. Execution phase: the function is performed. The function may be harmless or damaging.

13 CSCE 522 - Farkas13 Virus Types Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed. Memory resident virus: lodged in main memory as part of a resident system program. Virus may infect every program that executes.

14 CSCE 522 - Farkas14 Virus Types Boot Sector Viruses: – Infects the boot record and spreads when system is booted. – Gains control of machine before the virus detection tools. – Very hard to notice – Carrier files: AUTOEXEC.BAT, CONFIG.SYS,IO.SYS

15 CSCE 522 - Farkas15 Virus Types Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software. Polymorphic virus: a virus that mutates with every infection making detection by the “signature” of the virus difficult.

16 CSCE 522 - Farkas16 How Viruses Append Original program virus Original program virus Virus appended to program +=

17 CSCE 522 - Farkas17 How Viruses Append Original program virus Original program Virus-1 Virus surrounding a program += Virus-2

18 CSCE 522 - Farkas18 How Viruses Append Original program virus Original program Virus-1 Virus integrated into program += Virus-2 Virus-3 Virus-4

19 CSCE 522 - Farkas19 How Viruses Gain Control Virus V has to be invoked instead of target T. – V overwrites T – V changes pointers from T to V High risk virus properties: – Hard to detect – Hard to destroy – Spread infection widely – Can re-infect – Easy to create – Machine independent

20 CSCE 522 - Farkas20 Virus Signatures Storage pattern – Code always located on a specific address – Increased file size Execution pattern Transmission pattern Polymorphic Viruses

21 CSCE 522 - Farkas21 Antivirus Approaches Detection: determine infection and locate the virus. Identification: identify the specific virus. Removal: remove the virus from all infected systems, so the disease cannot spread further. Recovery: restore the system to its original state.

22 CSCE 522 - Farkas22 Preventing Virus Infection Prevention: Good source of software installed Isolated testing phase Use virus detectors Limit damage: Make bootable diskette Make and retain backup copies important resources

23 CSCE 522 - Farkas23 Worm Self-replicating (like virus) Objective: system penetration (intruder) Phases: dormant, propagation, triggering, and execution Propagation: – Searches for other systems to infect (e.g., host tables) – Establishes connection with remote system – Copies itself to remote system – Execute

24 CSCE 522 - Farkas24 Covert Channel - Trojan Horse John Spy Only John is permitted to access the document MS Word Document Spy’s Document copy TH install copy

25 CSCE 522 - Farkas25 Covert Channel Need: Two active agents – Sender (has access to unauthorized information) – e.g., TH in MS Word – Receiver ( reads sent information) – e.g., program creating the copy Encoding schema – How the information is sent – e.g., File F exists  0 File F is does not exist  1 Synchronization – e.g., when to check for existence of F

26 CSCE 522 - Farkas26 Storage Covert Channels Based on properties of resources Examples: – File locks – Delete/create file – Memory allocation

27 CSCE 522 - Farkas27 Timing Covert Channel Time is the factor – how fast Examples: – Processing time – Transmission time

28 CSCE 522 - Farkas28 Covert Channel Detection and Removal Identification: Shared resources Program code correctness Information flow analysis Removal: Total removal – may not be possible Reduce bandwidth

29 CSCE 522 - Farkas29 Next Class Network Security

Download ppt "CSCE 522 Lecture 12 Program Security Malicious Code."

Similar presentations

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.

Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.
ITMS- 3153 Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.

ITMS Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.
Chapter 14 Computer Security Threats

Chapter 14 Computer Security Threats
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.

Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,

Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Viruses and Worms By: Olga Bibas. Malicious Programs are perhaps the most sophisticated threats to computer systems. These threats can be divided into.

Viruses and Worms By: Olga Bibas. Malicious Programs are perhaps the most sophisticated threats to computer systems. These threats can be divided into.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.

Similar presentations

Ads by Google