
1 Malicious Logic and Defenses

2 Malicious Logic
Trojan Horse
– A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unknown) effect.
– A propagating Trojan horse is a Trojan horse that creates a copy of itself.
– An example of a Trojan horse is the game animal.
– The central idea is that the Trojan horse modifies the compiler to insert itself into specific programs, including future versions of the compiler itself.

3 Malicious Logic
Computer Viruses
– When a Trojan horse can propagate freely and insert a copy of itself into another file, it becomes a computer virus.
– A computer virus is a program that inserts itself into one or more files and then performs some action.
– The first phase, in which the virus inserts itself into a file, is called the insertion phase; the second phase, in which it performs some action, is called the execution phase.
– A computer virus has no covert purpose; it has only an overt purpose, which is to infect and execute.

4 Malicious Logic
Types of Computer Viruses
– Boot Sector Infectors: A boot sector infector is a virus that inserts itself into the boot sector of a disk.
– Executable Infectors: An executable infector is a virus that infects executable programs. Generally, .exe and .com files are infected by this virus.
– Multipartite Viruses: A multipartite virus is one that can infect either boot sectors or applications.

5 Malicious Logic
– TSR Viruses: A terminate and stay resident (TSR) virus is one that stays active in memory after the application has terminated. A TSR virus can be a boot sector or an executable infector.
– Stealth Viruses: Stealth viruses are viruses that conceal the infection of files.
– Encrypted Viruses: An encrypted virus is one that enciphers all of the virus code except for a small decryption routine.

6 Malicious Logic
– Polymorphic Virus: A polymorphic virus is a virus that changes its form each time it inserts itself into another program.
– Macro Virus: A macro virus is a virus composed of a sequence of instructions that is interpreted, rather than executed directly. This type of virus can execute on any system that can interpret the instructions. It can infect either executable or data files.

7 Malicious Logic
Computer Worms
– A computer worm is a program that copies itself from one computer to another computer.
Other Forms of Malicious Logic
– Rabbits and Bacteria: A bacterium or a rabbit is a program that absorbs all of some class of resource. It creates denial-of-service (DoS) attacks.
– Logic Bombs: A logic bomb is a program that performs an action that violates the security policy when some external event occurs.

8 Defenses
Defending against malicious logic takes advantage of several different characteristics of malicious logic to detect, or to block, its execution.
Sandboxing
– Sandboxes and virtual machines implicitly restrict process rights.
– A common implementation of this approach is to restrict the program by modifying it.
– Special instructions inserted into the object code cause traps whenever an instruction violates the security policy.
– When the executable dynamically loads libraries, special libraries with the desired restrictions replace the standard libraries.

9 Defenses
Information flow metrics
– This approach limits the distance a virus can spread.
Reducing the rights
– The user can reduce her/his associated protection domain when running a suspect program.
– It follows the principle of least privilege.
Malicious logic altering files
Proof-carrying code
Notion of trust
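
An added example, not part of the original slides: a small model of how an information flow metric limits the distance a virus can spread. It assumes the usual textbook form of the metric (new information has distance 0, sharing with another user adds 1, an output takes the maximum distance of its inputs, and access is denied once the distance reaches the user's threshold V); the users, thresholds and file names are constructed.

```python
# Flow-distance model; users, files and thresholds are constructed (assumptions).
from dataclasses import dataclass, field


@dataclass
class FileObj:
    owner: str
    fd: int = 0            # flow distance of the information in the file
    infected: bool = False  # marker only; no real code is copied


@dataclass
class System:
    thresholds: dict                       # user -> threshold V
    files: dict = field(default_factory=dict)

    def create(self, user, name, infected=False):
        self.files[name] = FileObj(owner=user, infected=infected)

    def execute(self, user, prog, target):
        """user runs prog, which may try to write into target.
        Returns True only if the infection spread to target."""
        p, t = self.files[prog], self.files[target]
        # Sharing across users adds 1 to the distance of what is read.
        incoming = p.fd + (1 if p.owner != user else 0)
        # Information is usable only while its distance is below V.
        if incoming >= self.thresholds[user]:
            return False
        if p.infected:
            # Output distance is the maximum over the inputs.
            t.fd = max(t.fd, incoming)
            t.infected = True
        return p.infected


def demo():
    s = System(thresholds={"anne": 3, "bill": 2, "cathy": 2})
    s.create("anne", "P", infected=True)   # fd(P) = 0
    s.create("bill", "Q")
    s.create("cathy", "R")
    first = s.execute("bill", "P", "Q")    # distance 1 < 2: spreads to Q
    second = s.execute("cathy", "Q", "R")  # distance 2 >= 2: blocked
    return first, second, s.files["Q"].fd, s.files["R"].infected


if __name__ == "__main__":
    print(demo())
```

The second hop is refused because the information would arrive at distance 2, which is not below Cathy's threshold, so the spread stops one user away from the origin.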

10 Introduction to Virtual Machine
Virtual machine (VM) structure
– A VM runs on a virtual machine monitor.
– The monitor virtualizes the resources of the underlying system and presents to each VM the illusion that it, and it alone, is using the hardware.
Virtual machine monitor (VMM)
– The VMM runs at the highest level of privilege.
– It keeps track of the state of each VM, just as an ordinary operating system keeps track of the state of its processes.
– When a privileged instruction is executed, the hardware causes a trap to the VMM.
– The monitor services the interrupt and restores the state of the caller.

