
Chapter 22: Malicious Logic
Dr. Wayne Summers, Department of Computer Science, Columbus State University
Summers_wayne@colstate.edu
http://csc.colstate.edu/summers


Malicious Logic
¨ Malicious Logic - set of instructions that causes a site’s security policy to be violated
 – Trojan horse – program with an overt effect and a covert effect
 – Computer Virus - program that attaches itself to another program and attacks other software by making copies of itself
  • boot sector infector
  • executable infector
  • multipartite
  • Terminate and stay resident (TSR)
  • Stealth
  • Polymorphic
  • Macro


Other Forms of Malicious Logic
¨ Computer Worm – program that copies itself from one computer (typically via the network) to another.
¨ Rabbit (bacterium) - program that absorbs all of some class of resource
¨ Logic bomb – a program that is activated or triggered after or during a certain event


Defenses
¨ Malicious Logic can be both data and instructions
¨ Malicious Logic can access and affect objects within a user’s protection domain by assuming the user’s rights
 – Limit the distance a virus can spread by defining a flow distance metric
 – Reduce the user’s protection domain when running suspected programs (principle of least privilege)
 – Use a “watchdog” (guardian) program to check whether access to a file is permitted
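The flow distance rule from the slide above, as an added toy model in Python (not code from the slides or the course): each copy made by sharing is one hop further from its origin, and a copy that reaches the limit can no longer be run or passed on. The limit value, the `Info` class and the user names are constructed for the illustration.

```python
"""Toy model of a flow distance metric that limits how far a virus can spread.
Rules: new information has fd = 0; sharing it with another user raises the copy's
fd by 1; a computation's output takes the largest fd of its inputs; information is
accessible only while fd < limit. The limit and the user names are constructed.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass
class Info:
    name: str
    owner: str
    fd: int = 0  # sharing hops since the information was created


def accessible(info: Info, limit: int) -> bool:
    return info.fd < limit


def share(info: Info, new_owner: str, limit: int) -> Info:
    """Copy info to another user; the copy is one hop further from its origin."""
    if not accessible(info, limit):
        raise AccessDenied(f"{info.name}: fd={info.fd} reached limit {limit}")
    return Info(info.name, new_owner, info.fd + 1)


def compute(name: str, owner: str, inputs: list, limit: int) -> Info:
    """A computation may read only accessible inputs; its output keeps the max fd."""
    for i in inputs:
        if not accessible(i, limit):
            raise AccessDenied(f"{i.name}: fd={i.fd} reached limit {limit}")
    return Info(name, owner, max(i.fd for i in inputs))


def spread_chain(users: list, limit: int) -> list:
    """Pass one program along a chain of users by sharing; return who can run it."""
    program = Info("editor", users[0])  # infected program created by the first user
    runnable = []
    for user in users:
        if user != users[0]:
            program = share(program, user, limit)  # sender was still allowed to use it
        if not accessible(program, limit):
            break  # copy exists, but the policy forbids using (and re-sharing) it
        runnable.append(user)
    return runnable
```

With a limit of 2, a program created by the first user can be run by one further user; the second copy arrives but is unusable, so the infection stops there.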


Defenses
 – Use a sandbox (virtual machine) to restrict process rights
 – Inhibit users in different protection domains from sharing programs & data (integrity policy)
 – Place protected programs at the lowest possible level of a multilevel security policy to keep them from writing down
 – Sign a file with a CRC to detect changes
 – Look for signatures of malicious programs
 – Use heuristic filters to block malicious programs (intrusion detection)