Software Vulnerabilities and Malware
CS 432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University
Section Overview
- Program flaws
- Buffer overflows
- Malware taxonomy
- Virus techniques and detection
- Worms
References
- Security in Computing, 4th Ed., Chapter 3
Software Flaw Classifications
- Inadequate authentication and authorization
- Serialization errors
- Data isolation errors
- Bounds checking errors
- Validation errors
  - Incomplete
  - Inconsistent
- Exploitable logic errors
It’s a bug’s life…
U.S. Navy Capt. Grace Hopper finds the first computer bug, August 1945 (from Hopper’s logbook).
Source: History of Computing, Virginia Tech
Computer Bugs
Bug (n): An unwanted and unintended property of a program or piece of hardware, esp. one that causes it to malfunction.*
Security-related issues:
- Core dumps
- Unauthorized access
*Source: The New Hacker’s Dictionary
Stack Buffer Overflows (diagram)
Process layout:
- Code (text): x = 5; call func(x); print x;
- Data
- Stack, frame of func(): args, return address, saved frame pointer, local variable char x[8]
Attack: a string longer than 8 bytes written into x runs past the end of the buffer and overwrites the saved return address with a pointer back into the attacker's own bytes on the stack (a run of nop instructions followed by exec(/bin/sh)). When func() returns, control lands in the shell code instead of going back to "print x".
Buffer Overflow Prevention
- Bounds checking!!!
- Virtual machines / sandboxing
- Compiler "canaries"
- Memory protection
  - Non-executable stack/heap
  - Page tagging
- Executable/library randomization
- Metasploit Framework (exploit framework; useful for testing whether the defenses above actually hold)
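The following C code is an added example, not part of the original slides. It shows the slide's unchecked strcpy() into char x[8], a bounds-checked replacement, and a stack canary check of the kind a compiler inserts. The frame in canary_copy is modelled as a byte array of this example's own design so that the overflow stays inside one object (a real overflow is undefined behaviour); the canary value is a fixed assumption for the demo, whereas real canaries are random per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* the slide's char x[8] */

/* How many bytes strcpy() would write past the end of a buf_len-byte buffer
 * (the terminating NUL counts). 0 means the string fits. */
size_t overflow_excess(size_t buf_len, const char *src) {
    size_t needed = strlen(src) + 1;
    return needed > buf_len ? needed - buf_len : 0;
}

/* The vulnerable pattern from the slide. strcpy() copies up to the NUL and
 * never looks at BUF_LEN, so a long src runs off the end of x into the saved
 * frame pointer and return address. Shown for illustration only; never call
 * it with untrusted input. */
void vulnerable_copy(const char *src) {
    char x[BUF_LEN];
    strcpy(x, src);
    puts(x);
}

/* Fix 1: bounds checking. Reject anything that does not fit (dst is left as
 * an empty string). Returns 0 on success, -1 on rejection. */
int bounded_copy(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return -1;
    if (overflow_excess(dst_len, src) != 0) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Fix 2: a stack canary, simulated. The frame is one byte array laid out as
 *   [ x (8 bytes) ][ canary (8 bytes) ]  <- saved FP and return address would follow
 * The prologue stores the secret above x; the epilogue re-reads it before
 * "returning". Returns 1 if the canary survived, 0 if the copy smashed it
 * (a real program aborts with "stack smashing detected" at that point). */
int canary_copy(const char *src, size_t n, uint64_t canary) {
    unsigned char frame[BUF_LEN + sizeof canary];

    memcpy(frame + BUF_LEN, &canary, sizeof canary);   /* prologue */
    if (n > sizeof frame) n = sizeof frame;             /* demo guard only; real code has no clamp */
    memcpy(frame, src, n);                              /* the unchecked copy into x */

    uint64_t check;                                     /* epilogue */
    memcpy(&check, frame + BUF_LEN, sizeof check);
    return check == canary;
}

int main(void) {
    /* Fixed for the demo. glibc picks a random value at startup and zeroes
     * its lowest byte so that string copies stop at the canary. */
    const uint64_t canary = 0x5a3c9e1f7b2d4600ULL;
    char dst[BUF_LEN];
    const char *benign = "hello";
    const char *attack = "AAAAAAAAAAAAAAAA";   /* 16 bytes: fills x and the canary slot */

    printf("bytes past the buffer for attack input: %zu\n", overflow_excess(BUF_LEN, attack));
    printf("bounded_copy(benign) = %d\n", bounded_copy(dst, sizeof dst, benign));
    printf("bounded_copy(attack) = %d\n", bounded_copy(dst, sizeof dst, attack));
    printf("canary intact after benign copy: %d\n", canary_copy(benign, strlen(benign) + 1, canary));
    printf("canary intact after attack copy: %d\n", canary_copy(attack, strlen(attack), canary));
    return 0;
}
```

The canary only detects the overwrite after it has happened, at function exit; bounds checking prevents it. Non-executable stacks and randomization (the next items on the slide) attack the later steps of the exploit instead, and an attacker who can overwrite the return address with an existing code address still gets past the canary only if the canary value itself can be read or guessed.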
Incomplete Mediation
- Failure to make sure input data makes "sense" (the root of injection attacks)
- Fixes
  - Data sanity checks
  - Controlled input methods (e.g. forms using pull-down boxes); note that a pull-down only constrains an honest browser, so the server must still check the submitted value
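An added example (not from the slides) of mediating a small form submission in C. The query-string format, the field names quantity and shipping, the allowed shipping options and the range 1..MAX_QTY are all assumptions made for this example; the point is that every field is checked against what the application expects before it is used, including the value of the pull-down box.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QTY 100   /* business rule assumed for the example */

/* Sanity check for a numeric field: digits only (no sign, no whitespace, no
 * hex), short enough that strtol cannot overflow, and inside 1..MAX_QTY.
 * Returns 1 and stores the value on success, 0 on rejection. */
int validate_quantity(const char *field, long *out) {
    if (field == NULL || *field == '\0') return 0;
    for (const char *p = field; *p; p++)          /* "12abc", "-3", " 7", "0x10" all fail here */
        if (!isdigit((unsigned char)*p)) return 0;
    if (strlen(field) > 9) return 0;              /* 9 digits always fit in a long */
    errno = 0;
    char *end;
    long v = strtol(field, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;
    if (v < 1 || v > MAX_QTY) return 0;
    *out = v;
    return 1;
}

/* The pull-down's options, re-checked server side. Allow-list, not deny-list:
 * anything not on this list is rejected, whatever it looks like. */
static const char *const SHIPPING_OPTIONS[] = { "ground", "air", "overnight" };

int validate_shipping(const char *field) {
    if (field == NULL) return 0;
    for (size_t i = 0; i < sizeof SHIPPING_OPTIONS / sizeof SHIPPING_OPTIONS[0]; i++)
        if (strcmp(field, SHIPPING_OPTIONS[i]) == 0) return 1;
    return 0;
}

/* Pull name=value out of an "a=1&b=2" string into a bounded buffer. Returns 1
 * if the field was found and fits. Constructed for this example: no URL
 * decoding, and an over-long value is rejected rather than truncated. */
int get_field(const char *query, const char *name, char *out, size_t out_len) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seg = amp ? (size_t)(amp - p) : strlen(p);
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seg - nlen - 1;
            if (vlen + 1 > out_len) return 0;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Mediate the whole request: every field present, every field valid. */
int validate_order(const char *query, long *qty_out) {
    char qty[16], ship[16];
    if (!get_field(query, "quantity", qty, sizeof qty)) return 0;
    if (!get_field(query, "shipping", ship, sizeof ship)) return 0;
    return validate_quantity(qty, qty_out) && validate_shipping(ship);
}

int main(void) {
    /* Constructed requests: one honest, one with a tampered pull-down value,
     * one with an injection attempt in the numeric field. */
    const char *requests[] = {
        "quantity=3&shipping=air",
        "quantity=3&shipping=free",
        "quantity=3;DROP TABLE orders&shipping=air",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        long q = 0;
        printf("%-45s -> %s\n", requests[i], validate_order(requests[i], &q) ? "accepted" : "rejected");
    }
    return 0;
}
```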
NRL Taxonomy
- Developed in 1992
- Classifies each flaw by three questions:
  - How did the flaw enter the system? (genesis)
  - When did it enter the system? (time of introduction)
  - Where in the system is it manifest? (location)
Type of Flaw (genesis, intentional branch)
- Intentional
  - Malicious
    - Trojan Horse (Non-Replicating, Replicating)
    - Trapdoor
    - Time/Logic Bombs
  - Non-Malicious
    - Covert Channel (Storage, Timing)
    - Other
Source: Computer Security: Art and Science, by Matt Bishop
Time of Flaw (time of introduction)
- Development
  - Requirements/Specs/Design
  - Source Code
  - Object Code
- Maintenance
- Operation
Source: Computer Security: Art and Science, by Matt Bishop
Location of Flaw
- Software
  - Operating System: System Initialization, Memory Mgmt, Process Mgmt/Scheduling, Device Mgmt, File Mgmt, Ident/Auth, Other/Unknown
  - Support: Privileged Utilities, Unprivileged Utilities
  - Application
- Hardware
Source: Computer Security: Art and Science, by Matt Bishop
Logic Bombs
- One of the earliest forms of malware
- Code embedded in a legitimate program
- "Explodes" under special circumstances
  - Date/time (time bombs)
  - Missing employee information
  - Other "triggers"
Backdoors
- Code that allows unauthorized access to a restricted resource
- Causes
  - Forgotten debugging or testing code
  - Code intentionally left for testing or maintenance
  - Code intentionally left to allow covert access after the program goes into production
- Almost always undocumented
Intruder Backdoors
- Created (privileged) accounts
- Use of schedulers to regain access
- Remote control tools
  - BO2K / Netbus / SubSeven
  - Netcat
  - Virtual Network Computing (VNC)
- Bots & rootkits
Botnet Uses
- Distributed Denial of Service (DDoS) attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading other malware
- Web advert clicking
Source: Computer Security: Principles and Practice, by William Stallings and Lawrie Brown
Rootkits
- Replace programs, libraries, or kernel modules
- Classifications
  - Persistent vs. memory-based
  - User mode (modify the data returned to programs)
  - Kernel mode (hook system calls)
Trojan Horses
- Code that is supposed to do one thing but actually does something else
- Examples
  - "Login" programs
  - AIDS Information Disk (1989)
  - Whack-A-Mole (Netbus)
  - Sony XCP (rootkit)
  - eLiTeWrap and other wrappers
Adware/Spyware
- Advertiser-supported software
- Installed along with the target application
- Pops up advertisement windows
- Sends data back to a third party
- Adware asks permission; spyware doesn’t
Salami Attacks
- Financial organizations are the prime target
- Methods of attack
  - Collection of round-off errors
  - Shaving very small amounts of money from many accounts
- Hard to detect
Viruses
- Code which attaches itself to other programs
- Actions
  - Infects other programs
  - Runs "logic bomb" style code
- Can be:
  - Memory resident
  - Run at the same time as the infected program
  - Run when an infected data file is loaded (macro viruses)
Parasitic Viruses (diagram)
Before infection: [Program Code]
After infection (basic): [Virus Code][Program Code]
The virus code is placed ahead of the host so it runs first, then passes control to the original program.
Parasitic Virus Structure
1. Signature: a marker the virus checks for so it does not reinfect a file it already carries
2. Infect another executable (one without the signature)
3. Trigger event occurred?
4. If so, run the payload
Compression Viruses (diagram)
Before infection: [Program Code]
After infection (basic): [Virus][Compressed Program Code]
Compressing the host keeps the infected file about the same size as the original, hiding the growth a plain parasitic infection would cause; at run time the virus decompresses and runs the host.
Boot Sector Virus (diagram)
Before infection: the boot sector holds the normal boot loader; other sectors hold system initialization.
After infection: the boot sector holds the boot virus loader code, and the original boot loader has been moved out to other sectors alongside system initialization. The virus therefore gets control first on every boot and then chains to the real loader.
Stealth Viruses (diagram)
Memory holds the interrupt vector table (vectors 0 .. n). A user system call traps to supervisor mode and is dispatched through that table; the virus replaces a table entry so the call lands in its modified interrupt handler instead of the original. The handler filters the results of reads of infected files (or the boot sector) so that programs, including scanners running under the infected OS, see the original uninfected contents.
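As an added example (not from the slides), the hook in the diagram modelled in C: the interrupt vector table becomes a table of function pointers, the "disk" is one constant string, and the virus body is the marker VIRUS-BODY. All three are constructed for this example. The same trick is what the rootkit slide calls a user-mode rootkit modifying returned data; the cross-check at the end is the practical lesson, compare what the OS returns with a read that bypasses it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "disk": one infected executable, marker prepended to the host. */
#define VIRUS_MARK "VIRUS-BODY"
static const char infected_file[] = VIRUS_MARK "ORIGINAL-PROGRAM";

/* One entry of the vector table: the 'read file' service. */
typedef size_t (*read_handler_t)(const char *file, char *out, size_t out_len);

/* The real handler: returns the bytes as they are on disk. */
size_t original_read(const char *file, char *out, size_t out_len) {
    size_t n = strlen(file);
    if (n >= out_len) n = out_len - 1;
    memcpy(out, file, n);
    out[n] = '\0';
    return n;
}

/* The stealth handler: calls the real one, then strips its own marker so a
 * caller going through the OS sees the clean original. */
size_t stealth_read(const char *file, char *out, size_t out_len) {
    size_t n = original_read(file, out, out_len);
    size_t m = strlen(VIRUS_MARK);
    if (n >= m && memcmp(out, VIRUS_MARK, m) == 0) {
        memmove(out, out + m, n - m + 1);   /* +1 keeps the NUL */
        n -= m;
    }
    return n;
}

enum { VEC_READ = 0, NVEC };
static read_handler_t vector_table[NVEC] = { original_read };

void hook_read_vector(void)   { vector_table[VEC_READ] = stealth_read; }   /* the resident virus does this */
void unhook_read_vector(void) { vector_table[VEC_READ] = original_read; }

/* "User system call": every read is dispatched through the table, as through the trap. */
size_t sys_read(const char *file, char *out, size_t out_len) {
    return vector_table[VEC_READ](file, out, out_len);
}

/* A scanner that trusts the running OS. Returns 1 if the marker is visible. */
int scan_via_os(const char *file) {
    char buf[64];
    sys_read(file, buf, sizeof buf);
    return strstr(buf, VIRUS_MARK) != NULL;
}

/* A scanner that bypasses the hooked vector (raw read, or booting from clean media). */
int scan_raw(const char *file) {
    char buf[64];
    original_read(file, buf, sizeof buf);
    return strstr(buf, VIRUS_MARK) != NULL;
}

/* Cross-view check: if the two views disagree, something is hooking reads. */
int read_view_mismatch(const char *file) {
    return scan_via_os(file) != scan_raw(file);
}

int main(void) {
    printf("before hook: via OS %d, raw %d\n", scan_via_os(infected_file), scan_raw(infected_file));
    hook_read_vector();
    printf("after hook:  via OS %d, raw %d, mismatch %d\n",
           scan_via_os(infected_file), scan_raw(infected_file), read_view_mismatch(infected_file));
    unhook_read_vector();
    return 0;
}
```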
Polymorphic Viruses (diagram)
Before infection: [Program Code]
After infection: [Mutation Engine][Crypto (decryption routine)][Encrypted: Virus Code + Compressed Program Code]
Each new infection re-encrypts the body under a different key and the mutation engine rewrites the decryption routine, so no fixed byte string is shared by all copies.
Armored Viruses
- Anti-disassembly
- Anti-debugging
- Anti-heuristics
- Anti-emulation
- Anti-goat (avoids infecting the bait, or "goat", files analysts plant to capture samples)
Other Virus Types
- Slow viruses
- Multipartite viruses
- Companion viruses
- Retro viruses
- Phage viruses
Macro Viruses
- Macro language is part of "office suites"
- Virus is a macro saved in a document
- Spreads to the suite when the infected file is opened (global macros infected)
- All open documents infected when saved
- Virus damage limited by the macro language’s capabilities
Hoax Viruses
- Not really a virus
- Email warnings sent
- FUD (Fear, Uncertainty, and Doubt) leads to further propagation
- Goodtimes virus (1994)
- Virus hoax pages
Virus Sources
- Internet downloads
- Email/IM
- USB keys
- Vendors
- Virus toolkits
  - Virus Creation Laboratory (VCL)
  - VBS Worm Generator
Virus Symptoms
- File/directory changes
  - Date/time
  - Size
- Slower system operation
- Reduction of resources
  - Memory
  - Disk space
  - Bad sectors
- Unusual messages
- Application crashes
Virus Detection
- Signature scans
  - Fingerprints based on virus samples
  - Can detect and clean/quarantine on open request
  - Keep the signature database current!!!
- Heuristic scans
  - Look for common virus behavior (e.g. writing to a .exe file)
  - Assign weights based on each characteristic found
  - If the total exceeds a threshold, mark as a virus
- Integrity checkers (e.g. Tripwire)
  - Take a one-way hash of each file on a newly installed system
  - Periodically recompute the hashes and compare to the originals
  - Non-matches are considered compromises
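An added C example, not from the slides, covering the three detection methods on this slide and the polymorphic slide before it. The "virus body" is a harmless marker string and the signature is a substring of it, both constructed for the example; the heuristic weights and threshold are illustrative assumptions; and FNV-1a stands in for the one-way hash an integrity checker such as Tripwire would use (it is not cryptographic and is chosen only to keep the example self-contained).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample body and the byte string a vendor would cut from it. */
static const unsigned char BODY[] = "INFECT;TRIGGER?;PAYLOAD";
#define BODY_LEN (sizeof BODY - 1)
static const unsigned char SIG[] = "TRIGGER?";
#define SIG_LEN (sizeof SIG - 1)

/* 1. Signature scan: does sig occur anywhere in buf? (memmem() is not ISO C.) */
int signature_match(const unsigned char *buf, size_t len,
                    const unsigned char *sig, size_t slen) {
    if (slen == 0 || len < slen) return 0;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, sig, slen) == 0) return 1;
    return 0;
}

/* Polymorphic infection: XOR the body with a per-copy key. Copies made with
 * different keys share no byte string, so a signature taken from one misses
 * the other. out must hold BODY_LEN bytes. */
void mutate(unsigned char key, unsigned char *out) {
    for (size_t i = 0; i < BODY_LEN; i++) out[i] = BODY[i] ^ key;
}

/* The decryptor each copy carries. A scanner's emulator runs it before
 * matching, which is how signature scans still catch polymorphic bodies. */
void decrypt(const unsigned char *in, unsigned char key, unsigned char *out) {
    for (size_t i = 0; i < BODY_LEN; i++) out[i] = in[i] ^ key;
}

/* 2. Heuristic scan: behaviours observed while emulating the file, each
 * weighted; the file is flagged when the total reaches the threshold. */
typedef struct {
    int writes_exe;       /* opens another executable for writing (the slide's example) */
    int self_decrypting;  /* loops over its own bytes, then jumps into the result */
    int hooks_vector;     /* patches the interrupt / dispatch table */
} traits_t;

#define HEURISTIC_THRESHOLD 5   /* assumed for the example */

int heuristic_score(const traits_t *t) {
    return 3 * t->writes_exe + 2 * t->self_decrypting + 4 * t->hooks_vector;
}

int heuristic_flag(const traits_t *t) {
    return heuristic_score(t) >= HEURISTIC_THRESHOLD;
}

/* 3. Integrity check. FNV-1a is a stand-in; use SHA-256 in a real checker,
 * since an attacker can make a modified file collide under FNV-1a. */
uint64_t fnv1a64(const unsigned char *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* baseline was recorded on the clean install; returns 1 if the file changed. */
int integrity_changed(uint64_t baseline, const unsigned char *buf, size_t len) {
    return fnv1a64(buf, len) != baseline;
}

int main(void) {
    unsigned char copy_a[BODY_LEN], copy_b[BODY_LEN], plain[BODY_LEN];
    mutate(0x5a, copy_a);
    mutate(0xc3, copy_b);
    decrypt(copy_a, 0x5a, plain);
    printf("signature in plain body:           %d\n", signature_match(BODY, BODY_LEN, SIG, SIG_LEN));
    printf("signature in encrypted copy:       %d\n", signature_match(copy_a, BODY_LEN, SIG, SIG_LEN));
    printf("two copies byte-identical:         %d\n", memcmp(copy_a, copy_b, BODY_LEN) == 0);
    printf("signature after emulated decrypt:  %d\n", signature_match(plain, BODY_LEN, SIG, SIG_LEN));
    traits_t t = { 1, 1, 0 };
    printf("heuristic score %d, flagged %d\n", heuristic_score(&t), heuristic_flag(&t));
    uint64_t baseline = fnv1a64(BODY, BODY_LEN);
    printf("integrity changed after mutation:  %d\n", integrity_changed(baseline, copy_a, BODY_LEN));
    return 0;
}
```

Note which method catches what: the raw signature misses every encrypted copy, emulation plus signature recovers it, the heuristic needs no sample at all but can misfire on legitimate self-modifying or installer code, and the integrity checker detects any change to a file it has a baseline for but says nothing about files that were infected before the baseline was taken.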
Worms and Rabbits
- Worms
  - Applications which propagate themselves via a network by exploiting service vulnerabilities
  - Morris Internet Worm (1988)
  - Code Red, Nimda, SQL Slammer, MSBlast, etc. (2001-2004)
- Rabbits
  - Applications which replicate as much as they can to use up available resources
  - Resources: disk space, memory
2007 Malware Breakdown (chart not reproduced)
Source: X-Force 2007 Trend Statistics, IBM Internet Security Systems
Modular Code Design
- Code module
  - Does only one task
  - Reusable
  - Easier to understand and test
- Encapsulation
  - Minimal data sharing
  - Few, well-defined interfaces
- Information hiding ("black box")
Program Development
- Detailed specs
- Peer reviews & walkthroughs
- Independent testing
- Revision control systems
- Coding standards!!!
Testing
- Module testing
- Integration testing
- Function testing
- Performance testing
- Acceptance testing
- Regression testing
Storage Covert Channel (diagram; time runs down the page)
The service program may read the protected data; the spy’s program may not, but it can test whether a file exists. The service program signals one bit per interval through that file:
- Interval 1: service creates the file (1); spy asks "file exists?", answer yes, reads 1
- Interval 2: service deletes the file (0); spy asks, answer no, reads 0
- Interval 3: service leaves the file deleted (0); spy asks, answer no, reads 0
Bit by bit the protected data reaches the spy without any direct read of it.
Detecting Covert Channels
- Shared Resource Matrix (R = reads, M = modifies)
                 | Service Program | Spy’s Program
  Lock File      | R, M            | R
  Protected Data | R               |
  A resource that one program can modify and a different program can read (here the lock file) is a potential storage channel.
- Information Flow Method
  - Analysis of all inputs and outputs to a routine
  - Create a dependency diagram
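The channel on the previous slide and the shared-resource-matrix check on this one, as an added C example (not from the slides). The file system is reduced to a single "lock file exists" flag shared by the two programs, and the matrix is filled in exactly as on the slide; both are constructed for the example. The channel shows the leak works at one bit per interval with no read of the protected data by the spy; the matrix walk shows how the analysis finds it.

```c
#include <stdio.h>

/* Stand-in for the file system: the only shared state is whether the lock file exists. */
typedef struct { int lock_file_exists; } fs_t;

/* Service program: has the protected data, signals a bit per interval by
 * creating the file (1) or deleting / leaving it deleted (0). */
void service_interval(fs_t *fs, int bit) {
    fs->lock_file_exists = bit ? 1 : 0;
}

/* Spy's program: may not read the data, but may ask "does the file exist?". */
int spy_interval(const fs_t *fs) {
    return fs->lock_file_exists ? 1 : 0;
}

/* Leak one byte of protected data, most significant bit first, one bit per
 * interval. Returns the byte the spy reconstructed. */
unsigned char leak_byte(unsigned char secret) {
    fs_t fs = { 0 };
    unsigned char got = 0;
    for (int i = 7; i >= 0; i--) {
        service_interval(&fs, (secret >> i) & 1);   /* service sets the resource ... */
        got = (got << 1) | spy_interval(&fs);        /* ... then the spy samples it */
    }
    return got;
}

/* Shared resource matrix from the slide. Each cell is a bitmask. */
enum { R = 1, M = 2 };
#define NRES  2
#define NPROG 2
static const char *RESOURCES[NRES] = { "Lock File", "Protected Data" };
static const char *PROGRAMS[NPROG] = { "Service Program", "Spy's Program" };
static const int MATRIX[NRES][NPROG] = {
    { R | M, R },   /* Lock File: service reads and modifies, spy reads */
    { R,     0 },   /* Protected Data: only the service may read it */
};

/* A resource is a potential storage channel when some program can modify it
 * and a different program can read it. Marks found[r] and returns the count. */
int find_storage_channels(const int m[NRES][NPROG], int found[NRES]) {
    int count = 0;
    for (int r = 0; r < NRES; r++) {
        found[r] = 0;
        for (int w = 0; w < NPROG; w++) {
            if (!(m[r][w] & M)) continue;
            for (int rd = 0; rd < NPROG; rd++)
                if (rd != w && (m[r][rd] & R)) found[r] = 1;
        }
        count += found[r];
    }
    return count;
}

int main(void) {
    unsigned char secret = 0xA5;   /* constructed protected byte */
    printf("service leaked 0x%02X, spy read 0x%02X\n", secret, leak_byte(secret));

    for (int r = 0; r < NRES; r++) {
        printf("%-15s", RESOURCES[r]);
        for (int p = 0; p < NPROG; p++)
            printf("  %s: %s%s", PROGRAMS[p],
                   (MATRIX[r][p] & R) ? "R" : "-", (MATRIX[r][p] & M) ? "M" : "-");
        printf("\n");
    }
    int found[NRES];
    int n = find_storage_channels(MATRIX, found);
    printf("%d potential storage channel(s)\n", n);
    for (int r = 0; r < NRES; r++)
        if (found[r]) printf("  %s\n", RESOURCES[r]);
    return 0;
}
```

The matrix flags the lock file but not the protected data, which matches the slide: the leak is possible only because the service program can both read the data and modify a resource the spy can observe. Closing the channel means removing one of those two entries (for example, by denying the spy's program the existence check) or adding noise and rate limits where it cannot be removed.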