CS363Week 6 - Monday
Last time
What did we talk about last time? Quantum cryptography Non-malicious program errors
Questions?
Assignment 2
Project 2
Non-malicious program errors
Incomplete mediation
Incomplete mediation happens with a system does not have complete control over the data that it processes
Example URL: http://www.security.com/query.php?date=2012March20
Wrong URL: http://www.security.com/query.php?date=2000Hyenas
The HTML generates the URL, but the URL can be entered manually
Incomplete mediation security For a website, a carelessly altered
URL might just mean a 404 error For a program, bad data could cause
any number of faults and failures Malicious attackers could change
data or mount an SQL injection attack to destroy or reveal database internals
Values should always be checked and sanitized
Bobby Tables
File CommandMyFile.txt Change byte 4 to
'A'
File CommandYourFile.txt Delete file
Time-of-check to time-to-use It seems like things happen instantly in a computer Many operations, especially those on files, may be
put into a queue of work Imagine you give the OS a data structure with this
command:
After it is authorized but before it can be executed, you change it to:
Undocumented access point A program might have a way to access
its private internal data These access points are called
backdoors or trapdoors During development, these backdoors
can be really useful for debugging In production, they cause a security risk,
either because the developers can have control they shouldn't or because other attackers can exploit the backdoor
General programming errors Integer overflow and underflow
Someone ordered -2 billion oranges? Unterminated C-style string
A C-style string ends with the null character ('\0') Without the null character, string processing
functions might keep reading (or writing) into memory
Race conditions In multi-threaded environments, data can be
updated by multiple threads, leading to inconsistent (and unpredictable) results
Case Study: Therac-25
Therac-25 background Therac-25 was a radiation therapy machine built by
the Atomic Energy of Canada Limited It was the successor to the Therac-6 and Therac-20
machines The machine had low power and high power modes The low power mode shot a beam directly at the
patient The high power mode created X-rays by shooting
the beam at a target, spread these X-rays with a flattening filter, shaped the beam with movable blocks, and tested the strength of the beam with an X-ray ion chamber
Tragedies
In some situations, the high power beam was activated without the spreader in place
The software and hardware systems did not catch this particular problem
Over 100 times the intended dose was given
At least 2 people died and there were at least 6 overdoses total
Software bugs actually kill people!
Direct causes A certain unusual combination of keystrokes
had to happen within 8 seconds There were no hardware interlocks to prevent
the problem if the user overrode the error code
Error codes were not well-documented and were displayed as a number
Software was reused from previous models that did have hardware interlocks
Arithmetic overflow caused safety checks to fail in some cases
Indirect causes
The software/hardware combination had never been tested before use
Personnel did not believe complaints due to confidence in the system
Code was not independently reviewed
Errors were easily overridden
Malicious Code
Malicious code Obviously, it’s a problem It’s very difficult to stop
You never really know what’s getting installed on your computer
You’re downloading thousands of files from the Internet every day
Even if you had the source code for every program, could you catch all the dangerous stuff?
Malicious code has been around since at least 1970
Terminology Malicious code (or a rogue program) is our
blanket term for any code that has undesirable effects that were intentionally designed
The agent is the person who writes the code A virus is a program that can replicate itself
and add malicious code to nonmalicious programs A transient virus runs when its host program is
running A resident virus lives in memory and can be
active anytime
Viruses Terminology is inconsistent Popular culture tends to call everything a virus Sometimes we will too, but here are some other terms:
Almost all of these are, by definition, Trojan horses Worms differ from viruses primarily because they spread across networks
Type Characteristics
Virus Attaches itself to a program and propagates copies of itself to other programs
Trojan horse Contains unexpected, additional functionalityLogic bomb Triggers action when condition occursTime bomb Triggers action when specified time occursTrapdoor Allows unauthorized access to functionality
Worm Propagates copies of itself through a networkRabbit Replicates itself without limit to exhaust resources
How viruses attach
A virus is not dangerous unless it is active
Just having an infected file on your hard drive won’t cause a problem unless it is accessed
But files get opened all the time Programs call other programs Just previewing files can be dangerous E-mail programs open attachments
automatically How do these viruses infect code?
Appended viruses A virus can be designed so that it
starts running before the real program does Machine code for the virus is inserted
before the machine code for the beginning of the program
After the virus runs, it transfers control to the real program
The real program runs as if nothing happened
This kind of virus is easy to write It is also relatively easy to catch for
antivirus software
Program Code
Virus Code
+
Program CodeVirus Code
Surrounding or integrating Another possibility is viruses that surround a program,
gaining control before and after execution The code may not be at the beginning and end of the executable,
but that’s how the control flow works Viruses can also be spread throughout the code
Program Code
Virus Code
+
Program CodeVirus Code
A
Virus Code
B
Program Code
Virus Code
+
Infected Program Code
Document viruses
According to the book, the most common form of virus is a document virus
A document virus is an infected document (instead of an executable file)
Nevertheless, the macros that can be stored in Word, Excel, Access, and other similar complex documents are powerful enough to cause just as much damage as any other virus
Where Viruses Live
The perfect virus If you are making a virus, the following
characteristics are ideal: Hard to detect Difficult to destroy or deactivate Spreads infection widely Capable of reinfecting its host or other programs Easy to create Machine and OS independent
It’s difficult to make a virus that meets all these criteria
One-time execution
Many viruses will be executed just once
This could be on running a pirated (and infected) file
One of the most common avenues of attack is through an e-mail attachment
Boot sector viruses The boot sector is the part of a hard drive
that says what code to load to start your OS The details are technical, but a boot sector
virus is one that is stored in the chain of code that starts up your whole computer
A virus that can start this early can circumvent or disable antivirus
It has complete control over your system It is also not obvious from the file system
Memory resident viruses Some programs start up and then never
really die They are low level parts of the OS that need
to keep running Sometimes called TSR (terminate and stay
resident) Because these programs are always
running, they are an attractive home for a virus
Even if you delete the original infected file, the memory resident virus can replace it
Somewhere else… As with everything in security, the
assumption is that attackers do not play by the rules
A virus does not have to live where we expect it to
A few other places that are sensible: Applications Libraries Compilers (infect programs as you create them) Antivirus software
Virus Signatures
A fundamental problem with looking for Trojan horses Ken Thompson's seminal paper Reflections on
Trusting Trust: He added a backdoor to the Unix login program Too easy to trace, so he added a backdoor to the C
compiler to insert the backdoor in any program called login
Too easy to trace, so he added a backdoor in the compiler compiler to insert code that would insert the backdoor in any program called login
And so on, and so on… You can’t trust anything you didn’t completely
create yourself Some amount of trust is necessary
Virus signatures
Viruses are difficult to detect, but we can still classify them by the way they change code or the way they execute
We call these tell-tale signs a signature
Antivirus programs work by searching for certain signatures in code
Storage patterns At simplest, this is just a particular string of code in
the binary Often this code is at the beginning of a program so
that it gets control immediately Craftier viruses will put themselves other places
that get jumped to early in execution An antivirus program can check:
The size of a file The functioning of the code compared to some standard It can look for suspicious execution patterns (weird JUMP
commands) The program against a hash digest for the program
Execution patterns
Viruses are also suspicious because of the way they execute
The virus should: Spread infection Avoid detection Cause harm
How do these behaviors look like normal programs?
How do they look abnormal? It’s not easy to tell…
Polymorphic viruses Because virus scanners try to match strings in machine
code, virus writers design polymorphic viruses that change their appearances
No-ops, code that doesn’t have an impact on execution, can be used for simple disguises
Clever viruses can break themselves apart and hide different parts in randomly chosen parts of code Similar to code obfuscation
Advanced polymorphic viruses called encrypting viruses encrypt parts of themselves with randomly chosen keys A scanner would have to know to decrypt the virus to detect it
Virus scanners cannot catch everything
Virus effects and causesVirus Effect Virus Cause
Attach to executable program Modify file directory Write to executable program
fileAttach to data or
control file Modify directory Rewrite data
Append to data Append data to self
Remain in memory Intercept interrupt
by modifying interrupt handler address table
Load self in nontransient memory area
Infect disks Intercept interrupt Intercept OS system
call Modify system file Modify ordinary executables
Conceal self Intercept system calls Classify self as hidden file
Spread infection Infect boot sector Infect system
program
Infect ordinary program Infect data ordinary program
reads
Prevent deactivation Activate before
deactivating program
Store copy to reinfect after deactivation
Prevention of infection It is impossible to prevent infection entirely Some guidelines:
Use only commercial software acquired from reliable, well-established vendors
Test all new software on an isolated computer Open attachments only when you know them to be
safe Make a recoverable system image and store it safely Make and retain backup copies of executable system
files Use virus detectors regularly and update them daily
Truths and misconceptions Viruses can infect only Microsoft
Windows systems Viruses can modify hidden and read-
only files Viruses can appear only in data files
or only in programs Viruses spread only on disks or only
through e-mail Viruses cannot remain in memory
after a power cycle Viruses can be malevolent, benign, or
benevolent
False
True
False
False
True, but so what?True
Virus Case Studies
Brain virus The Brain virus is one of the oldest known
It changed the label of disks it attacked to “BRAIN” It was written by two brothers from Pakistan
It copies itself to the boot sector in MS-DOS It rewrites the system interrupt for disk
reading so that it controls reads If you try to look at the boot sector, it will lie to you
about what’s there Anytime it sees an uninfected disk, it infects it It doesn’t otherwise do anything malicious
The Internet Worm In 1988 Robert Morris, a Cornell graduate
student, wrote an worm that infected a lot of the Internet that existed at that time
Serious connectivity issues happened because of the worm and because people disconnected uninfected system
He claimed the point was the measure the size of the Internet
The worm’s goal:1. Determine where it could spread to2. Spread its infection3. Remain undiscovered
Determining where to spread It tried to find user accounts on the host
machine It tried 432 common passwords and compared
their hash to the list of password hashes Ideally, this list should not have been visible
It tried to exploit a bug in the fingerd program (using a buffer overflow) and a trapdoor in the sendmail mail program Both were known vulnerabilities that should
have been patched
Spreading infection Once a target was found, the worm would
send a short loader program to the target machine
The program (99 lines of C) would compile and then get the rest of the virus
It would use a one-time password to talk to the host
If the host got the wrong password, it would break connection
This mechanism was to prevent outsiders from gaining access to the worm’s code
Remain undiscovered
Any errors in transmission would cause the loader to delete any code and exit
As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies
It periodically changed its name and process identifier so that it would be harder to spot
What happened The worm would ask machines if they were already
infected Because of a flaw in the code, it would reinfect
machines 1 out of 7 times Huge numbers of copies of the worm started filling
infected machines System and network performance dropped
Estimates of the damage are between $100,000 and $97 million Morris was fined $10,000 and sentenced to 400 hours of
community service The CERT was formed to deal with similar problems
Code Red
Code Red appeared in 2001 It infected a quarter of a million systems
in 9 hours It is estimated that it infected 1/8 of the
systems that were vulnerable It exploited a vulnerability by
creating a buffer overflow in a DLL in the Microsoft Internet Information Server software
It only worked on systems running an MS web server, but many machines did by default
Versions
The original version of Code Red defaced the website that was being run
Then, it tried to spread to other machines on days 1-19 of a month
Then, it did a distributed denial of service attack on whitehouse.gov on days 20-27
Later versions attacked random IP addresses
It also installed a trap door so that infected systems could be controlled from the outside
Upcoming
Next time…
Review for exam
Reminders
Read section 3.2 Finish Assignment 2
Due tonight! Start on Project 2