
PROGRAM DATA & SECURITY
Viruses and other Malicious Code

Group 1 Presents

PROGRAM SECURITY
Programming errors with security implications: buffer overflows, incomplete access control
Malicious code: viruses, worms, Trojan horses
Program development controls against malicious code and vulnerabilities: software engineering principles and practices
Controls to protect against program flaws in execution: operating system support and administrative controls

SECURE PROGRAMS
Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability.

FIXING FAULTS
Software that has many faults early on is likely to have many others still waiting to be found.
Early computer security work used the penetrate-and-patch method, where analysts (a "tiger team") searched for and repaired faults.
Often patch efforts made the system less secure:
Pressure to repair encourages a narrow focus on the fault and not its context.
Fixing the fault often introduces side effects.
The fault often cannot be fixed properly because doing so would cause performance problems.

UNEXPECTED BEHAVIOR
Compare program requirements with behavior to identify program security flaws
A flaw is either a fault or a failure
A vulnerability is a class of flaws (e.g. buffer overflows)
Need to determine how to prevent harm caused by possible flaws
Program security flaws can derive from any kind of software fault:
  Inadvertent human flaws
  Malicious, intentionally induced flaws

UNEXPECTED BEHAVIOR
Hindrances for eliminating program security flaws
How do we test for what a program shouldn't do?
Programming and software engineering techniques evolve more rapidly than computer security techniques

PROGRAM FLAWS
Include everything from a misunderstanding of program requirements to a one-character error in coding or even in typing, from the failure of two program pieces to interact compatibly through a shared interface to code intended to do harm.

TYPES OF FLAWS
Intentional
  Malicious
  Nonmalicious
Inadvertent
  Validation error (incomplete / inconsistent)
  Domain error
  Serialization and aliasing
  Inadequate identification and authentication
  Boundary condition violation
  Other exploitable logic errors

VIRUSES
Are the prime example of non-specific malicious code: they are not directed specifically at any one system or user.
A virus is a program that can pass on malicious code to other nonmalicious programs by modifying them.

MALICIOUS CODE
Can be a program or part of a program.
Software that gives the malware creator partial to full control of your computer, to do whatever the creator wants.
Malicious code has been around since the 70s.

KINDS OF MALICIOUS CODE


Malicious code or rogue program: the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.

CODE TYPE: CHARACTERISTIC
Virus: Attaches itself to a program and propagates copies of itself to other programs.
Trojan horse: Contains unexpected, additional functionality.
Logic bomb: Triggers an action when a condition occurs.
Time bomb: Triggers an action when a specified time occurs.
Trapdoor: Allows unauthorized access to functionality.
Worm: Propagates copies of itself through a network.
Rabbit: Replicates itself without limit to exhaust a resource.

WAYS VIRUSES ARE ATTACHED

APPENDED VIRUSES
Virus code is inserted before the first instruction; the last virus instruction points to the first program instruction.

VIRUSES THAT SURROUND A PROGRAM

An alternative to the attachment is a virus that runs the original program but has control before and after its execution.

INTEGRATED VIRUSES AND REPLACEMENT

A virus might replace some of its target, integrating itself into the original code of the target.

HOMES FOR VIRUSES

THE WRITER MAY WANT A VIRUS WITH THESE QUALITIES:
Hard to detect
Hard to destroy or deactivate
Spreads infection widely
Can re-infect
Easy to create
Machine independent (and operating system independent)

HOW VIRUSES ATTACK


A virus is attached to a program
The virus is activated by executing the program
Most common viruses today are attached to e-mail; when the attachment is opened, the virus is active

BOOT SECTOR VIRUSES


A special case of virus attachment, but a fairly popular one. The operating system has to start with code that copies it from disk to memory and transfers control to it; this copying is called the bootstrap (often "boot") load because the operating system pulls itself into memory by its bootstrap. The firmware does its control transfer by reading a fixed number of bytes from a fixed location on the disk (called the boot sector) to a fixed address in memory and then jumping to that address.

MEMORY-RESIDENT VIRUSES
For frequently used parts of the operating system, and a few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called resident code.

DOCUMENT (MACRO) VIRUS


A virus that is part of the macro associated with a document.
Such viruses spread through e-mail attachments, discs, networks, modems, and the Internet, and are notoriously difficult to detect.

VIRUS SIGNATURES
Each of these characteristics is a telltale pattern, called a signature, that can be found. The signature of a virus is important for creating a program called a virus scanner that can automatically detect and in some cases remove viruses.

STORAGE PATTERN
A virus may attach itself to a file, in which case the file's size grows, or the virus may obliterate all or part of the underlying program, in which case the program's size does not change but the program's functioning is impaired.

ANTIVIRUS SOFTWARE

Virus Signature (virus scanner looks for signatures)
Storage Patterns (virus scanner looks for suspicious patterns)
Execution Patterns
Transmission Patterns
Polymorphic Viruses: a virus that can change its appearance
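As an added illustration (not code from the slides), the Python below shows how a simple scanner applies two of the checks named above: a byte-pattern signature search, and a storage-pattern comparison against a recorded baseline of file sizes and hashes, which separates an appended virus (file grows) from a replacement virus (same size, different bytes). The signature bytes and the "executables" are constructed sample data, not a real virus pattern.

```python
import hashlib

# Constructed, illustrative signature bytes; NOT a real virus pattern.
SIGNATURES = {"demo-appender": b"\x90\x90\xeb\x04DEMO"}


def scan_for_signatures(data: bytes, signatures=SIGNATURES):
    """Return the names of signatures whose byte pattern occurs in data."""
    return [name for name, pat in signatures.items() if pat in data]


def baseline(files: dict) -> dict:
    """Record (size, SHA-256) of each file as the storage-pattern baseline."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def check_storage_patterns(files: dict, base: dict) -> dict:
    """Compare current files with the baseline and classify each change.
    'grew'     -> larger and hash changed: consistent with an appended virus
    'replaced' -> same size but hash changed: consistent with an integrated/replacement virus
    'shrank'   -> smaller and hash changed
    'new'      -> file absent from the baseline
    Unchanged files are not reported.
    """
    findings = {}
    for name, data in files.items():
        size, digest = len(data), hashlib.sha256(data).hexdigest()
        if name not in base:
            findings[name] = "new"
            continue
        bsize, bdigest = base[name]
        if digest == bdigest:
            continue
        findings[name] = "grew" if size > bsize else "replaced" if size == bsize else "shrank"
    return findings


# Constructed sample "executables": plain bytes standing in for real programs.
CLEAN = {"calc.exe": b"MZ\x00\x01original calculator code",
         "edit.exe": b"MZ\x00\x02editor code here"}
BASE = baseline(CLEAN)
INFECTED = {
    "calc.exe": SIGNATURES["demo-appender"] + CLEAN["calc.exe"],  # appended: size grows
    "edit.exe": b"MZ\x00\x02edXXor code here",                   # bytes overwritten, same size
}


def demo() -> dict:
    return {"sig_hits": {n: scan_for_signatures(d) for n, d in INFECTED.items()},
            "storage": check_storage_patterns(INFECTED, BASE)}


if __name__ == "__main__":
    print(demo())
```

Note that the overwritten edit.exe carries no signature and its size is unchanged, so only the hash comparison catches it; the signature check alone would miss it.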

PREVENTING VIRUS INFECTION


The only way to prevent infection by a virus is not to share executable code with an infected source.

Techniques for building a reasonably safe community for electronic contact include:
Use only commercial software acquired from reliable, well-established vendors.
Test all new software on an isolated computer.
Make a bootable diskette and store it safely.
Make and retain backup copies of executable system files.
Use a virus detector regularly.

VIRUS EFFECT / HOW IT IS CAUSED

Attach to executable program
  Modify file directory
  Write to executable program file

Attach to data or control file
  Modify directory
  Rewrite data
  Append to data
  Append data to self

Remain in memory
  Intercept interrupt by modifying interrupt handler address table
  Load self in non-transient memory area

Infect disks
  Intercept interrupt
  Intercept operating system call
  Modify system file
  Modify ordinary executable program

Conceal itself
  Intercept system calls that would reveal self and falsify result
  Classify self as hidden file

Spread infection
  Infect boot sector
  Infect system program
  Infect ordinary program
  Infect data ordinary program reads to control its execution

Prevent deactivation
  Activate before deactivating program and block deactivation
  Store copy to re-infect after deactivation

TRUTHS AND MISCONCEPTIONS ABOUT VIRUSES
Viruses can infect only Microsoft Windows systems - FALSE
Viruses can modify hidden or read-only files - TRUE
Viruses can appear only in data files, or only in Word documents, or only in programs - FALSE
Viruses spread only on disks or only in e-mail - FALSE
Viruses cannot remain in memory after a COLD BOOT - TRUE
Viruses cannot infect hardware - TRUE
Viruses can be malevolent, benign, or benevolent - TRUE

TARGETED MALICIOUS CODE


Trapdoor: a secret, undocumented entry point to a module.
Salami Attack (e.g. interest computation): occurs in programs that compute amounts of money.
Covert Channels: programs that leak information (e.g. hide data in output)
  Storage Channels pass information by using the presence or absence of objects in storage
  Timing Channels pass information using the speed at which things happen

CONTROLS AGAINST PROGRAM THREATS


Prevent threats during software development
o Modularity: security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components
o Encapsulation: minimize interfaces to reduce covert channels
o Information hiding: components will have limited effect on other components
