Download slides - cse.sc.edu

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
Document related concepts

Unix security wikipedia , lookup

Mobile security wikipedia , lookup

Malware wikipedia , lookup

Antivirus software wikipedia , lookup

Computer virus wikipedia , lookup

Transcript 
CSCE 522
Lecture 12
Program Security
Malicious Code
Reading

Reading for this lecture:
Required:
– Pfleeger: Ch. 3
Recommended:
– USC Technology Services – Antivirus Protection,
https://www.uts.sc.edu/itsecurity/antivirus.shtml
CSCE 522 - Farkas
2
Program Flaws
Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
CSCE 522 - Farkas
3
Security Flaws by Genesis

Genesis
– Intentional


Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms,
Virus
Non-malicious
– Inadvertent





Validation error
Domain error
Serialization error
Identification/authentication error
Other error
CSCE 522 - Farkas
4
Secure Software

Software provides functionality
 Functionality comes with certain risks
 Software security aims to manage risk
 Security is always a secondary concern
 Security achievement is hard to evaluate
when nothing bad happens
CSCE 522 - Farkas
5
Application of Touchpoints
External Review
3. Penetration Testing
6. Security Requirements
2. Risk Analysis
5. Abuse cases
Requirement and
Use cases
Architecture
and Design
CSCE 522 - Farkas
1. Code Review
4. Risk-Based
(Tools)
Security Tests
2. Risk Analysis
Test Plans
Code
Tests and
Test Results
7. Security
Operations
Feedback from
the Field
6
Web Applications

Attacker:
– Download the site’s code for offline study
– Mapping the site  functionality and
vulnerabilities
– Experiment with site  response to supplied
data

Several vulnerabilities exist from corrupting
sites, applications, servers, to other clients
CSCE 522 - Farkas
7
OWASP Top 10 2013
Vulnerabilities











A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten
_2013_Project
CSCE 522 - Farkas
8
Malware
CSCE 522 - Farkas
9
Kinds of Malicious Codes

Virus: a program that attaches copies of
itself into other programs. Propagates and
performs some unwanted function. Viruses
are not programs - they cannot run on their
own.
 Bacteria: make copies of themselves to
overwhelm a computer system's resources.
Denying the user access to the resources.
CSCE 522 - Farkas
10
Kinds of Malicious Code

Worm: a program that propagates copies of
itself through the network. Independent
program. May carry other code, including
programs and viruses.
 Trojan Horse: secret, undocumented
routine embedded within a useful program.
Execution of the program results in
execution of secret code.
CSCE 522 - Farkas
11
Kinds of Malicious Code

Logic bomb, time bomb: programmed threats
that lie dormant for an extended period of time
until they are triggered. When triggered,
malicious code is executed.
 Trapdoor: secret, undocumented entry point into
a program, used to grant access without normal
methods of access authentication.
 Dropper: Not a virus or infected file. When
executed, it installs a virus into memory, on to the
disk, or into a file.
CSCE 522 - Farkas
12
Virus
Virus lifecycle:
1. Dormant phase: the virus is idle. (not all
viruses have this stage)
2. Propagation phase: the virus places an identical
copy of itself into other programs of into certain
system areas.
3. Triggering phase: the virus is activated to
perform the function for which it was created.
4. Execution phase: the function is performed.
The function may be harmless or damaging.
CSCE 522 - Farkas
13
Virus Types

Parasitic virus: most common form.
Attaches itself to a file and replicates when
the infected program is executed.
 Memory resident virus: lodged in main
memory as part of a resident system
program. Virus may infect every program
that executes.
CSCE 522 - Farkas
14
Virus Types

Boot Sector Viruses:
– Infects the boot record and spreads when
system is booted.
– Gains control of machine before the virus
detection tools.
– Very hard to notice
– Carrier files: AUTOEXEC.BAT,
CONFIG.SYS,IO.SYS
CSCE 522 - Farkas
15
Virus Types

Stealth virus: a form of virus explicitly
designed to hide from detection by antivirus
software.
 Polymorphic virus: a virus that mutates
with every infection making detection by
the “signature” of the virus difficult.
CSCE 522 - Farkas
16
How Viruses Append
+
virus
=
virus
Original
program
Original
program
Virus appended to program
CSCE 522 - Farkas
17
How Viruses Append
+
virus
Original
program
=
Virus-1
Original
program
Virus surrounding a program
CSCE 522 - Farkas
Virus-2
18
How Viruses Append
+
virus
Original
program
=
Virus-1
Virus-2
Original
program
Virus integrated into program
CSCE 522 - Farkas
Virus-3
Virus-4
19
How Viruses Gain Control

Virus V has to be invoked instead of target T.
– V overwrites T
– V changes pointers from T to V

High risk virus properties:
–
–
–
–
–
–
Hard to detect
Hard to destroy
Spread infection widely
Can re-infect
Easy to create
Machine independent
CSCE 522 - Farkas
20
Antivirus Approaches





Prevention: disallow the download/execution
Detection: determine infection and locate the
virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected
systems, so the disease cannot spread further.
Recovery: restore the system to its original state.
CSCE 522 - Farkas
21
Preventing Virus Infection
Prevention:
 Good source of software installed
 Isolated testing phase
 Use virus detectors
Limit damage:
 Make bootable diskette
 Make and retain backup copies important
resources
CSCE 522 - Farkas
22
Virus Detection 1.

Virus Signature: needs constant update
– Storage pattern
 Code always located on a specific address
 Increased file size
– Execution pattern
– Transmission pattern
– Polymorphic Viruses
CSCE 522 - Farkas
23
Virus Detection 2.



Heuristics: monitoring files and how programs access
these files
– Suspicious access  alert
Cloud-based detection: perform virus scanning remotely
– Who do we trust?
Firewall-based detection of abnormal activities
– Not virus detection but abnormal communication
patterns
CSCE 522 - Farkas
24
Worm

Self-replicating (like virus)
 Objective: system penetration (intruder)
 Phases: dormant, propagation, triggering, and
execution
 Propagation:
–
–
–
–
Searches for other systems to infect (e.g., host tables)
Establishes connection with remote system
Copies itself to remote system
Execute
CSCE 522 - Farkas
25
Adware and Spyware

Adware: a malware designed to display
advertisements in the user’s software
– Maybe harmless or harmful

Spyware: a malware that spies on the user
– information collected from the user’s computer
and the usage
– Generally creates a system performance
degradatio
CSCE 522 - Farkas
26
Scareware

Malware:
– with malicious payloads, or of limited or no benefit
– Intend to cause shock, anxiety, or the perception of a
threat
 Rapidly increasing, high impact attacks
 Scareware warnings
– look like actual warnings from your system
– hard to close
– designed to appear legitimate
CSCE 522 - Farkas
27
Scareware
Copyright: FBI ‘Scareware’ Distributors Targeted,
http://www.fbi.gov/news/stories/2011/june/cyber_062211
CSCE 522 - Farkas
28
Ransomware

Holds a computer system, or the data it contains, hostage
against its user by demanding a ransom.
– Disable an essential system service or lock the display at system
startup
– Encrypt some of the user's personal files

Victim has to
– enter a code obtainable only after wiring payment to the attacker or
sending an SMS message
– buy a decryption or removal tool
CSCE 522 - Farkas
29
CryptoLocker Ransomware
Copyright: FBI CryptoLocker Ransomware Encrypts Users' Files,
http://www.fbi.gov/washingtondc/news-and-outreach/stories/cryptolocker-ransomwareencrypts-users-files , Nov. 2013
CSCE 522 - Farkas
30
Next Class

Network Security
CSCE 522 - Farkas
31
Related documents
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
Name______________________________________Hour 1-2 3
Name______________________________________Hour 1-2 3
Understanding viruses classwork
Understanding viruses classwork
Contagion Worksheet
Contagion Worksheet
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro
Cool SCIENCE! - University of California, Irvine
Cool SCIENCE! - University of California, Irvine
vet_virology_symposium
vet_virology_symposium
Possible Origin of Viruses
Possible Origin of Viruses
Viruses - StantonAPBiology
Viruses - StantonAPBiology
Virus Textbook Assignment
Virus Textbook Assignment