CHAPTER 3
PROGRAM SECURITY
3.1 Non-Malicious Code and Malicious Code
3.1.1 Non-malicious code
• Unintentional
• Caused by a mistake made by a human, such as a
programmer or developer
• Many such errors cause program malfunction but do
not lead to more serious security vulnerabilities
3.1.2 Malicious code
• Rogue program
• General name for unanticipated or undesired effects in
programs or program parts, caused by an agent intent
on damage
• Behaves in unexpected ways
• It can do anything any other program can such as
writing a message on a computer screen, stopping a
running program, generating a sound or erasing a
stored file
• Malicious code runs under the user’s authority but
without the user’s permission or even knowledge
3.2 Non-Malicious Program Errors
Three classic error types:
• Buffer overflow
• Incomplete mediation
• Time-of-check to time-of-use (TOCTTOU)
3.2.1 Buffer Overflows
• A buffer: space in which data can be held
• Resides in memory; because memory is finite, a buffer’s
capacity is finite
• For this reason, the programmer must declare the
buffer’s maximum size so that the compiler can set aside
that amount of space
• Example:
char sample[10];
-> the compiler sets aside 10 bytes to store this buffer
sample[10] = 'A';
-> the subscript is out of bounds (valid indices are 0 to 9), so we have a problem
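The following C program is an added example (not from the slides) of the defensive side of the sample[10] case: every write into the fixed buffer goes through a helper that checks the index or length against the declared capacity, so the out-of-bounds write the slide describes is rejected instead of corrupting adjacent memory. The helper names store_char and store_string are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_CAP 10  /* the 10 bytes the compiler sets aside for char sample[10] */

/* Store one character at index idx of a buffer of capacity cap.
 * Returns 0 on success, -1 if idx is out of bounds (the slide's sample[10] case). */
int store_char(char *buf, size_t cap, size_t idx, char c)
{
    if (buf == NULL || idx >= cap) {
        return -1;              /* valid indices are 0 .. cap-1 */
    }
    buf[idx] = c;
    return 0;
}

/* Copy a C string into a fixed buffer, truncating rather than overflowing.
 * Returns the number of characters stored (excluding the terminator). */
size_t store_string(char *buf, size_t cap, const char *src)
{
    size_t n = 0;
    if (buf == NULL || cap == 0) return 0;
    while (src[n] != '\0' && n < cap - 1) {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';              /* always leaves room for the terminator */
    return n;
}

int main(void)
{
    char sample[SAMPLE_CAP];
    memset(sample, 0, sizeof sample);

    printf("sample[9]  = 'A' -> %s\n",
           store_char(sample, sizeof sample, 9, 'A') == 0 ? "ok" : "rejected");
    printf("sample[10] = 'A' -> %s\n",
           store_char(sample, sizeof sample, 10, 'A') == 0 ? "ok" : "rejected");

    /* Constructed input that is longer than the buffer: it is truncated, not overflowed. */
    size_t n = store_string(sample, sizeof sample, "this string is longer than ten bytes");
    printf("stored %zu chars: \"%s\"\n", n, sample);
    return 0;
}
```

The point to notice is that the capacity is passed alongside the buffer: a function that receives only a pointer has no way to refuse index 10.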
3.2.2 Incomplete Mediation
Consider the example from the previous slide:
http://www.somesite.com/subpage/userinput.asp?parm1=(808)5551212&parm2=2009Jan17
• The two parameters look like a telephone number and
a date
• The question now:
• What would happen if parm2 were submitted as
1800Jan01? Or 1800Feb30? Or 2048Min32 or
Ardvark2Many?
• One way to address the problem is to try to anticipate
such inputs
3.2.3 Time-of-Check to Time-of-Use (TOCTTOU)
• Involves synchronization
• Access control is a fundamental part of computer security
• Every requested access must be governed by an access
policy stating who is allowed access to what; then the
request must be mediated by an access-policy-enforcement
agent
• But an incomplete mediation problem occurs when
access is not checked universally
• TOCTTOU flaw concerns mediation that is performed
with a “bait and switch” in the middle
• Also known as serialization or synchronization flaw
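The C program below is an added example (not from the slides) of the "bait and switch" in file access: open_toctou checks a path name with access() and then opens the same name, leaving a window in which the object behind the name can be swapped; open_checked opens first and then inspects the object it actually holds through the descriptor (fstat), with O_NOFOLLOW refusing a symbolic link in the final component, so check and use refer to the same file. The function names, the ownership rule (must be a regular file owned by the caller) and the temporary demo file are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: the check (access) and the use (open) are two separate
 * operations on a path NAME; what the name refers to can change between
 * them. Returns a file descriptor or -1. */
int open_toctou(const char *path)
{
    if (access(path, R_OK) != 0) {       /* time of check */
        return -1;
    }
    return open(path, O_RDONLY);         /* time of use: same name, maybe a different object */
}

/* Safer pattern: open first, then check the OBJECT that was opened via its
 * descriptor. O_NOFOLLOW refuses a symlink in the last path component and
 * fstat looks at the opened file, so nothing can be swapped in between.
 * Policy assumed here: must be a regular file owned by the caller. */
int open_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) {
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);                       /* not a regular file we own: refuse */
        return -1;
    }
    return fd;
}

/* Create a constructed temporary file with known contents for the demo.
 * Writes its path into pathbuf. Returns 0 on success, -1 on failure. */
int make_demo_file(char *pathbuf, size_t cap, const char *contents)
{
    const char tmpl[] = "./tocttou_demo_XXXXXX";
    if (cap < sizeof tmpl) return -1;
    memcpy(pathbuf, tmpl, sizeof tmpl);
    int fd = mkstemp(pathbuf);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    if (write(fd, contents, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Read up to cap-1 bytes through an already-checked descriptor; -1 on failure. */
int read_first_bytes(int fd, char *out, size_t cap)
{
    ssize_t n = read(fd, out, cap - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char path[64];
    if (make_demo_file(path, sizeof path, "hello\n") != 0) return 1;

    int fd = open_checked(path);
    char buf[16];
    if (fd >= 0 && read_first_bytes(fd, buf, sizeof buf) >= 0) {
        printf("open_checked(%s): read \"%s\"", path, buf);
        close(fd);
    }
    /* A directory is readable according to access(), so the flawed opener
     * hands back a descriptor; the checked opener refuses it. */
    int d = open_toctou("/tmp");
    printf("open_toctou(/tmp):  %s\n", d >= 0 ? "opened" : "refused");
    if (d >= 0) close(d);
    printf("open_checked(/tmp): %s\n", open_checked("/tmp") >= 0 ? "opened" : "refused");
    unlink(path);
    return 0;
}
```

The general rule the example illustrates: once a check has been made, keep operating on the handle that was checked, never re-resolve the name.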
3.2.4 Combinations of Non-malicious Program Flaws
• An attacker may begin a three-pronged attack by
using a buffer overflow to disrupt all execution of
arbitrary code on a machine
• The attacker then logs in as the new user and
exploits an incomplete mediation flaw
• A clever attacker uses such flaws as common building
blocks to build a complex attack
3.3 Virus and Other Malicious Code
3.3.1 Why worry about Malicious Code?
Malicious code can do much (harm)
• It can do anything any other program can such as writing a
message on a computer screen, stopping a running program,
generating a sound or erasing a stored file
• Or it can do nothing at all right now; it can be planted to lie
dormant, undetected, until some event triggers the code to act
• Malicious code runs under the user’s authority but without
the user’s permission or even knowledge
3.3.2 Kinds of Malicious Code
• Malicious code/rogue program is the general name
for unanticipated or undesired effects in programs or
program parts, caused by an agent intent on damage
• The agent is the writer of the program or the
person who causes its distribution
• A virus is a program that can pass on malicious
code to other non-malicious programs by modifying
them
• A virus can be either transient or resident
3.3.2.1 Transient virus
• Has a life that depends on the life of its host;
• the virus runs when its attached program executes
and terminates when its attached program ends
3.3.2.2 Resident virus
• Locates itself in memory;
• Then it can remain active or be activated as a standalone program, even after its attached program
ends
3.3.2.3 Types of Malicious Code
Code Type: Characteristics
Virus: Attaches itself to a program and propagates copies of itself to other programs
Trojan horse: Contains unexpected, additional functionality
Logic bomb: Triggers action when a condition occurs
Time bomb: Triggers action when a specified time occurs
Trapdoor: Allows unauthorized access to functionality
Worm: Propagates copies of itself through a network
Rabbit: Replicates itself without limit to exhaust resources
3.3.3 How Viruses Attach
3.3.3.1 Appended Viruses
– A program virus attaches itself to a program, then
whenever the program is run, the virus is activated.
– Refer to Figure 3-4 page 118
3.3.3.2 Viruses That Surround a Program
– Virus that runs the original program but has control
before and after its execution
– Refer to Figure 3-5 page 119
3.3.3.3 Integrated Viruses and Replacements
– The virus replaces some of its target and integrates itself
into the original code of the target
– Refer to Figure 3-6 page 120
3.3.4 Document Viruses
– It is implemented within a formatted document,
such as a written document, a database, a slide
presentation or a spreadsheet
3.3.5 Homes For Viruses
The virus writer may find these qualities appealing in
a virus:
• It is hard to detect
• It is not easily destroyed or deactivated
• It spreads infection widely
• It can re-infect its home program or other programs
• It is easy to create
• It is machine independent and operating system
independent
3.3.6 Prevention of Virus Infection
There are six techniques:
1. Use only commercial software acquired from reliable, well-established vendors.
2. Test all new software on an isolated computer.
3. Open attachments only when you know them to be safe.
4. Make a recoverable system image and store it safely.
5. Make and retain backup copies of executable system files.
6. Use virus detectors regularly and update them daily.
3.3.7 Truth and Misconceptions about viruses
• Viruses can infect only Microsoft Windows systems (False)
• Viruses can modify “hidden” or “read-only” files (True)
• Viruses can appear only in data files, or only in Word
documents, or only in programs (False)
• Viruses spread only on disks or through e-mail (False)
• Viruses cannot remain in memory after a complete power
off/power on reboot (True)
• Viruses cannot infect hardware (True)
• Viruses can be malevolent, benign, or benevolent (True)
3.4 Targeted Malicious Code
3.4.1 Trapdoor
• It is an undocumented entry point to a module
• Developers insert trapdoors during code
development, perhaps to test the module, to provide
“hooks” by which to connect future modifications or
enhancements, or to allow access if the module should fail in the future
• Can allow a programmer access to a program once
it is placed in production
Causes of Trapdoors
Trapdoors can persist in production programs because the
developers
– Forget to remove them
– Intentionally leave them in the program for testing
– Intentionally leave them in the program for maintenance
of the finished program
– Intentionally leave them in the program as a covert
means of access to the component after it becomes an
accepted part of a production system
3.4.2 Salami Attack
• A salami attack merges bits of seemingly inconsequential
data to yield powerful results
• A salami attack is typically possible when the source code of a system is
too large or complex to be audited
Why Salami Attacks Persist
• Computer computations are notoriously subject to small
errors involving rounding and truncation
• It is easier for programmers and users to accept a small
amount of error as natural and unavoidable
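The C program below is an added example (not from the slides) of why "a small amount of error" should not be accepted blindly, and of a control that catches the salami pattern. Interest is computed in integer cents with one explicit rounding step, and a reconciliation compares each account's posted interest with the exact value under a bound that honest rounding can never exceed (half a cent). The constructed ledger shows that a diversion of rounding fractions into a fifth account leaves the grand total unchanged, so a total-only check passes, while the per-account bound flags it. Balances, rate and function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* All money is held in integer cents; interest rates are basis points
 * (125 = 1.25%). balance_cents * rate_bp is then the exact interest in
 * units of 1/10000 cent, so the only rounding is one explicit step. */
#define UNITS_PER_CENT 10000L
#define HALF_CENT      (UNITS_PER_CENT / 2)

long exact_interest_units(long balance_cents, long rate_bp)
{
    return balance_cents * rate_bp;
}

/* Honest posting: round half up to the nearest cent. */
long interest_cents_rounded(long balance_cents, long rate_bp)
{
    long u = exact_interest_units(balance_cents, rate_bp);
    return (u + HALF_CENT) / UNITS_PER_CENT;
}

/* Sum of posted interest. A diversion that moves fractions between accounts
 * leaves this unchanged, which is why a total-only check is not enough. */
long total_posted(const long *posted, size_t n)
{
    long t = 0;
    for (size_t i = 0; i < n; i++) t += posted[i];
    return t;
}

/* Reconcile each account's posted interest against the exact value with an
 * explicit tolerance: honest rounding never deviates by more than half a
 * cent. Returns the number of accounts outside that bound and stores the
 * index of the first one in *first_bad (when there is one). */
size_t reconcile(const long *balances, const long *posted, size_t n,
                 long rate_bp, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        long diff = posted[i] * UNITS_PER_CENT - exact_interest_units(balances[i], rate_bp);
        if (labs(diff) > HALF_CENT) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* Constructed ledger: four customer balances (cents) and one empty fifth account. */
    long balances[5] = {123457, 98765, 50000, 100, 0};
    long rate_bp = 125;
    long honest[5], skimmed[5];
    long skimmed_units = 0;

    for (size_t i = 0; i < 5; i++) {
        honest[i] = interest_cents_rounded(balances[i], rate_bp);
        /* Constructed diversion: truncate each account's interest and
         * accumulate the discarded fractions into the fifth account. */
        long u = exact_interest_units(balances[i], rate_bp);
        skimmed[i] = u / UNITS_PER_CENT;
        skimmed_units += u % UNITS_PER_CENT;
    }
    skimmed[4] += skimmed_units / UNITS_PER_CENT;

    size_t first = 0;
    printf("totals: honest=%ld skimmed=%ld (identical)\n",
           total_posted(honest, 5), total_posted(skimmed, 5));
    printf("honest  postings outside half-cent bound: %zu\n",
           reconcile(balances, honest, 5, rate_bp, &first));
    size_t bad = reconcile(balances, skimmed, 5, rate_bp, &first);
    printf("skimmed postings outside half-cent bound: %zu (first at account %zu)\n",
           bad, first);
    return 0;
}
```

The design choice is to make the rounding error computable, so the audit can ask "is this discrepancy within what rounding could produce?" instead of accepting any small number as natural.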
3.4.3 Covert Channels: Programs that Leak Information
• Programs that communicate information to people who should not
receive it
• The communication travels unnoticed, accompanying other, perfectly
proper, communications
• Example:
- A programmer who has direct access to data can usually just read the
data and write it to another file or print it out
- If, however, the programmer is one step removed from the data
(outside the organization owning the data), the programmer must
figure out how to get the data
- One way is to build in a Trojan horse (once the horse is enabled, it finds
and transmits the data)
- In order to send the data to the others, the programmer has to arrange
to extract the data more surreptitiously
- Covert channels are a means of extracting the data clandestinely
3.5 Controls Against Program Threats
3.5.1 Development Controls
It requires people to:
• Specify the system
• Design the system
• Implement the system
• Test the system
• Review the system
• Document the system
• Manage the system
• Maintain the system
3.5.2 Operating System Controls on Use of Programs
• Trusted software is software whose code we know has been
rigorously developed and analysed
• To trust any program, we should look for:
– Functional correctness
– Enforcement of integrity
– Limited privilege
– Appropriate confidence level
• Others include:
– Mutual suspicion
– Confinement
– Access log
3.5.3 Administrative Controls
Standards of Program Development
• Administrative controls can be exercised by
considering the following standards of:
– Design
– Documentation, language and coding style
– Programming
– Testing
– Configuration management