PROGRAM SECURITY
Topics to be covered
• Secure programs
• Non-malicious program errors
• Viruses and other malicious code
• Types of viruses
• Attack mechanism of viruses
• Targeted Malicious Code
• Controls Against Program Threats.
Program related issues
• Malicious program errors
• Non-malicious program flaws
Non-malicious program errors
• Buffer overflow
• Incomplete mediation
• Time-of-check to time-of-use errors
Buffer overflow
• char sample[10] sets aside ten bytes of memory, indexed 0 through 9
• sample[10] = 'A'; writes one byte past the end of the array
• sample[i] = 'A'; overflows whenever i is 10 or more and the program never checks i
• All program code and data reside in memory during execution, sharing the space with the OS, other code and resident routines
Buffer overflow
• If the extra character overwrites the user's own data, it may affect the program's results but not other programs
• If it overflows into the user's program area and overwrites an instruction about to be executed, the machine will try to execute 0x41 (the ASCII code for 'A')
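The following is an added example, not code from the original slides: it puts the slide's char sample[10] inside a record whose next byte is a privilege flag, so that an unchecked write at index 10 lands on that flag, and sets the bounds-checked versions of the same writes beside it. The record layout, the is_admin field and the helper names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demonstration: is_admin sits directly after
 * the ten-byte array, so index 10 of sample[] is the same byte. */
struct record {
    char sample[10];   /* ten bytes: valid indices are 0..9 */
    char is_admin;     /* offset 10, the first byte past the array */
    char spare[5];     /* keeps the unsafe demo's stray bytes inside the struct */
};

/* Unsafe: the slide's sample[i] = 'A' with i never checked. Given an
 * 11-character src, the write to sample[10] is undefined behaviour in C;
 * on common compilers it simply overwrites the neighbouring is_admin byte. */
void unsafe_fill(struct record *r, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        r->sample[i] = src[i];
    r->sample[i] = '\0';
}

/* Checked single write: returns 0 on success, -1 if i is out of range.
 * The caller must act on the -1 rather than ignore it. */
int safe_set(struct record *r, size_t i, char c)
{
    if (i >= sizeof r->sample)
        return -1;
    r->sample[i] = c;
    return 0;
}

/* Checked copy: keeps room for the terminator, returns -1 and leaves
 * sample[] untouched if src does not fit. */
int safe_fill(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof r->sample)
        return -1;
    memcpy(r->sample, src, n + 1);
    return 0;
}

int main(void)
{
    struct record r;
    const char *eleven_as = "AAAAAAAAAAA";   /* one 'A' too many */

    memset(&r, 0, sizeof r);
    unsafe_fill(&r, eleven_as);
    /* on common compilers this prints the slide's 0x41 */
    printf("unsafe_fill: is_admin = 0x%02x\n", (unsigned char)r.is_admin);

    memset(&r, 0, sizeof r);
    printf("safe_fill    -> %d, is_admin = 0x%02x\n",
           safe_fill(&r, eleven_as), (unsigned char)r.is_admin);
    printf("safe_set(10) -> %d\n", safe_set(&r, 10, 'A'));
    return 0;
}
```

The checked versions return an error instead of writing; a program that ignores the -1 is no safer than one that never checked, so the return value has to be tested at every call site.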
Figure: Places where a buffer can overflow.
Incomplete mediation: security implications
• http://www.somesite.com/subpage/userinput&param1=(808)555-212&param2=2002Jan01
• What if param2 were 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
• A routine could fail on a data type error
• The receiving program could generate a wrong result
• The receiving program might fall back on a default condition
• Any suggestions?
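One answer, as an added example rather than code from the slides: mediate the value on the receiving side before it is used. The validator below checks param2 strictly as YYYYMonDD and rejects each of the suspicious values listed above for a specific reason. The accepted year window (1900 to 2100), the status codes and the function names are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum date_status {
    DATE_OK = 0,
    DATE_BAD_FORMAT,   /* not exactly YYYYMonDD, e.g. "1Aardvark2Many" */
    DATE_BAD_MONTH,    /* unknown month name, e.g. "2048Min32" */
    DATE_BAD_DAY,      /* day outside the month, e.g. "1800Feb30" */
    DATE_BAD_YEAR      /* outside the assumed window, e.g. "1800Jan01" */
};

struct date { int year, month, day; };

static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int year, int month)
{
    static const int days[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    if (month == 2 && is_leap(year))
        return 29;
    return days[month - 1];
}

/* Validate s as YYYYMonDD; fill *out only when every check passes. */
enum date_status parse_date(const char *s, struct date *out)
{
    int i, year = 0, day = 0, month = 0;

    if (strlen(s) != 9)                     /* exactly 4 + 3 + 2 characters */
        return DATE_BAD_FORMAT;
    for (i = 0; i < 4; i++) {               /* YYYY */
        if (!isdigit((unsigned char)s[i]))
            return DATE_BAD_FORMAT;
        year = year * 10 + (s[i] - '0');
    }
    for (i = 7; i < 9; i++) {               /* DD */
        if (!isdigit((unsigned char)s[i]))
            return DATE_BAD_FORMAT;
        day = day * 10 + (s[i] - '0');
    }
    for (i = 0; i < 12; i++) {              /* Mon, case-sensitive */
        if (strncmp(s + 4, MONTHS[i], 3) == 0) {
            month = i + 1;
            break;
        }
    }
    if (month == 0)
        return DATE_BAD_MONTH;
    if (day < 1 || day > days_in_month(year, month))
        return DATE_BAD_DAY;                /* catches Feb 30 and Feb 29 in 1900 */
    if (year < 1900 || year > 2100)         /* assumed policy window */
        return DATE_BAD_YEAR;

    out->year = year; out->month = month; out->day = day;
    return DATE_OK;
}

int main(void)
{
    /* constructed inputs, including the slide's suspicious values */
    const char *inputs[] = { "2002Jan01", "1800Jan01", "1800Feb30",
                             "2048Min32", "1Aardvark2Many", "2000Feb29",
                             "1900Feb29" };
    size_t n;
    for (n = 0; n < sizeof inputs / sizeof inputs[0]; n++) {
        struct date d;
        printf("%-15s -> status %d\n", inputs[n], parse_date(inputs[n], &d));
    }
    return 0;
}
```

The point of the distinct status codes is that the program decides what to do with bad input instead of a library routine failing on a type error or a default value silently taking over.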
Incomplete mediation: solution
Figure: Modified data.
Security implication
Kinds of malicious code
• Virus
• Trojan horse
• Logic bomb or time bomb
• Backdoor/trapdoor
• Worm
• Rabbit
Malicious code taxonomy
Threats are divided into two categories
• Independent: self-contained programs that can be scheduled and run by the OS
• Needs a host program: essentially fragments of programs that cannot exist independently of some actual application program, utility or system program
Virus
• A program that can pass on malicious code to other non-malicious programs by modifying them
• A virus can be
– Transient: its life depends on the life of its host; the virus runs when the host does
– Resident: the virus locates itself in memory and can remain active after its host program ends
How viruses attach
• A virus will do nothing and will not spread unless it is
executed.
• There are many ways to ensure that a virus is
executed
• A setup program may call dozens or even hundreds
of other programs, on the distribution disk, already
residing on the computer, or resident in memory
• Human intervention is necessary to start the process
How viruses attach
• Email attachments
• The virus code can be embedded in an
executable file attachment
How viruses attach
• Appended viruses
• Viruses that surround a program
• Integrated viruses and replacements
Appended viruses
• Usually a virus inserts a copy of itself before
the first executable instruction in a Program
• Simple and usually effective
• Typically the user does not notice the effects
of the virus since the program does its job as
usual
Figure: Virus appended to a program.
Viruses that surround a program
• From the virus writer's point of view, an effective virus is:
– Hard to detect
– Not easily destroyed or deactivated
– Spreads widely
– Able to reinfect its home program or other programs
– Easy to create
– Machine independent and OS independent
Homes for viruses
• Application macros
• Libraries
• Compilers, linkers
• Runtime monitors, runtime debuggers
• Anti-virus
Virus signatures
• A virus cannot be completely invisible: its code must be stored somewhere and must be in memory when it runs
• A virus executes in a particular way and uses a certain method to spread
• Each of these characteristics yields a pattern called a signature
• Virus signatures are the basis of a program called a virus scanner
• When the scanner recognizes a known virus pattern, it can block the virus, inform the user and deactivate or remove the virus
• A virus scanner is effective only if it is kept up to date with the latest information on current viruses
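An added example, not the slides' own code, of the scanner idea: a small signature database of byte patterns, a scan that reports which pattern matched and at what offset, and a constructed "program image" with a marker body appended after the clean code, as in the appended-virus layout. The signature bytes, names and image contents are invented for the demonstration and are not real virus signatures.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct signature {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

/* Constructed database; keeping a scanner "up to date" means replacing
 * this table with a newer one. */
static const unsigned char SIG_A[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x90, 0x90 };
static const unsigned char SIG_B[] = { 'F', 'A', 'K', 'E', 'V', 'I', 'R' };
static const struct signature SIGS[] = {
    { "Demo.A", SIG_A, sizeof SIG_A },
    { "Demo.B", SIG_B, sizeof SIG_B },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Return the index in SIGS of the first signature found anywhere in
 * image, storing its offset in *where; -1 if no pattern is present. */
int scan_image(const unsigned char *image, size_t len, size_t *where)
{
    size_t s, off;
    for (s = 0; s < NSIGS; s++) {
        const struct signature *sig = &SIGS[s];
        if (sig->len == 0 || sig->len > len)
            continue;
        for (off = 0; off + sig->len <= len; off++) {
            if (memcmp(image + off, sig->bytes, sig->len) == 0) {
                *where = off;
                return (int)s;
            }
        }
    }
    return -1;
}

/* Constructed image: a few stand-in code bytes followed by the Demo.A
 * body appended at the end. Returns the image length, 0 if buf is too small. */
size_t build_infected_image(unsigned char *buf, size_t cap)
{
    static const unsigned char clean[] = { 0x55, 0x89, 0xE5, 0xC3 };
    size_t n = 0;
    if (cap < sizeof clean + sizeof SIG_A)
        return 0;
    memcpy(buf + n, clean, sizeof clean);  n += sizeof clean;
    memcpy(buf + n, SIG_A, sizeof SIG_A);  n += sizeof SIG_A;
    return n;
}

int main(void)
{
    unsigned char image[64];
    size_t n = build_infected_image(image, sizeof image), where = 0;
    int hit = scan_image(image, n, &where);
    if (hit >= 0)
        printf("match: %s at offset %zu\n", SIGS[hit].name, where);
    else
        printf("clean\n");
    return 0;
}
```

A scanner of this kind only ever finds what is in its table, which is exactly why the slide's last point matters: a virus whose bytes are not yet in SIGS scans as clean.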
Covert channels
• Subtle channels: ways to communicate data values covertly; a printed report would be too obvious
• Testing as the pretext: the programmer asks for access to the real data
• Encode the data values by varying the format of the output report
• A changed heading would not be noticed: "Total" versus "Totals" is a 1-bit covert channel (see figure)
Figure 3-12: Covert channels.
How to create covert channels
• Storage channels: pass information by using the presence or absence of objects in storage
• The service program and the spy need a common timing source broken into intervals, so that both agree on when each bit is being signalled
• e.g., lock or not lock a file during an interval to signal one bit of information
• Other ways: consume disk quota by creating a large file, or create a file or resource of a particular name; the spy only needs to test whether the name exists, not access to the file
Figure: File lock covert channel.
Figure: File existence channel used to signal 100.
Conclusion
• The service program and the spy need access to a shared resource and a shared sense of time
• Both are common in a multi-user environment
• Is shared time available? Programs need access to the current system time to set timers, record event times and synchronize activities
• Is 1 bit per transfer too slow? At 1 bit per millisecond the channel would never be noticed, yet is easily handled by two cooperating processes; such channels are not easy to find
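The file existence channel from the figure above, and the shared-resource and shared-time requirements of the conclusion, as an added example that is not part of the original slides. The service program signals a 1 by creating a file of an agreed name in a shared directory and a 0 by removing it; the spy samples the name once per interval and needs no read access to the file. The common clock is simulated by stepping sender and receiver in the same loop, and the directory under /tmp, the file name and the function names are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SIGNAL_NAME "/.lock"   /* agreed name; the file's contents never matter */

/* Build "<dir>/.lock"; returns -1 if it does not fit. */
static int signal_path(char *out, size_t cap, const char *dir)
{
    int n = snprintf(out, cap, "%s%s", dir, SIGNAL_NAME);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Service program (sender): make the name exist for a 1, not exist for a 0. */
int send_bit(const char *dir, int bit)
{
    char path[512];
    if (signal_path(path, sizeof path, dir) != 0)
        return -1;
    if (bit) {
        FILE *f = fopen(path, "w");
        if (f == NULL)
            return -1;
        fclose(f);
        return 0;
    }
    if (unlink(path) != 0 && access(path, F_OK) == 0)
        return -1;   /* still there and we could not remove it */
    return 0;
}

/* Spy (receiver): only tests whether the name exists. */
int recv_bit(const char *dir)
{
    char path[512];
    if (signal_path(path, sizeof path, dir) != 0)
        return -1;
    return access(path, F_OK) == 0 ? 1 : 0;
}

/* Push a bit string through the channel, one bit per interval. The shared
 * clock is simulated by stepping sender and receiver in the same loop.
 * Returns the number of bits the spy recovered, written to out. */
size_t transfer_bits(const char *dir, const char *bits, char *out, size_t cap)
{
    size_t i;
    for (i = 0; bits[i] != '\0' && i + 1 < cap; i++) {
        if (send_bit(dir, bits[i] == '1') != 0)
            break;
        out[i] = recv_bit(dir) ? '1' : '0';
    }
    out[i] = '\0';
    send_bit(dir, 0);   /* leave no file behind when finished */
    return i;
}

/* Scratch directory shared by both parties, named after the pid so that
 * repeated runs do not collide. Returns 0 on success. */
int make_channel_dir(char *out, size_t cap)
{
    int n = snprintf(out, cap, "/tmp/covert_%ld", (long)getpid());
    if (n < 0 || (size_t)n >= cap)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int remove_channel_dir(const char *dir)
{
    send_bit(dir, 0);
    return rmdir(dir);
}

int main(void)
{
    char dir[64], got[16];
    if (make_channel_dir(dir, sizeof dir) != 0)
        return 1;
    transfer_bits(dir, "100", got, sizeof got);   /* the figure's "100" */
    printf("spy received: %s\n", got);
    remove_channel_dir(dir);
    return 0;
}
```

Nothing in the exchange reads the file: the whole channel is the access() check on a name, which is why a permission model that only guards file contents does not close it.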
Testing
• Stages
– Unit testing
– Integration testing
– Function testing
– Performance testing
– Acceptance testing
– Installation testing
– Regression testing
• Two perspectives on tests
– Black box
– Clear box
Good Design
• Process activities helpful in building secure
software
– Using a philosophy of fault tolerance
– Having a consistent policy for handling failures
– Capturing the design rationale and history
– Using design patterns
• Prediction:
– We try to predict the risks involved in building and using
the system
• Static analysis
– Several aspects of design and code
• Control flow structure
• Data flow structure
• Data structure
– Configuration management
• It is important to know who is making which changes to what
and when
– Corrective changes
– Adaptive changes
– Perfective changes
– Preventive changes
• Four activities are involved in configuration
management
– Configuration identification
– Configuration control and change management
– Configuration auditing
– Status accounting
Lessons from mistakes
• As we design and build systems, we can document our decisions
• Not only what we decided to do and why, but also what we decided not to do and why
• Then, after the system is up and running, we can use information about the failures to gain a better understanding of what leads to vulnerabilities and their exploitation
OS controls on use of programs
• The operating system can protect against some of the design and implementation flaws
– Trusted software
• To trust any code, we base our trust on rigorous analysis and testing, looking for key characteristics:
– Functional correctness
– Enforcement of integrity
– Limited privilege
– Appropriate confidence level
– Mutual suspicion
– Confinement
– Access log
Administrative controls
• Standards of program development
– Standards of design
– Standards of documentation
– Standards of programming
– Standards of testing
– Standards of configuration management.
• Separation of duties
Program controls in general
• Best is the combination of security controls
• Humans can learn from their mistakes and
shape their creations to account for
fundamental principles.
End of program security