
Unit 2

PROGRAM SECURITY
Topics to be covered
• Secure programs,
• Non malicious Program Errors,
• Viruses and other malicious code
• Types of viruses
• Attack mechanism of viruses
• Targeted Malicious Code
• Controls Against Program Threats.
Program related issues
• Malicious program errors
• Non-malicious program flaws
Non malicious program errors
• Buffer overflow
• Incomplete mediation
• Time-of-check to time-of-use errors
Buffer overflow
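• char sample[10]; sets aside ten bytes of
memory, sample[0] through sample[9]
sample[10] = 'A';   (the subscript is out of bounds)
sample[i] = 'A';    (cannot be checked until i is known at run time)
• All programs and data reside in memory
during execution, sharing the space with the
OS, other code and resident routines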
Buffer overflow
• If the extra character overwrites user’s data, it
may affect the program’s results but not other
programs
• If it overflows into the user’s program area,
and overwrites an instruction to be executed
the machine will try to execute 0x41
Figure: Places where a Buffer Can Overflow.
Security Implications
• The attacker may replace code in system space
by other instructions which will cause control
to be transferred to the attacker with OS
privileges
• The attacker could replace the return address
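The sample[i] = 'A' store from the slides, shown without and with the missing bounds check. This is an added example, not part of the original slides; the flat array standing in for memory and the six bytes placed after sample[] are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 10   /* char sample[10] from the slide */
#define NEXT_LEN    6   /* assumed: unrelated bytes that follow it in memory */

/* Constructed model of a memory region: sample[] occupies mem[0..9] and some
 * other data occupies mem[10..15]. One flat array keeps every store in this
 * demonstration inside a real object, so the behaviour is well defined. */
struct region { unsigned char mem[SAMPLE_LEN + NEXT_LEN]; };

static const unsigned char NEXT_INIT[NEXT_LEN] = { 1, 2, 3, 4, 5, 6 };

void region_init(struct region *r) {
    memset(r->mem, 0, SAMPLE_LEN);
    memcpy(r->mem + SAMPLE_LEN, NEXT_INIT, NEXT_LEN);
}

/* sample[i] = c as plain C performs it: no comparison against SAMPLE_LEN.
 * (The test against the model size only keeps the model itself in bounds.) */
void store_unchecked(struct region *r, size_t i, unsigned char c) {
    if (i < sizeof r->mem)
        r->mem[i] = c;
}

/* The same store with the missing check. Returns 0 on success, -1 if refused. */
int store_checked(struct region *r, size_t i, unsigned char c) {
    if (i >= SAMPLE_LEN)
        return -1;
    r->mem[i] = c;
    return 0;
}

/* 1 if the data after sample[] no longer holds its initial value. */
int next_corrupted(const struct region *r) {
    return memcmp(r->mem + SAMPLE_LEN, NEXT_INIT, NEXT_LEN) != 0;
}

/* One unchecked store of 'A' (0x41) at index i; returns 1 if it did damage. */
int demo_unchecked(size_t i) {
    struct region r;
    region_init(&r);
    store_unchecked(&r, i, 'A');
    return next_corrupted(&r);
}

/* One checked store at index i; returns the store's result, or 2 if the
 * neighbouring data was damaged anyway (which must never happen). */
int demo_checked(size_t i) {
    struct region r;
    int rc;
    region_init(&r);
    rc = store_checked(&r, i, 'A');
    return next_corrupted(&r) ? 2 : rc;
}

int main(void) {
    printf("unchecked sample[10]: neighbour corrupted = %d\n", demo_unchecked(10));
    printf("checked   sample[10]: result = %d\n", demo_checked(10));
    return 0;
}
```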
Incomplete mediation

• http://www.somesite.com/subpage/userinput&param1=(808)555-212&param2=2002Jan01
• What if param2 were 1800Jan01?
Or 1800Feb30? Or 2048Min32? Or
1Aardvark2Many?
• A routine could fail on a data type error
• Receiving program generates wrong result
• The receiving program might have a default
condition
• Any suggestions??
Incomplete mediation-Solution
• Anticipate potential problems
– Client side validation
– Restrict choices to valid ones
• BUT, the user could still edit the URL
• The server has no way to tell if the URL
was edited or came from the web form
• Exploited less often than buffer overflows
but easily exploitable
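Because the server cannot tell an edited URL from a form submission, the check has to be repeated on the server for every request. The following is an added example, not part of the original slides: a server-side validator for param2 run against the four values the slides ask about. The accepted year range is an assumed policy.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum date_status {
    DATE_OK, DATE_BAD_FORMAT, DATE_BAD_MONTH, DATE_BAD_DAY, DATE_BAD_YEAR
};

/* Assumed policy: the slides do not say which years the site accepts. */
#define MIN_YEAR 1900
#define MAX_YEAR 2099

static int is_leap(int y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Server-side check of param2, expected as YYYYMonDD (e.g. 2002Jan01).
 * Runs on every request, whether or not the form validated it first. */
enum date_status validate_param2(const char *s) {
    static const char *const names[12] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
    };
    static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    int year, day, limit, month = -1;
    size_t i;

    /* Fixed length first: rejects 1Aardvark2Many before any field is read. */
    if (s == NULL || strlen(s) != 9)
        return DATE_BAD_FORMAT;
    for (i = 0; i < 9; i++) {
        if (i >= 4 && i <= 6)
            continue;                     /* month letters, checked below */
        if (!isdigit((unsigned char)s[i]))
            return DATE_BAD_FORMAT;
    }
    year = (s[0] - '0') * 1000 + (s[1] - '0') * 100
         + (s[2] - '0') * 10 + (s[3] - '0');
    day = (s[7] - '0') * 10 + (s[8] - '0');

    /* Month must be one of twelve known names: rejects 2048Min32. */
    for (i = 0; i < 12; i++)
        if (strncmp(s + 4, names[i], 3) == 0)
            month = (int)i;
    if (month < 0)
        return DATE_BAD_MONTH;

    /* Day must exist in that month of that year: rejects 1800Feb30. */
    limit = days[month] + ((month == 1 && is_leap(year)) ? 1 : 0);
    if (day < 1 || day > limit)
        return DATE_BAD_DAY;

    /* Range check last: rejects the well-formed but implausible 1800Jan01. */
    if (year < MIN_YEAR || year > MAX_YEAR)
        return DATE_BAD_YEAR;
    return DATE_OK;
}

int main(void) {
    const char *v[] = { "2002Jan01", "1800Jan01", "1800Feb30", "2048Min32", "1Aardvark2Many" };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++)
        printf("%-15s -> status %d\n", v[i], (int)validate_param2(v[i]));
    return 0;
}
```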
Time-of-check to time-of-use errors
• Involves synchronization
• Modern OSs and processors usually change the
order of instruction execution to increase
performance
• Instructions that appear to be adjacent may not be
executed immediately after each other, because of
intentionally changed order or the effects of other
processes in concurrent execution
Time-of-check to time-of-use errors
• Every requested access must be governed by an
access policy stating who is allowed access to what;
the request must then be mediated by an access
policy enforcement agent
• An incomplete mediation problem occurs if the access
is not checked universally
Time-of-check to time-of-use errors
• A person draws thirteen Rs 10 notes from his
pocket, carefully counts them and places them
in front of the seller.
• When the seller turns around to make his bill,
he takes back one Rs 10 note, hands over the
stack of notes, takes his buy and leaves
Time-of-check to time-of-use errors
An application requests access to a file and
passes a data structure. The mediator stores
the filename locally & checks for access rights.
While the mediator checks for access, the user
may modify the locally stored file name and
gain access to a different file
Data Structure for File Access.

Modified Data.
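The file-access scenario above as a single-threaded model, with a mediator that re-reads the caller's data structure next to one that works from a private snapshot. This is an added example, not part of the original slides; the file names my_file and your_file, the policy, and the window callback that stands in for the caller acting between check and use are all constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* The data structure the application passes; it stays in caller-owned memory. */
struct request { char filename[NAME_LEN]; };

/* Stands for whatever the caller does between the check and the use. */
typedef void (*window_fn)(struct request *);

/* Constructed policy: this caller may open "my_file" and nothing else. */
static int access_allowed(const char *name) {
    return strcmp(name, "my_file") == 0;
}

/* Flawed: checks the caller's copy, then reads the caller's copy again. */
int mediate_flawed(struct request *req, window_fn window, char *opened) {
    if (!access_allowed(req->filename))               /* time of check */
        return -1;
    if (window)
        window(req);
    snprintf(opened, NAME_LEN, "%s", req->filename);  /* time of use */
    return 0;
}

/* Fixed: snapshot the request first, then check and use only the snapshot. */
int mediate_fixed(struct request *req, window_fn window, char *opened) {
    struct request local;
    memcpy(&local, req, sizeof local);
    local.filename[NAME_LEN - 1] = '\0';
    if (!access_allowed(local.filename))
        return -1;
    if (window)
        window(req);                 /* the caller's edit no longer matters */
    snprintf(opened, NAME_LEN, "%s", local.filename);
    return 0;
}

static void swap_filename(struct request *req) {
    snprintf(req->filename, NAME_LEN, "%s", "your_file");
}

/* Request `asked`, let the caller swap the name in the window if `swap` is
 * set, and return 1 only if a file was opened and it is the one requested. */
int opened_as_checked(int use_fixed, const char *asked, int swap) {
    struct request req = { "" };
    char opened[NAME_LEN] = "";
    window_fn w = swap ? swap_filename : NULL;
    int rc;
    snprintf(req.filename, NAME_LEN, "%s", asked);
    rc = use_fixed ? mediate_fixed(&req, w, opened)
                   : mediate_flawed(&req, w, opened);
    return rc == 0 && strcmp(opened, asked) == 0;
}

int main(void) {
    printf("flawed mediator opened what it checked: %d\n",
           opened_as_checked(0, "my_file", 1));
    printf("fixed mediator opened what it checked:  %d\n",
           opened_as_checked(1, "my_file", 1));
    return 0;
}
```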
Security Implication
• Checking one action and performing another is an
example of ineffective access control
Solutions??
– Digital signatures and certificates. Time-of-check is
when someone signs and time-of-use is when anyone
verifies the signature. If the private key is exposed,
the key must be revoked (for Image use
Watermarking …DEMO)
Viruses and other malicious code
• Much of the work done by programs is invisible to
users. How can you tell if a game program does
nothing in addition to its expected interaction with
you?
• Malicious people can make programs serve as
vehicles to access and change data and other
programs
• Unanticipated or undesired effects in program parts
Malicious code-possibilities
• Write a message to the screen
• Stopping a running program
• Generating a sound
• Erasing a stored file
• Lie dormant until some event triggers the
code
Formal Definition
Any code which
• modifies or destroys data,
• steals data,
• allows unauthorized access, exploits or
damages a system,
• and does something that the user did not intend
to do, is called malicious code
Kinds of Malicious code
• Virus
• Trojan horse
• Logic bomb or Time Bomb
• Backdoor/Trapdoor
• Worm
• Rabbit
Malicious Code Taxonomy
Threats divided into two categories
• Independents: are self contained programs
that can be scheduled and run by the OS
• Needs host program: are essentially fragments
of programs that cannot exist independently
of some actual application program, utility or
system program.
Virus
• A program that can pass on malicious code to
other non malicious programs by modifying
them
• Virus can be
– Transient: life depends on the life of its
host: the virus runs when the host does
– Resident: virus locates itself in memory
How viruses attach
• A virus will do nothing and will not spread unless it is
executed.
• There are many ways to ensure that a virus is
executed
• A setup program may call dozens or even hundreds
of other programs, on the distribution disk, already
residing on the computer, or resident in memory
• Human intervention is necessary to start the process
How viruses attach
• Email attachments
• The virus code can be embedded in an
executable file attachment
How viruses attach
• Appended viruses
• Viruses that surround a program
• Integrated virus and replacements
Appended viruses
• Usually a virus inserts a copy of itself before
the first executable instruction in a Program
• Simple and usually effective
• Typically the user does not notice the effects
of the virus since the program does its job as
usual
Figure: Virus Appended to a Program.
Viruses that surround a program
• Has control before and after a program execution
• A virus presence may be given away by the file
size of the program, so the virus writer may
infect the file listing display program to regain
control after the file listing is generated but
before it is displayed
Figure: Virus Surrounding a Program.
Integrated viruses & replacements
• Virus replaces some of its target
• Virus writer has to know the exact structure of
the program
• Could replace the entire target
Figure: Virus Integrated into a Program.
More Secure !!!
• Most popular!
• Implemented within a formatted document,
which contains not only data, but also
commands, such as formulae, formatting
controls and links etc
• User sees only the contents of the document,
so the virus writer includes the virus in the
commands part of the document
How viruses gain control
• A virus has to be invoked instead of the target
• The virus has to either seem to be the target, or has
to push the target out of the way and become a
substitute
• A virus could replace a target by assuming its name
• The virus can overwrite the target on disk
• The virus can change the pointers in the file tables
so that the virus is located instead of the target
Figure: Virus Completely Replacing a Program.
Desirable qualities in viruses

• Hard to detect
• Not easily destroyed
• Spreads widely
• Reinfect its home program or other programs
• Easy to create
• Machine independent and OS independent
Homes for viruses
• One time execution
• Boot sector viruses
• Memory-resident viruses
• Other homes
One-time execution
• Majority of viruses today execute only once,
spreading their infection and causing their
effect in that one execution
• A virus often arrives as an email attachment of
a document virus and is executed just by
opening it.
Boot sector viruses
• The boot sector contains a boot loader to load
the particular OS into memory and run it
• To accommodate large boot loaders, chaining
is used
• The virus may break the chain anywhere and
insert itself
• Appeal: virus gains control early, when no
detection tool is running, and is invisible to file
listing
Figure: Boot Sector Virus Relocating Code.
Memory resident viruses
• Some portions of the OS and a few specialized
user programs would take too long to reload
each time they are needed, so they are kept in
memory and are called resident code
• e.g., routines that interpret keys pressed on
the keyboard, error control, alarm clock
• Viruses get attached to resident code
Other homes for viruses

• Application macros
• Libraries
• Compilers, linkers
• Runtime monitors, runtime debuggers
• Anti-virus
Virus signatures
• A virus cannot be completely invisible: its code must be stored
somewhere and must be in memory
• A virus executes in a particular way and uses a certain method
to spread
• Each of these characteristics yields a pattern called a signature
• Virus signatures are important for creating a program called
a virus scanner.
• When the scanner recognizes a known virus pattern, it can
then block the virus, inform the user and deactivate or
remove the virus.
• A virus scanner is effective only if it has been kept up to date with
the latest information on current viruses.
Storage Patterns
• The start of the virus code becomes a
detectable signature because the virus portion
of an infected program is invariant
• The virus scanner can use a code or checksum
to detect changes to a file
• It can also check for suspicious code such as a
JUMP instruction as the first instruction of a
program
Figure: Recognizable Patterns in Viruses.
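The two storage-pattern checks above, a checksum compared against a recorded baseline and a test for a jump as the first instruction, as an added example that is not part of the original slides. The FNV-1a checksum, the x86 jump opcodes and the byte strings are assumptions chosen for illustration; the byte strings are constructed and are not taken from any real program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_CHANGED      1u  /* length or checksum differs from the baseline */
#define FLAG_LEADING_JUMP 2u  /* first instruction is a jump */

/* FNV-1a, used here only as a simple change-detection checksum (an assumed
 * choice; it is not tamper resistant the way a cryptographic hash is). */
uint32_t fnv1a32(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

struct baseline { size_t len; uint32_t sum; };

/* Taken once, while the program file is known to be clean. */
struct baseline record_baseline(const unsigned char *image, size_t n) {
    struct baseline b = { n, fnv1a32(image, n) };
    return b;
}

/* Compare an image with its baseline and apply the first-instruction check. */
unsigned scan_image(const unsigned char *image, size_t n, struct baseline b) {
    unsigned flags = 0;
    if (n != b.len || fnv1a32(image, n) != b.sum)
        flags |= FLAG_CHANGED;
    /* 0xE9 and 0xEB are x86 JMP opcodes (assumed target architecture). A
     * legitimate program can also start with a jump, so this is only a hint. */
    if (n > 0 && (image[0] == 0xE9 || image[0] == 0xEB))
        flags |= FLAG_LEADING_JUMP;
    return flags;
}

/* Constructed sample images: a clean one, one whose first byte was replaced
 * by a jump opcode, and one that grew by two bytes. */
static const unsigned char CLEAN[]    = { 0x55, 0x48, 0x89, 0xE5, 0x90, 0x5D, 0xC3 };
static const unsigned char PATCHED[]  = { 0xE9, 0x48, 0x89, 0xE5, 0x90, 0x5D, 0xC3 };
static const unsigned char EXTENDED[] = { 0x55, 0x48, 0x89, 0xE5, 0x90, 0x5D, 0xC3,
                                          0x90, 0x90 };

/* which: 0 = clean, 1 = patched first byte, 2 = extended file. */
unsigned demo_scan(int which) {
    struct baseline b = record_baseline(CLEAN, sizeof CLEAN);
    if (which == 1)
        return scan_image(PATCHED, sizeof PATCHED, b);
    if (which == 2)
        return scan_image(EXTENDED, sizeof EXTENDED, b);
    return scan_image(CLEAN, sizeof CLEAN, b);
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("image %d -> flags %u\n", i, demo_scan(i));
    return 0;
}
```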
Transmission patterns
• Viruses can travel during the boot process
• Virus travel is not confined to any single
medium or execution pattern
– E.g.: a virus can arrive on a diskette or from a
network connection, travel during its host
execution to a hard disk boot sector, reemerge
next time the host computer is booted, and
remain in memory to infect other diskettes as they
are accessed.
Polymorphic viruses
• Virus signature is the most reliable way to
detect a virus
• A clever virus writer can cause something
other than specific strings to be in portions
where a virus scanner would look for those
strings
• Suggestions?
• A virus that can change its appearance is
polymorphic virus
Polymorphic viruses
• Two-form polymorphic virus can be handled
easily as two independent viruses.
• so the virus writer will want a large or
unlimited number of forms
• A polymorphic virus has to randomly
reposition all parts of itself and randomly
change all fixed data
• A virus may randomly insert superfluous
instructions or interchange the order
throughout its code
Polymorphic viruses
• A simple variety of polymorphic virus uses
encryption under different keys to make the stored
form of the virus different.
• These viruses are called encrypting viruses.
• To avoid detection, not every copy of a
polymorphic virus has to be different.
Prevention of virus infection
• Use only commercial software acquired from
reliable, well established vendors.
• Test all new s/w on an isolated computer.
• Open attachment only when you know them to be
safe.
• Make a recoverable system image & store it safely.
• Make and back up copies of executable system
files.
• Use virus detectors regularly and update them
daily.
TARGETED MALICIOUS CODE : Trapdoors
• An undocumented entry point into a module
• Inserted during code development, perhaps to
test the module, or to provide hooks by which
to connect future modifications, or
enhancements, or to allow access if the module
should fail in the future
Trapdoors-Examples
• Programs are prepared in modules,
• Each module is tested in “unit testing” and
then integrated and tested in “integration
testing”, to see how they function as they send
messages and data from one to the other .
• Rather than paste all modules together in a big
bang approach, the modules are grouped into
several logical clusters of a few components
each.
Trapdoors-Examples
• Each cluster is tested in a way that allows
testers to control and understand what might
make a component or its interface fail
• During component testing, the tester cannot
use the surrounding routines that prepare
input or work with output, so they write
“stubs” and “drivers” to inject data in and
extract results
Trapdoors-Examples
• These stubs and drivers are later discarded
because they are replaced by the actual
components
• The programmers embed debugging code into
suspicious components
• To control stubs or invoke debugging code,
the programmer embeds special control
sequences in the component’s design,
specifically to support testing
Figure: Stubs and Drivers.
Trapdoors-Examples
• Command insertion is a recognized testing
practice
• If left in place after testing, the extra
commands can become a problem
• The Internet Worm spread itself through such
a trapdoor in an email program
• Poor error checking is another source of
trapdoors
Trapdoors-Examples
• Not all possible opcode values represent
machine instructions. The undefined opcodes
may implement peculiar instructions either for
testing, or because of an oversight
• Trapdoors can be useful for system auditing or
testing, but they must be documented and
access must be protected
Trapdoors-Causes
• Trapdoors can persist in programs because the
developer:
– Forgot to remove them
– Intentionally left them there for testing
– Intentionally left them for maintenance
Salami attack
• Salami is odd bits of meat and fat fused
together in a sausage or salami
• A salami attack merges bits of seemingly
inconsequential data to yield powerful results
• e.g., programs often discard small amounts of
money in their computations. The amounts
may be deposited into the programmer’s bank
account (e.g., annual interest calculated up to two
digits)
Solution:
e.g. D-Mart, Petrol Pumps (set amount in
advance……)
Covert channels
programs that leak information
• Programs that communicate information to
people who shouldn’t receive it.
• The communication accompanies other
perfectly proper communications
e.g. a student may communicate correct
answer choices by coughing once for ‘a’,
clearing her throat for ‘b’ and so on
• One way for the programmer to have a covert
channel is to write to a file, print it out
Figure 3-11  Covert Channel Leaking Information.
Covert channels
• If the programmer is not close to the machine,
he can provide a Trojan horse with the
program, which transmits the data
• A programmer should not have access to data
once the program is in operation
How to create covert channels
• Subtle channels:
ways to communicate data values covertly.
A printed report would be too obvious.
• Testing: access to the real data
Encode data values into a different report format
by varying the format of the output.
• Heading would not be noticed:
• Total -> Totals = 1-bit covert channel (fig)
Figure 3-12  Covert Channels.
How to create covert channels
• Storage channels:
Service program and the spy need a common
timing source broken into intervals
• Pass information by using the presence or
absence of objects in storage.
e.g., lock or not lock a file to signal one bit of
information
Other ways would be to consume disk quota by
creating a large file, or the existence of a file/resource of
a particular name (no need for access to the file) (fig:
signaling 100 by toggling)
Figure: File Lock Covert Channel.
Figure: File Existence Channel Used to Signal 100.
Conclusion
• Service program and spy need access to a
shared resource and a shared sense of time
• Common in multi-user environment
• Shared time available? Programs need access to
current system time: to set timers, to record
event time, synchronize activities
• 1-bit transfer at a time is slow? 1 bit per ms:
never noticed but easily handled by two
processes... not easy to find
Covert channels
• Timing channels: pass information by the speed at which
things happen.
Service program and the spy need a common timing
source broken into intervals
• e.g., using or not using an assigned amount of computing
time (quantum)
Identifying covert channels
• Analyzing shared resources
• Source code
Figure 3-15  Covert Timing Channel.
Shared resource matrix
• Find all shared resources and processes that
have access to them
• Construct a matrix of resources and processes
that can access them
• Resources are rows, processes are columns
• The entries are R for can read, and M for can
modify
• Look for two rows having the M, R and M, -
arrangement
SRM
• 1st process can pass the info to the 2nd by
reading from the 2nd resource and signaling
the data through the 1st resource
• Add implied info flows in SRM
• Spy's process can read the confidential data by
using a covert channel through the file lock
channel matrix
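The matrix analysis described on the SRM slide, written as a search over a resources-by-processes matrix: it reports each case where the 1st process can modify a resource the 2nd can read and can also read a resource the 2nd cannot, then records the implied flow. This is an added example, not part of the original slides; the two-by-two matrix for the file-lock channel and the names LOCKED, CONFIDENTIAL, SERVICE and SPY are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define ACC_R         1u  /* R: can read */
#define ACC_M         2u  /* M: can modify */
#define ACC_IMPLIED_R 4u  /* read ability gained only through a covert flow */

struct flow { size_t sender, receiver, channel, leaked; };

/* m holds nres rows (resources) by nproc columns (processes), row-major.
 * A finding: the sender can modify a channel resource the receiver can read,
 * and can read a resource the receiver cannot. Findings are written back as
 * implied reads and the search repeats until no new implied flow appears. */
size_t srm_find_flows(unsigned *m, size_t nres, size_t nproc,
                      struct flow *out, size_t max_out) {
    size_t found = 0, added;
    const unsigned rd = ACC_R | ACC_IMPLIED_R;
    do {
        added = 0;
        for (size_t s = 0; s < nproc; s++)
        for (size_t r = 0; r < nproc; r++)
        for (size_t ch = 0; ch < nres; ch++)
        for (size_t d = 0; d < nres; d++) {
            if (s == r || ch == d)
                continue;
            if (!(m[ch * nproc + s] & ACC_M) || !(m[ch * nproc + r] & rd))
                continue;           /* no signalling path s -> r through ch */
            if (!(m[d * nproc + s] & rd) || (m[d * nproc + r] & rd))
                continue;           /* nothing new for r to learn about d */
            if (found < max_out)
                out[found] = (struct flow){ s, r, ch, d };
            m[d * nproc + r] |= ACC_IMPLIED_R;
            found++;
            added++;
        }
    } while (added);
    return found;
}

enum { LOCKED, CONFIDENTIAL };  /* rows: constructed resources */
enum { SERVICE, SPY };          /* columns: constructed processes */

static size_t run_demo(struct flow *f, unsigned *spy_conf) {
    unsigned m[4] = { ACC_R | ACC_M, ACC_R | ACC_M,   /* locked       */
                      ACC_R,         0 };             /* confidential */
    size_t n = srm_find_flows(m, 2, 2, f, 1);
    *spy_conf = m[CONFIDENTIAL * 2 + SPY];
    return n;
}

int demo_flow_count(void) {
    struct flow f = { 0, 0, 0, 0 };
    unsigned a;
    return (int)run_demo(&f, &a);
}

/* 1 if the single finding is service -> spy through the lock, leaking the
 * confidential data, and the spy's cell now carries an implied read. */
int demo_flow_is_service_to_spy(void) {
    struct flow f = { 0, 0, 0, 0 };
    unsigned a;
    run_demo(&f, &a);
    return f.sender == SERVICE && f.receiver == SPY && f.channel == LOCKED
        && f.leaked == CONFIDENTIAL && (a & ACC_IMPLIED_R) != 0;
}

int main(void) {
    printf("covert flows found: %d\n", demo_flow_count());
    return 0;
}
```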
Controls against program threats
• Three types of controls
– Development controls
– OS controls
– Administrative controls
Development Controls
• Development requires people who can
– Specify the system
– Design the system
– Implement the system
– Test the system
– Review the system
– Document the system
– Manage the system
– Maintain the system.
• Features of a high quality secure software
– Modularity
– Encapsulation
– Information hiding
Modularity
• Modularization is a process of dividing a task into
subtasks.
• This division is done based on functional or logical basis.
• Each component performs a separate, independent part
of the task.
• Goal is to have each component meet 4 conditions
– Single purpose
– Small
– Simple
– independent
Figure 3-16  Modularity.
Advantages of modularity
• Maintenance
• Understandability
• Reuse
• Correctness
• Testing
• A modular component usually has high cohesion and
low coupling.
– Cohesion means that all the elements of a component have
logical and functional reasons for being there.
– Coupling refers to degree with which a component depends
Figure 3-17  Coupling.
Encapsulation
• Hides a component’s implementation detail,
but it does not necessarily mean complete
isolation.
• Many components must share information with
other components , usually with good reason.
• This sharing is carefully documented so that a
component is affected only in known ways by
the others in the system.
Information hiding
• Is desirable,
• Developers cannot easily and maliciously alter
the components of others if they do not know
how the components work.
Figure 3-18  Information Hiding.
• Key techniques in finding real and potential
security flaws
– Peer reviews
– Hazard analysis
– Testing
– Good design
– Prediction
– Static analysis
– Configuration management
– Analysis of mistakes
Peer reviews
• Types
– Review
– Walk through
– inspection
Hazard Analysis
• Techniques support the identification and
management of hazards
– Hazard or operability studies(HAZOP)
– Failure modes and effects analysis(FMEA)
– Fault tree analysis(FTA)
Testing

• Stages
– Unit testing
– Integration testing
– Function testing
– Performance testing
– Acceptance testing
– Installation testing
– Regression testing
• Two perspective of tests
– Black box
– Clear box
Good Design
• Process activities helpful in building secure
software
– Using a philosophy of fault tolerance
– Having a consistent policy for handling failures
– Capturing the design rationale and history
– Using design patterns
• Prediction:
– We try to predict the risks involved in building and using
the system
• Static analysis
– Several aspects of design and code
• Control flow structure
• Data flow structure
• Data structure
– Configuration management
• It is important to know who is making which changes to what
and when
– Corrective changes
– Adaptive changes
– Perfective changes
– Preventive changes
• Four activities are involved in configuration
management
– Configuration identification
– Configuration control and change management
– Configuration auditing
– Status accounting
Lessons from mistakes
• As we design and build systems, we can
document our decisions
• Not only what we decided to do and why, but
also what we decided not to do and why.
• Then after the system is up and running, we
can use information about the failures to give us
better understanding of what leads to
vulnerabilities and their exploitation.
OS controls on use of program
• Operating system can protect against some of the
design and implementation flaws
– Trusted software
• To trust any code , we base our trust on rigorous analysis and
testing looking for key characteristics
– Functional correctness.
– Enforcement of integrity.
– Limited privilege.
– Appropriate confidence level.
– Malicious suspicion
– Confinement
– Access log
Administrative controls
• Standards of program development
– Standards of design
– Standards of documentation
– Standards of programming
– Standards of testing
– Standards of configuration management.
• Separation of duties
Program controls in general
• Best is the combination of security controls
• Humans can learn from their mistakes and
shape their creations to account for
fundamental principles.
End of program security
