ADOBE READER… AGAIN - III

JBIG2 exploit: infections without a click

Select a thumbnail view.
Hover a mouse over a document.
Do nothing: the Windows Desktop Search
(if not de-activated) will find it and open!

CSC662
COMPUTER SECURITY

AN OVERVIEW

These slides are prepared from Matt Bishop‘s slide, Ahmad Al-
Mulhem‘s and Dr Adnan Gutub‘s lecture slide Version 2.0

1
 COMPUTER SECURITY…
What is computer security?
Protection of computer systems and their services
from unauthorized modification, destruction, or
disclosure
Why is it important?
Computer systems are important in our life (mission-
critical, business, banks, . . . etc).
Information is power and money.
Why is it difficult?
Computer systems are growing in complexity and
usage.
People make mistakes

WHY COMPUTER SYSTEMS

SO UNSECURE?
Growing complexity of computer systems
large number of components, complex interaction
High competition
short “time-to-market”, high ROI
Leveraging of risks through high connectivity
worm outbreaks, botnets
Slow incident response
“incident hiding”, manual handling
Human error

What can go wrong will go wrong!

2
 HUMAN ERROR - EMAIL

HUMAN ERROR – ADOBE READER I

3
HUMAN ERROR – ADOBE READER II

HUMAN ERROR –
LESSONS LEARNED
Users make errors
elaborate social engineering design
time pressure
Significant monetary motivation
Business efficiency via Internet

4
 ADOBE READER… AGAIN - I

ADOBE READER… AGAIN - II

JBIG2 exploit: a timeline
Exploit discovered: ???
First public warnings: 19-20.02
Adobe Reader 9.0 patched: 10.03
Adobe Reader 8.1.3 patched: 18.03
Adobe Reader Linux patched: 26.03
Recognition by antivirus system as of
mid-April 2009: 6/39 (15.39%)

5
ADOBE READER… AGAIN - IV
JBIG2 exploit: potential threats
Start a keylogger
Start a botnet (zombie) client
Download further code from a remote site

COMPUTER SECURITY
INSTRUMENTS
Prevention
stop attackers from violating security policy
Detection
discover attackers’ violation of security policy
Recovery/Reaction
Prevent or end attack, assess and repair
damage
continue to function correctly even if attack
succeeds

6
 POLICIES & MECHANISMS
Security policy – a statement of what is, and
what is not, allowed
Policy says: formal or informal - legal or illegal
This defines “security” for the site/system/etc.
Security mechanism - a method, tool, or
procedure for enforcing a security policy.
Mechanisms enforce policies – can be non
technical (ID proof)
Composition of policies
If policies conflict, discrepancies may create
security vulnerabilities

POLICIES & MECHANISMS –

AN EXAMPLE
Copying homework files are prohibited -
system provide security mechanism to
prevent others from reading users files
Scenario:
Ali does not use the secure method.
Omar copies Ali’s files.
Does Ali’s failure to protect his files authorize
Omar to copy them?
If Omar looks into Ali’s files without copying, is it
a security violation?

7
 ASSUMPTIONS & TRUSTS
Underlie all aspects of security
Opening a door lock requires a key?
Policies
Unambiguously & clearly partition system states
into “secure & non-secure” states
Correctly capture security requirements not
allowing the system to enter in “non-secure”
state
Mechanisms
Assumed to enforce policy
Support mechanisms work correctly

TYPE OF MECHANISMS

SECURE PRECISE BROAD

set of reachable states set of secure states

8
 ASSURANCE
Assurance - A basis of “how much” one
can trust a system
Specification
Requirements analysis
Statement of desired functionality
Design
How system will meet specification
Implementation
Programs/systems that carry out design
Medication for example….

TYING UP TOGETHER

9
TYING UP TOGETHER - OTHERS

KEY POINTS
Policy defines security
Mechanisms enforce security
Confidentiality
Integrity
Availability
Trust and knowing assumptions
Importance of assurance
The human factor

10
Thank You

11