
Chapter Two

Cryptography Basics Introduction to Cryptography: Role of encryption in securing data. Symmetric vs. Asymmetric Encryption: Differences, examples (AES, RSA), and use cases. Hash Functions: Understanding hashing and its applications (e.g., SHA-256). Digital Signatures: Ensuring authenticity and non-repudiation. Key Management: Handling and protecting cryptographic keys.

Uploaded by

mintesinottolosa

Dilla University

College of Engineering and Technology


School of Computing and Informatics
Computer Science Program
Computer Network Security

CHAPTER TWO
Program Security Overview

By: Shewangizaw Liulseged
OBJECTIVES
To learn the concept of secure programming
Programming errors with security implications:
buffer overflows, incomplete access control
Malicious code: viruses, worms, Trojan horses
Controls against malicious code and vulnerabilities
Controls against program flaws in execution
PROGRAM SECURITY
Why do we need security at the program level?
Because programs constitute most of a computing system, and
protecting programs is the heart of computer security.
This applies to all kinds of programs, from apps via OS, DBMS, networks
How can we achieve it?
Issues:
1. How do we keep programs free from flaws?
2. How do we protect computing resources against programs that
contain flaws?
SECURE PROGRAMS
Security implies some degree of trust that the program
enforces expected confidentiality, integrity, and
availability.
What is “Program security?”
Depends on who you ask
user - fit for his task
programmer - passes all “his/her” tests
manager - conformance to all specs
FAULT TOLERANCE TERMINOLOGIES
Bug – mistake in interpreting a requirement, syntax error
Error – human-made mistake, may lead to a fault
Fault – misinterpreted requirements may lead to several faults in the
coding and testing phases. Seen by “insiders” (e.g., programmers)
Failure – system malfunction caused by a fault, can be discovered
before or after system delivery. Seen by “outsiders” (e.g.,
independent testers, users)
Error/fault/failure example:
Programmer’s indexing error leads to buffer overflow fault
Buffer overflow fault causes system crash (a failure)
FIXING FAULTS
Software that has many faults early on is likely to have many
others still waiting to be found.
Earlier paradigm to judge s/w security: penetrate and patch
Red Team /Tiger Team tries to crack s/w
If software withstands the attack => security is good
• Is this true? - Rarely.
Too often developers try to quick-fix problems discovered by
Tiger Team
FIXING FAULTS
Quick patches often introduce new faults due to:
Pressure – causing narrow focus on fault, not context
Non-obvious side effects
Fixing one problem often caused a failure somewhere else
System performance requirements not allowing for security
overhead
UNEXPECTED BEHAVIOR
Compare program requirements with behavior to identify program
security flaws
Flaw is either a fault or failure
Vulnerability is a class of flaws (e.g. buffer overflows)
Therefore we categorize the faults into inadvertent human errors and
intentionally induced faults.
There are 2 reasons for not addressing all program security flaws:
Program controls apply at the level of the individual program and programmer.
Programmers concentrate on the “should do” checklist and are least bothered about the
“shouldn’t do” checklist.
Programming and software engineering techniques evolve more rapidly than
computer security techniques.
TYPES OF FLAWS
Intentional
Malicious
Non malicious
Inadvertent
Validation error (incomplete / inconsistent): permission checks
Domain error: controlled access to data
Serialization and aliasing: program flow order
Inadequate identification and authentication: basis for authorization
Boundary condition violation: failure on first and last case
VIRUSES AND OTHER MALICIOUS CODE
Work done by a program is invisible to users and they will not
be aware of any malicious activity.
Example:
1. When is the last time you saw a bit?
2. Do you know in what format a document file is stored?
3. If a document is stored on a disk, can you tell the exact location where it is
residing?
4. Which programs execute when we start our computer and how are they
executed?

We cannot answer these questions properly, since we don’t see
computer data directly.
MALICIOUS CODE
Malicious code executes just like any other program on the system. But,
it is written to exploit the vulnerabilities of a system/software.
Malicious code can change: data and other programs.
Malicious code can do anything, like writing a message to the screen, stopping
a running program, erasing a stored record etc., or sometimes malicious
code will not do anything at all and stay dormant in the system.
Dormant malicious code just needs a trigger to become active.
Malicious codes are not new to computers, they have been in existence
for the past few decades.
KINDS OF MALICIOUS CODE
Malicious code or rogue code is the general name for
unanticipated and undesired effects in programs.
Agent is the writer of the program or the person who causes its
distribution.
Virus is a program that can replicate itself and pass onto other
non malicious programs.
Virus can be: transient or resident
Transient virus has a life that depends on the life of its host.
Resident virus locates itself in memory and will be active in the system even
after the attached program ends.
KINDS OF MALICIOUS CODE
Trojan horse is an unauthorized program that performs functions unknown
to the user.
Trojan horse gets installed along with an infected legitimate program.
Effects of a Trojan horse: Deleting, editing files, transmitting files to intruders,
installing malicious code that can gain network access, privilege elevation attacks etc.

Logic bomb is a special class of malicious code that “detonates” or goes
off when a certain condition is met. Time bomb is a logic bomb whose
trigger is time or date.
Trapdoor or backdoor is a feature in a program which provides an alternate
entry or access to the program, avoiding the direct calls and perhaps with
special privileges.
KINDS OF MALICIOUS CODE
Worm is a program that replicates itself and spreads across a
network of systems. Primary difference between a worm and a
virus is that a worm operates through networks whereas a virus
spreads through any medium.
Rabbit is a virus or a worm that replicates itself without any
bound to exhaust the computing resources of a system.
Often the term “Virus” is used to refer to any malicious code.
SUMMARY OF MALICIOUS CODE
HOW VIRUSES WORK?
Program containing virus must be executed to spread virus or infect other
pgms
Even one pgm execution suffices to spread virus widely
Virus actions: spread / infect
Spreading–Example 1: Virus in a pgm on installation CD
User activates pgm containing virus when he/she runs SETUP
Virus installs itself in any/all executing pgms present in memory
Virus installs itself in pgms on hard disk
From now on virus spreads whenever any of the infected pgms (from
memory or hard disk) executes
HOW VIRUSES WORK?
Spreading – Example 2: Virus in attachment to e-mail msg
User activates pgm containing virus (e.g. macro in MS Word) by just opening the attachment
=> Disable automatic opening of attachments!!!
Virus installs itself and spreads
Spreading – Example 3: Virus in downloaded file
File with pgm or document (.doc, .xls, .ppt, etc.)
Document virus
Spreads via picture, document, spreadsheet, slide presentation, database, ...
E.g., via .jpg, via MS Office documents .doc, .xls, .ppt etc.
KINDS OF VIRUSES-BASED ON THEIR WAY OF ATTACHING
1. Appended Viruses
Appends to program. Often virus code precedes the program code
execution by running its code before the 1st program instruction in exec
file.
Executes whenever program gets executed.
KINDS OF VIRUSES-BASED ON THEIR WAY OF ATTACHING
2. Surrounding viruses
Surrounds program
Executes before and after infected program
• Intercepts its input/output
Erases its tracks
The “after” part might be used to mask virus
existence.
KINDS OF VIRUSES-BASED ON THEIR WAY OF ATTACHING
3. Integrating and replacing viruses
Integrates into pgm code
Spread within infected pgms
(Replacing) virus V gains control over target pgm T by:
Overwriting T on hard disk
OR
Changing pointer to T with pointer to V
• OS has File Directory
• File Directory has an entry that points to file with code for T
• Virus replaces pointer to T’s file with pointer to V’s file
In both cases actions of V replace actions of T when user executes what she
thinks is “T”
CHARACTERISTICS OF VIRUS
Hard to detect
Not easily destroyed or deactivated
Spreads infection widely
Can re-infect programs
Easy to create
Machine and OS independent
HOMES FOR VIRUSES
Most viruses are passed through e-mails or drive-by-downloads.
Attackers lure the victims to open the emails / click the malicious
links that enable drive-by-download.
Ways for virus to take control over program:
Overwriting the complete program
Changing the pointer to point to a virus code instead of program on the
disk.
One-time execution: the majority of viruses today execute only
once, spreading their effect in that one execution.
BOOT SECTOR VIRUSES
When OS is started, firmware detects the hardware components present,
tests them and then transfers the control to the OS.
OS is invoked dynamically and not coded in the firmware.
OS resides on the disk. It is fetched into memory by a program called
Bootstrap.
Firmware reads fixed number of bytes from a fixed location (boot sector)
on the disk to a fixed location in the memory and jumps to that address for
execution.
Often the boot sector size will be less than 512 bytes whereas the bootstrap
loader will be of larger size.
To support this situation most of the hardware designers support
“chaining”.
BOOT SECTOR VIRUSES
This chaining has both pros and cons.
Virus writer will simply break the chain at any point, insert a pointer to the
virus code, and reconnect the chain later.
MEMORY RESIDENT VIRUSES
Most of the user programs will execute, terminate and disappear making
space for other programs.
A few specialized programs are called very often and loading them each
time takes a long time. So, OS keeps such programs and resident programs
in the memory.
Ex: resident code that interprets the keys pressed on keyboard.
Resident routines are also called “terminate and stay resident” (TSR).
Viruses attach to these programs in memory so that the virus gets control
whenever the program is invoked.
These viruses are also capable of modifying Windows tables (registries).
VIRUS SIGNATURES
Viruses execute in a particular way, using certain methods and leaving some
patterns.
These patterns of virus can be used to design programs like “virus
scanners”.
Patterns can be:
1. Storage patterns
2. Execution patterns
3. Transmission patterns
Symantec reports on viruses give statistical information on viruses.
STORAGE PATTERN
Often the attached virus piece is invariant, so the start of the virus code
becomes detectable.
Virus attaches itself to a file, increasing the size of the file.
Else, virus can obliterate the actual code, which will not increase the size of
the code but impacts the program functioning.
Virus scanner can use a code or checksum to detect changes to a file. It can
also look for suspicious statements like JUMP at the starting instruction of the
code.
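The checks on this slide (size growth, checksum change, a JUMP as the first instruction), written out as an added example that is not part of the original slides. The file names and byte strings are constructed placeholders, and treating 0xE9/0xEB as the jump opcodes assumes x86 code.

```python
import hashlib

# x86 opcodes for an unconditional jump: 0xE9 (near) and 0xEB (short).
JUMP_OPCODES = {0xE9, 0xEB}

def fingerprint(data: bytes) -> dict:
    """Record the properties a scanner compares later: size, checksum, first opcode."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "starts_with_jump": bool(data) and data[0] in JUMP_OPCODES,
    }

def audit(baseline: dict, current: dict) -> dict:
    """Compare current contents (name -> bytes) with a baseline (name -> fingerprint)."""
    findings = {}
    for name, data in current.items():
        now, old = fingerprint(data), baseline.get(name)
        if old is None:
            findings[name] = ["no baseline"]
        elif now["sha256"] == old["sha256"]:
            findings[name] = ["unchanged"]
        else:
            notes = []
            if now["size"] > old["size"]:
                notes.append("grew: code may have been attached")
            elif now["size"] == old["size"]:
                notes.append("same size, new checksum: code may have been overwritten")
            else:
                notes.append("shrank")
            if now["starts_with_jump"] and not old["starts_with_jump"]:
                notes.append("first instruction is now a JUMP")
            findings[name] = notes
    for name in baseline.keys() - current.keys():
        findings[name] = ["missing"]
    return findings

# Constructed sample data: placeholder bytes, not real programs.
CLEAN = {"a.bin": b"\x55" + b"A" * 31, "b.bin": b"\x55" + b"B" * 31, "c.bin": b"C" * 32}
BASELINE = {name: fingerprint(data) for name, data in CLEAN.items()}
LATER = {
    "a.bin": b"\xe9\x20\x00" + CLEAN["a.bin"][3:] + b"X" * 16,  # longer, starts with JUMP
    "b.bin": b"\x55" + b"Z" * 31,                               # same length, different bytes
    "c.bin": CLEAN["c.bin"],                                    # untouched
}

if __name__ == "__main__":
    for name, notes in sorted(audit(BASELINE, LATER).items()):
        print(name, "->", "; ".join(notes))
```

The baseline is only as trustworthy as the place it is stored: it has to be taken from known-good files and kept where the monitored system cannot rewrite it.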
EXECUTION PATTERN
Most of the operations that a virus does are the common operations like
removing directory, modifying files etc. which are common in OS.
Damage is bounded only by the creativity of the virus’s writer.
TRANSMISSION PATTERN
Virus travel is not confined to any single medium or execution
pattern.
A virus may come through a network, reside in disk, may get
attached to a program in execution, while executing may transfer
a copy of itself to memory, staying there as a resident, etc.
These transmissions have to be observed in order to detect virus
patterns in the system.
POLYMORPHIC VIRUSES
Virus signatures or patterns are useful for a virus scanner to detect their
existence in the systems.
Virus scanners look for such pre-defined patterns in the application code.
Intelligent virus writers can change these patterns just by sprinkling some
no-ops (jumps, adding 0 to a num, comparing with itself) to distort the
pattern.
A virus that can change its pattern/appearance is called a polymorphic
virus.
Ex: if a virus writer has 100 bytes of code and 50 bytes of data; there can
be ‘n’ arrangements of this code using several jump statements.
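Why a fixed byte pattern stops matching once filler is sprinkled in, and how a scanner can tolerate it, as an added example that is not part of the original slides. The ASCII marker and sample buffers are constructed placeholders, and a single filler byte (x86 NOP, 0x90) is assumed.

```python
import re

FILLER = b"\x90"  # x86 NOP, standing in for the no-ops the slide mentions

def exact_scan(data: bytes, signature: bytes) -> bool:
    """Fixed-pattern scan: the signature must appear byte for byte."""
    return signature in data

def tolerant_pattern(signature: bytes) -> re.Pattern:
    """Signature bytes in order, with any run of FILLER allowed between them."""
    gap = b"(?:" + re.escape(FILLER) + b")*"
    return re.compile(gap.join(re.escape(bytes([b])) for b in signature))

def tolerant_scan(data: bytes, signature: bytes) -> bool:
    """Scan that still matches after filler has been inserted into the pattern."""
    return tolerant_pattern(signature).search(data) is not None

def scan_all(samples: dict, signature: bytes) -> dict:
    """Return name -> (exact hit, tolerant hit) for each sample."""
    return {name: (exact_scan(d, signature), tolerant_scan(d, signature))
            for name, d in samples.items()}

# Constructed placeholder data: an ASCII marker plays the role of the invariant
# virus bytes; none of this is real code.
SIGNATURE = b"DEMO-MARKER"
SAMPLES = {
    "original": b"\x00" * 8 + SIGNATURE + b"\x00" * 8,
    "padded": b"\x00" * 8 + b"DE\x90MO-\x90\x90MAR\x90KER" + b"\x00" * 8,
    "clean": b"\x00" * 8 + b"DEMO-MAKER" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, (exact, tolerant) in scan_all(SAMPLES, SIGNATURE).items():
        print(f"{name}: exact={exact} tolerant={tolerant}")
```

Skipping one known filler byte only covers the simplest case on the slide; the other no-ops it lists (jumps, adding 0, self-comparison) need the scanner to normalise instructions rather than raw bytes.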
PREVENTION OF VIRUS INFECTION
Do not receive executable code from an unknown source.
But today, non-executable files can have executable code, like macros in
docs.
Hidden extension types are another problem, which deceive the user with
a fake format.
Hiding and making the files as read-only will not prevent the attacks of
virus.
Some prevention steps possible are:
PREVENTION OF VIRUS INFECTION
1. Use only commercial software acquired from reliable and well
established sources/vendors.
2. Use all new software on an isolated computer.
3. Open attachments only when you know them to be safe.
4. Make a recoverable system image and store it safely.
5. Make and retain backup copies of executable system files.
6. Use virus detectors/scanners regularly and update them frequently with
latest virus definitions.
