
Program Security

The document discusses software security and program flaws. It covers buffer overflows, which occur when a program writes data to a buffer without checking the length, potentially overwriting adjacent memory and enabling attacks. It also discusses incomplete mediation and race conditions as other common program flaws that can create security risks if exploited.

Uploaded by

RAJ TAPASE

Software and Security

Part 4: Software. Mark Stamp’s Information Security: Principles and Practices by Mark Stamp / Deven Shah.
Copyright © 2009 Wiley India Pvt. Ltd. All rights reserved.
Objectives
 To present importance of security at system level
 To define and discuss components of the systems
involved and level of security associated with each
of them
 To provide overview of malicious programs
 To describe commonly known malicious programs
like virus, worm, Trojans, logic bombs etc.
 To present an overview of IDS
 To discuss firewalls and their classifications
System
 Comprises the computing and communication
environment over which developers have some
control
 System components
o Security relevant: crucial components whose
malfunction or penetration can lead to security
violations
 E.g. OS and computer hardware
o Others: objects that the system controls and protects
 Programs (not processes), data, terminal, modem
 Security perimeter: line of demarcation between
security relevant and other components
User, trust and trusted systems
 User: a person whose information the system
protects and whose access to information
is controlled by the system
 User is trusted with some confidential
information.
 System security needs to have trust in
security related components inside the
security perimeter.
 Trust in systems is built using techniques
of identification and authentication.
System and trusted program

Why Software?
 Why is software as important to security
as crypto, access control and protocols?
 Virtually all of information security is
implemented in software
 If your software is subject to attack, your
security is broken
o Regardless of strength of crypto, access
control or protocols
 Software is a poor foundation for security

Bad Software
 Bad software is everywhere!
 NASA Mars Lander (cost $165 million)
o Crashed into Mars
o Error in converting English and metric units of measure
 Denver airport
o Buggy baggage handling system
o Delayed airport opening by 11 months
o Cost of delay exceeded $1 million/day
 MV-22 Osprey
o Advanced military aircraft
o Lives have been lost due to faulty software

Software Issues
“Normal” users
 Find bugs and flaws by accident
 Hate bad software…
 …but must learn to live with it
 Must make bad software work
Attackers
 Actively look for bugs and flaws
 Like bad software…
 …and try to make it misbehave
 Attack systems thru bad software

Complexity
 “Complexity is the enemy of security”, Paul
Kocher, Cryptography Research, Inc.

System          Lines of code (LOC)
Netscape        17,000,000
Space shuttle   10,000,000
Linux           1,500,000
Windows XP      40,000,000
Boeing 777      7,000,000

 A new car contains more LOC than was required
to land the Apollo astronauts on the moon

Lines of Code and Bugs
 Conservative estimate: 5 bugs/1000 LOC
 Do the math
o Typical computer: 3,000 exe’s of 100K each
o Conservative estimate of 50 bugs/exe
o About 150k bugs per computer
o 30,000 node network has 4.5 billion bugs
o Suppose that only 10% of bugs security-critical
and only 10% of those remotely exploitable
o Then “only” 4.5 million critical security flaws!

Software Security Topics
 Program flaws (unintentional)
o Buffer overflow
o Incomplete mediation
o Race conditions
 Malicious software (intentional)
o Viruses
o Worms
o Other breeds of malware

Program Flaws
 An error is a programming mistake
o To err is human
 An error may lead to incorrect state: fault
o A fault is internal to the program
 A fault may lead to a failure, where a
system departs from its expected behavior
o A failure is externally observable

error → fault → failure

Example
char array[10];
int i;
for (i = 0; i < 10; ++i)
    array[i] = 'A';
array[10] = 'B';   /* the error: index 10 is one past the end of array */
 This program has an error
 This error might cause a fault
o Incorrect internal state
 If a fault occurs, it might lead to a failure
o Program behaves incorrectly (external)
 We use the term flaw for all of the above

Secure Software
 In software engineering, try to ensure that
a program does what is intended
 Secure software engineering requires that
the software does what is intended…
 …and nothing more
 Absolutely secure software is impossible
o Absolute security is almost never possible!
 How can we manage the risks?

Program Flaws
 Program flaws are unintentional
o But still create security risks
 We’ll consider 3 types of flaws
o Buffer overflow (smashing the stack)
o Incomplete mediation
o Race conditions
 Many other flaws can occur
 These are most common

Buffer Overflow

Typical Attack Scenario
 Users enter data into a Web form
 Web form is sent to server
 Server writes data to buffer, without
checking length of input data
 Data overflows from buffer
 Sometimes, overflow can enable an attack
 Web form attack could be carried out by
anyone with an Internet connection

Buffer Overflow
int main(){
    int buffer[10];
    buffer[20] = 37;
}
 Q: What happens when this is executed?
 A: Depends on what resides in memory
at location “buffer[20]”
o Might overwrite user data or code
o Might overwrite system data or code

Simple Buffer Overflow
 Consider boolean flag for authentication
 Buffer overflow could overwrite flag
allowing anyone to authenticate!
[Figure: buffer holding “F O U R S C …” next to the Boolean flag, whose value F is overwritten with T]
 In some cases, attacker need not be so
lucky as to have overflow overwrite flag
Memory Organization
 Text == code
 Data == static variables
 Heap == dynamic data
 Stack == “scratch paper”
o Dynamic local variables
o Parameters to functions
o Return address
[Figure: memory layout from low address to high address: text, data, heap, then the stack at the high-address end, with SP marking the top of the stack]

Simplified Stack Example
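void func(int a, int b){
    char buffer[10];
}
int main(void){
    func(1, 2);
    return 0;
}
[Figure: stack frame for func from low address to high address: buffer, ret (return address), a, b, with SP marking the top of the stack as each item is pushed]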

Smashing the Stack
 What happens if buffer overflows?
 Program “returns” to wrong location
 A crash is likely
[Figure: stack from low address to high address: ???, buffer, ret overwritten by the overflow (“ret… NOT!”), a, b]

Smashing the Stack
 Trudy has a better idea…
 Code injection
 Trudy can run code of her choosing!
[Figure: stack from low address to high address: evil code, ret, a, b]

Smashing the Stack
 Trudy may not know
o Address of evil code
o Location of ret on stack
 Solutions
o Precede evil code with NOP “landing pad”
o Insert lots of new ret
[Figure: stack contents: NOP … NOP, evil code, ret, ret, …, ret]
Stack Smashing Summary
 A buffer overflow must exist in the code
 Not all buffer overflows are exploitable
o Things must line up just right
 If exploitable, attacker can inject code
 Trial and error likely required
o Lots of help available online
o Smashing the Stack for Fun and Profit, Aleph One
 Also heap overflow, integer overflow, etc.
 Stack smashing is “attack of the decade”

Stack Smashing Example
 Program asks for a serial number that the
attacker does not know
 Attacker does not have source code
 Attacker does have the executable (exe)

 Program quits on incorrect serial number


Example
 By trial and error, attacker discovers an
apparent buffer overflow

 Note that 0x41 is “A”


 Looks like ret overwritten by 2 bytes!

Example
 Next, disassemble bo.exe to find

 The goal is to exploit buffer overflow
to jump to address 0x401034
Example
 Find that 0x401034 is “@^P4” in ASCII

 Byte order is reversed? Why?


 X86 processors are “little-endian”

Example
 Reverse the byte order to “4^P@” and…

 Success! We’ve bypassed serial number
check by exploiting a buffer overflow
 Overwrote the return address on the stack

Example
 Attacker did not require access to
the source code
 Only tool used was a disassembler to
determine address to jump to
 Can find address by trial and error
o Necessary if attacker does not have exe
o For example, a remote attack

Example
 Source code of the buffer overflow
 Flaw easily found by attacker
 Even without the source code!

Stack Smashing Prevention
 1st choice: employ non-executable stack
o “No execute” NX bit (if available)
o Seems like the logical thing to do, but some real
code executes on the stack (Java does this)
 2nd choice: use safe languages (Java, C#)
 3rd choice: use safer C functions
o For unsafe functions, there are safer versions
o For example, strncpy instead of strcpy

Stack Smashing Prevention
 Canary
o Run-time stack check
o Push canary onto stack
o Canary value:
 Constant 0x000aff0d
 Or value depends on ret
[Figure: stack from low address to high address: buffer, canary, ret, a, b; an overflow from buffer reaches the canary before it reaches ret]
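The canary check from this slide and the length check from the previous one, as an added example that is not code from the slides or the book. The stack frame is simulated in a byte array with an assumed layout of buffer, canary, ret; `SAVED_RET`, the function names and the return codes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    10                 /* char buffer[10], as in the slides */
#define CANARY_OFF BUF_LEN            /* canary sits directly above the buffer */
#define RET_OFF    (CANARY_OFF + 4)   /* saved return address above the canary */
#define FRAME_LEN  (RET_OFF + 4)
#define CANARY     0x000aff0du        /* constant canary value from the slide */
#define SAVED_RET  0x00401000u        /* constructed return address */

enum { RETURN_OK = 0, CANARY_DEAD = -1, INPUT_REJECTED = -2 };

/* Prologue: write the canary and the return address into the simulated frame. */
static void frame_enter(unsigned char *frame, uint32_t ret)
{
    uint32_t canary = CANARY;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
}

/* Copy with no check against BUF_LEN (strcpy-style). The length is clamped to
 * the simulated frame so the demo never writes outside its own array. */
static void copy_unchecked(unsigned char *frame, const unsigned char *src, size_t n)
{
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, src, n);
}

/* Hardened copy: input that does not fit the buffer is refused, not truncated. */
static int copy_checked(unsigned char *frame, const unsigned char *src, size_t n)
{
    if (n > BUF_LEN)
        return -1;
    memcpy(frame, src, n);
    return 0;
}

/* Epilogue: the canary is verified before the return address is used. */
static int frame_leave(const unsigned char *frame, uint32_t *ret_out)
{
    uint32_t canary;
    memcpy(&canary, frame + CANARY_OFF, sizeof canary);
    if (canary != CANARY)
        return CANARY_DEAD;           /* canary died: do not return */
    memcpy(ret_out, frame + RET_OFF, sizeof *ret_out);
    return RETURN_OK;
}

/* One call of the simulated function with input_len bytes of 'A' (0x41). */
int run_call(size_t input_len, int checked, uint32_t *ret_out)
{
    unsigned char frame[FRAME_LEN];
    unsigned char input[FRAME_LEN];

    memset(input, 'A', sizeof input);  /* constructed input */
    frame_enter(frame, SAVED_RET);
    if (checked) {
        if (copy_checked(frame, input, input_len) != 0)
            return INPUT_REJECTED;
    } else {
        copy_unchecked(frame, input, input_len);
    }
    return frame_leave(frame, ret_out);
}

int main(void)
{
    static const size_t lens[] = { 8, 12, 18 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t ret = 0;
        int unchecked = run_call(lens[i], 0, &ret);
        int checked = run_call(lens[i], 1, &ret);
        printf("len=%2zu unchecked=%d checked=%d\n", lens[i], unchecked, checked);
    }
    return 0;
}
```

With 12 bytes of input the return address is still intact, yet the canary already reports the overflow; the checked copy never lets the frame be touched at all.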
Microsoft’s Canary
 Microsoft added buffer security check
feature to C++ with /GS compiler flag
 Uses canary (or “security cookie”)
 Q: What to do when canary dies?
 A: Check for user-supplied handler
 Handler may be subject to attack
o Claimed that attacker can specify handler code
o If so, “safe” buffer overflows become
exploitable when /GS is used!

Buffer Overflow
 The “attack of the decade” for 90’s
 Will be the attack of the decade for 00’s
 Can be prevented
o Use safe languages/safe functions
o Educate developers, use tools, etc.
 Buffer overflows will exist for a long time
o Legacy code
o Bad software development

Incomplete Mediation

Input Validation
 Consider: strcpy(buffer, argv[1])
 A buffer overflow occurs if
len(buffer) < len(argv[1])
 Software must validate the input by
checking the length of argv[1]
 Failure to do so is an example of a more
general problem: incomplete mediation

Input Validation
 Consider web form data
 Suppose input is validated on client
 For example, the following is valid
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205
 Suppose input is not checked on server
o Why bother since input checked on client?
o Then attacker could send http message
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25
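Server-side mediation for the order request above, as an added example that is not part of the original slides. It recomputes the total from the quantity and a server-side price instead of trusting the client's figures, which goes one step beyond the slide by also checking `price` and `shipping`; the catalogue entry, `MAX_QTY`, the status codes and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ORDER_OK = 0, ORDER_MALFORMED = -1, ORDER_UNKNOWN_ITEM = -2,
       ORDER_OUT_OF_RANGE = -3, ORDER_TAMPERED = -4 };

#define MAX_QTY 1000UL

/* Constructed server-side catalogue: the server, not the client, owns prices. */
struct item { const char *num; unsigned long price; unsigned long shipping; };
static const struct item CATALOGUE[] = { { "55A", 10, 5 } };

/* Copy the value of `key` from an &-separated parameter string into out.
 * Fails if the key is missing, repeated, empty, or too long for out. */
static int get_param(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    int found = 0;

    for (const char *p = query; p && *p; ) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (found || vlen == 0 || vlen >= outlen)
                return -1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            found = 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return found ? 0 : -1;
}

/* Parse a parameter that must consist only of decimal digits. */
static int get_uint(const char *query, const char *key, unsigned long *out)
{
    char buf[16], *end;

    if (get_param(query, key, buf, sizeof buf) != 0)
        return -1;
    if (strspn(buf, "0123456789") != strlen(buf))
        return -1;                       /* rejects signs, spaces, letters */
    errno = 0;
    *out = strtoul(buf, &end, 10);
    return (errno == 0 && *end == '\0') ? 0 : -1;
}

/* Validate the parameter part of the order URL on the server. */
int validate_order(const char *query)
{
    char num[16];
    unsigned long qty, price, shipping, total, expected;
    const struct item *it = NULL;

    if (get_param(query, "num", num, sizeof num) != 0 ||
        get_uint(query, "qty", &qty) != 0 ||
        get_uint(query, "price", &price) != 0 ||
        get_uint(query, "shipping", &shipping) != 0 ||
        get_uint(query, "total", &total) != 0)
        return ORDER_MALFORMED;

    for (size_t i = 0; i < sizeof CATALOGUE / sizeof CATALOGUE[0]; i++)
        if (strcmp(CATALOGUE[i].num, num) == 0)
            it = &CATALOGUE[i];
    if (it == NULL)
        return ORDER_UNKNOWN_ITEM;
    if (qty == 0 || qty > MAX_QTY)
        return ORDER_OUT_OF_RANGE;

    /* Recompute from server-side values; client figures are only compared. */
    expected = qty * it->price + it->shipping;
    if (price != it->price || shipping != it->shipping || total != expected)
        return ORDER_TAMPERED;
    return ORDER_OK;
}

int main(void)
{
    /* The two requests from the slide, parameter part only. */
    const char *valid  = "custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
    const char *forged = "custID=112&num=55A&qty=20&price=10&shipping=5&total=25";

    printf("valid  -> %d\n", validate_order(valid));
    printf("forged -> %d\n", validate_order(forged));
    return 0;
}
```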

Incomplete Mediation
 Linux kernel
o Research has revealed many buffer overflows
o Many of these are due to incomplete mediation
 Linux kernel is “good” software since
o Open-source
o Kernel written by coding gurus
 Tools exist to help find such problems
o But incomplete mediation errors can be subtle
o And tools useful to attackers too!

Race Conditions

Race Condition
 Security processes should be atomic
o Occur “all at once”
 Race conditions can arise when security-critical
process occurs in stages
 Attacker makes change between stages
o Often, between stage that gives authorization,
but before stage that transfers ownership
 Example: Unix mkdir

mkdir Race Condition
 mkdir creates new directory
 How mkdir is supposed to work
[Figure: mkdir performs 1. Allocate space, then 2. Transfer ownership]

mkdir Attack
 The mkdir race condition
[Figure: mkdir performs 1. Allocate space and 3. Transfer ownership; in between, the attacker performs 2. Create link to password file]
 Not really a “race”
o But attacker’s timing is critical
Race Conditions
 Race conditions are common
 Race conditions may be more prevalent
than buffer overflows
 But race conditions harder to exploit
o Buffer overflow is “low hanging fruit” today
 To prevent race conditions, make security-critical
processes atomic
o Occur all at once, not in stages
o Not always easy to accomplish in practice
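What "atomic" means for file creation, as an added example that is not from the original slides: a two-stage check-then-create next to a single `open()` call that checks and creates at once. It illustrates the principle on file creation, not the historical mkdir code; the interleaving is made deterministic with a callback that stands in for the other process, and the temporary directory, the file names and the function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { STAGED_REACHED_PROTECTED = 1, ATOMIC_REFUSED = 2 };

typedef void (*interference_fn)(const char *path, const char *target);

/* Stands in for the other process: plants a link at the path being created. */
static void plant_link(const char *path, const char *target)
{
    if (symlink(target, path) != 0)
        perror("symlink");
}

/* Staged creation: stage 1 checks, stage 2 acts, with a gap in between. */
static int create_in_stages(const char *path, interference_fn gap, const char *target)
{
    struct stat st;

    if (lstat(path, &st) == 0 || errno != ENOENT)
        return -1;                               /* stage 1: name must be free */
    if (gap)
        gap(path, target);                       /* the window between stages */
    return open(path, O_WRONLY | O_CREAT, 0600); /* stage 2: follows the link */
}

/* Atomic creation: the existence check and the creation are one system call,
 * and a symbolic link in the final path component is never followed. */
static int create_atomic(const char *path, interference_fn before, const char *target)
{
    if (before)
        before(path, target);                    /* there is no gap to land in */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* True if the open descriptor refers to the same file as path. */
static int same_file(int fd, const char *path)
{
    struct stat a, b;
    return fstat(fd, &a) == 0 && stat(path, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Runs both variants in a fresh temporary directory and reports, as a bit
 * mask, whether the staged version ended up holding the protected file and
 * whether the atomic version refused. Returns -1 if setup fails. */
int run_demo(void)
{
    char dir[] = "/tmp/raceXXXXXX";
    char protected_path[64], new_path[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(protected_path, sizeof protected_path, "%s/protected", dir);
    snprintf(new_path, sizeof new_path, "%s/newfile", dir);
    fd = open(protected_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);

    fd = create_in_stages(new_path, plant_link, protected_path);
    if (fd >= 0) {
        if (same_file(fd, protected_path))
            result |= STAGED_REACHED_PROTECTED;
        close(fd);
    }
    unlink(new_path);                            /* remove the planted link */

    fd = create_atomic(new_path, plant_link, protected_path);
    if (fd < 0 && errno == EEXIST)
        result |= ATOMIC_REFUSED;
    else if (fd >= 0)
        close(fd);

    unlink(new_path);
    unlink(protected_path);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("staged version reached protected file: %s\n",
           (r > 0 && (r & STAGED_REACHED_PROTECTED)) ? "yes" : "no");
    printf("atomic version refused: %s\n",
           (r > 0 && (r & ATOMIC_REFUSED)) ? "yes" : "no");
    return 0;
}
```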

Malware

Malicious software
 Programs which try to subvert expected
operation of secured and benign codes
 Most common categories-
o Worms
o Viruses
o Logic bombs
o Trojans
o Spyware
o Adware
Malicious Software
 Malware is not new…
 Fred Cohen’s initial virus work in 1980’s
o Used viruses to break MLS systems
 Types of malware (lots of overlap)
o Virus: passive propagation
o Worm: active propagation
o Trojan horse: unexpected functionality
o Trapdoor/backdoor: unauthorized access
o Rabbit: exhaust system resources

Worms
 Run independently
 Propagate a full working version of themselves to
other machines
 Analogous to parasites which live inside a
host and use its resources for their existence
 Classified by primary method they use for
transport
o IM Worms
o Email worms
Virus
 Cannot run independently
 Need host program to
run and activate them
 A computer virus has-
o Infection mechanism
o Payload
o Trigger
Virus pseudocode
    infect();
    if trigger()
    then payload();
Where do Viruses Live?
 Just about anywhere…
 Boot sector
o Take control before anything else
 Memory resident
o Stays in memory
 Applications, macros, data, etc.
 Library routines
 Compilers, debuggers, virus checker, etc.
o These are particularly nasty!

Virus classification by target
 Boot sector virus
o Primary boot
o Secondary boot
 Executable file infectors
o Prepending virus: placed at beginning
o Appending virus: placed at end
o Virus code is over-written or inserted into a file
 Data file infectors- macro virus
Virus classification by target
 Overwriting virus
o Do not change target file size
 Companion virus
o Do not modify infected code
o Installs itself in such a way that it gets
executed before the target code
Virus classification based on concealment

 Encryption
 Oligomorphism
 Polymorphism
 Metamorphism
Virus classification - Encryption
 Makes detection difficult
 Has a decryptor loop for decryption
and transfer of control to it
 Encryption techniques used
o Simple transformation
o Key mixing
o Substitution cipher
o Strong encryption
 Signature detection is easy
Virus classification - Oligomorphism
 Uses a pool of decryptors instead of
one, so uses varying keys
 Entire virus changes and becomes
harder to detect
 Difficulty is very marginal as anti-virus
needs to check only loop variants
Virus classification - Polymorphism
 Almost same as Oligomorphism but has
extremely large number of decryptor
loops
 Mutation engine changes loop with every
encryption
Methods used for writing viruses
 Instruction equivalence
 Instruction sequence equivalence
 Instruction reordering
 Register renaming
 Concurrency
 Writing convoluted programs
 Inlining & outlining function calls
Virus classification - Metamorphism

 Do not have decryption loops


 Mutation engine changes for every
infection
Logic bombs
 Has typically two parts
o Payload-malicious piece of code
o Trigger- Boolean logic
 Time bombs are examples of logic
bombs

Trojans
 Malicious programs that perform
some harmless activities in addition
to malicious activities

Trojan Horse Example
 A trojan has unexpected function
 Prototype of trojan for the Mac
 File icon for freeMusic.mp3:

 For a real mp3, double click on icon


o iTunes opens
o Music in mp3 file plays
 But for freeMusic.mp3, unexpected results…

Trojan Example
 Double click on freeMusic.mp3
o iTunes opens (expected)
o “Wild Laugh” (probably not expected)
o Message box (unexpected)

Trojan Example
 How does freeMusic.mp3 trojan work?
 This “mp3” is an application, not data!

 This trojan is harmless, but…


 Could have done anything user can do
o Delete files, download files, launch apps, etc.

Spyware
 Software used to collect & transmit
information from victim computer
 Spyware does not replicate itself
 Different form of trojans
 Often gets downloaded when viewing some
webpage (the drive-by download concept)
 Examples of info gathered by spyware
o Passwords
o Credit card numbers and bank secrets
o Software license keys
Adwares
 Have similarities with spywares
 Not self-replicating
 Objective is marketing

Malware Detection
 Three common methods
o Signature detection
o Change detection
o Anomaly detection
 We’ll briefly discuss each of these
o And consider advantages and
disadvantages of each

Signature Detection
 A signature is a string of bits found in
software (or could be a hash value)
 Suppose that a virus has signature
0x23956a58bd910345
 We can search for this signature in all files
 If we find the signature are we sure we’ve
found the virus?
o No, same signature could appear in other files
o But at random, chance is very small: 1/2^64
o Software is not random, so probability is higher
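A scanner for the 64-bit signature above, as an added example that is not from the original slides. It covers a case the slide does not mention: files are read in chunks, and a signature that straddles two reads is missed unless the scanner carries the last 7 bytes across the boundary. The sample buffer, the chunk sizes and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 8
/* The slide's signature 0x23956a58bd910345 as a byte string. */
static const unsigned char SIG[SIG_LEN] =
    { 0x23, 0x95, 0x6a, 0x58, 0xbd, 0x91, 0x03, 0x45 };

/* Count occurrences of SIG that lie wholly inside buf. */
static size_t scan_buffer(const unsigned char *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + SIG_LEN <= len; i++)
        if (memcmp(buf + i, SIG, SIG_LEN) == 0)
            hits++;
    return hits;
}

/* Streaming state: the last SIG_LEN-1 bytes seen so far, plus the hit count. */
struct scanner {
    unsigned char tail[SIG_LEN - 1];
    size_t tail_len;
    size_t hits;
};

static void scanner_feed(struct scanner *s, const unsigned char *chunk, size_t len)
{
    unsigned char join[2 * (SIG_LEN - 1)];
    size_t head = len < SIG_LEN - 1 ? len : SIG_LEN - 1;

    /* Matches that straddle the boundary lie in tail + start of chunk. */
    memcpy(join, s->tail, s->tail_len);
    memcpy(join + s->tail_len, chunk, head);
    s->hits += scan_buffer(join, s->tail_len + head);
    /* Matches wholly inside this chunk. */
    s->hits += scan_buffer(chunk, len);

    /* Keep the last SIG_LEN-1 bytes of everything seen for the next read. */
    if (len >= SIG_LEN - 1) {
        memcpy(s->tail, chunk + len - (SIG_LEN - 1), SIG_LEN - 1);
        s->tail_len = SIG_LEN - 1;
    } else {
        size_t total = s->tail_len + len;   /* join holds tail + whole chunk */
        size_t keep = total < SIG_LEN - 1 ? total : SIG_LEN - 1;
        memcpy(s->tail, join + (total - keep), keep);
        s->tail_len = keep;
    }
}

/* Scan buf as a stream of chunk-sized reads, carrying state across reads. */
size_t scan_stream(const unsigned char *buf, size_t len, size_t chunk)
{
    struct scanner s = { {0}, 0, 0 };

    if (chunk == 0)
        return 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        scanner_feed(&s, buf + off, n);
    }
    return s.hits;
}

/* The mistake to avoid: scanning each read on its own. */
size_t scan_chunks_independently(const unsigned char *buf, size_t len, size_t chunk)
{
    size_t hits = 0;

    if (chunk == 0)
        return 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        hits += scan_buffer(buf + off, n);
    }
    return hits;
}

/* Constructed sample: 40 zero bytes with the signature at offsets 0 and 12,
 * so the second copy straddles a 16-byte read boundary. */
size_t make_sample(unsigned char out[40])
{
    memset(out, 0, 40);
    memcpy(out, SIG, SIG_LEN);
    memcpy(out + 12, SIG, SIG_LEN);
    return 40;
}

int main(void)
{
    unsigned char buf[40];
    size_t n = make_sample(buf);

    printf("whole buffer:        %zu\n", scan_buffer(buf, n));
    printf("independent 16-byte: %zu\n", scan_chunks_independently(buf, n, 16));
    printf("streaming 16-byte:   %zu\n", scan_stream(buf, n, 16));
    return 0;
}
```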

Signature Detection
 Advantages
o Effective on “traditional” malware
o Minimal burden for users/administrators
 Disadvantages
o Signature file can be large (10,000’s)…
o …making scanning slow
o Signature files must be kept up to date
o Cannot detect unknown viruses
o Cannot detect some new types of malware
 By far the most popular detection method
Change Detection
 Viruses must live somewhere on system
 If we detect that a file has changed, it
may be infected
 How to detect changes?
o Hash files and (securely) store hash values
o Recompute hashes and compare
o If hash value changes, file might be
infected
o Check for oligomorphism and polymorphism
Change Detection
 Advantages
o Virtually no false negatives
o Can even detect previously unknown malware
 Disadvantages
o Many files change, and often
o Many false alarms (false positives)
o Heavy burden on users/administrators
o If suspicious change detected, then what?
o Might still need signature-based system

Anomaly Detection
 Monitor system for anything “unusual” or
“virus-like” or potentially malicious
 What is unusual?
o Files change in some unusual way
o System misbehaves in some way
o Unusual network activity
o Unusual file access, etc., etc., etc.
 But must first define “normal”
o And normal can change!

Anomaly Detection
 Advantages
o Chance of detecting unknown malware
 Disadvantages
o Unproven in practice
o Trudy can make abnormal look normal (go slow)
o Must be combined with another method (such
as signature detection)
 Also popular in intrusion detection (IDS)
 A difficult unsolved (unsolvable?) problem
o As difficult as AI?
Intrusion Detection System
 IDS- Process of monitoring events
occurring in a system or network.
 IPS- process of detecting signs of
intrusion and attempting to stop the
intrusive efforts
 IDPS- collective system IDS & IPS
Types of intruders
 Masquerader
 Misfeasor
 Clandestine

Types of IDPS technologies
 Network based
o n/w segment and network & application
protocols
 Wireless
o Wireless n/w traffic, wireless protocols
 Network behavior analysis
o Unusual traffic flows, DDoS attacks, malwares
and policy violations
 Host based
Uses of IDS
 Identifying security policy problems
 Documenting existing threats to
organizations
 Deterring individuals from violating
security policies
 Preventive actions of IDPS
 IDPS change security environment
 IDPS can change attack contents
Common components of IDS

Image Courtesy: Security in Computing, Pfleeger and Pfleeger


Intrusion detection techniques
 Signature based detection
 Anomaly/heuristic based detection
 Stateful protocol analysis
Signature based IDS
 Use string matching as the underlying
principle
 Current packet or log entry is
matched to a list of signatures
Signature based: Disadvantages
 Ineffective against known threats
 Cannot pair request with corresponding
response(e.g. error codes)
 Cannot detect attacks that comprise
multiple events and none of the events
contains attack indication
 Cannot remember previous requests
Anomaly based IDS
 Compares definitions of normal activities
against observed activities
 Maintains normal profile behaviors of
users, hosts, network connections or
applications
 Profiles can be static or dynamic generated
during training period
 Static profiles get outdated very soon
 Dynamic profiles get attacked by evasive
techniques to fool IDPS
Anomaly based disadvantages
 Very effective in detecting known
attack
 Suffer from false positives; treat
benign activities as malicious

Stateful protocol analysis
 Compares predetermined profiles of
generally accepted definitions of benign
protocol activity for each protocol against
observed ones
 Relies on vendor-developed universal
profiles that specifies how protocol should
work
 IDPS is capable of checking networks,
applications, and application protocols that
have notion of state
Stateful protocol analysis
 Can identify unexpected sequences of
commands
 Drawback-
o Extremely resource sensitive
o Does not capture attacks that do not
violate the characteristics of generally
accepted protocol behavior
 E.g. there may be several benign requests
which create a DoS
Firewalls
 A single point of defense between
two networks
 Can be simply a router/a group of
routers that is used to filter the
packets along with application level
proxy services
 Mechanisms-
o Allow
o Block
Network Topology Hierarchy
 DMZ- separates the external network
perimeter and internal network
 Firewalls- placed between internet &
DMZ and DMZ & internal network
 A DMZ is simply a method of
networking arrangement, by
segregating servers that are often
accessed from the outside.
Types of Firewall
 Packet filtering firewall
 Circuit level firewall
 Application layer firewall

Packet filtering firewall
 Analyzes network traffic at
transport layer
 Contains rules for allowable data flow
and direction of data flow
 Rules are kept in TCP/IP kernel and
applied to any packet
 Actions
o Deny
o Permit
Factors that allow/deny data
flow through packet filters
 Physical network interface (n/w adaptor)
that packet arrives on
 Source address of data
 Destination address of data
 Type of transport layer protocol- TCP/UDP
 Transport layer source port
 Transport layer destination port
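A stateless packet filter that decides on exactly the six factors listed above, as an added example that is not from the original slides. Rules are evaluated first match wins with a default of deny; the rule set, the interface numbering and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum action { DENY = 0, PERMIT = 1 };
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { IF_ANY = -1, IF_EXTERNAL = 0, IF_INTERNAL = 1 };

#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANY_ADDR 0u, 0u            /* address 0 with mask 0 matches everything */
#define ANY_PORT 0, 65535

struct packet {
    int      iface;                /* interface the packet arrived on */
    uint32_t src, dst;             /* IPv4 addresses, host byte order */
    int      proto;                /* transport protocol number */
    uint16_t sport, dport;
};

struct rule {
    int      iface;
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    int      proto;
    uint16_t sport_lo, sport_hi;
    uint16_t dport_lo, dport_hi;
    enum action action;
};

/* Constructed rule set: 198.51.100.0/24 is the internal network and
 * 192.0.2.10 is a web server reachable from outside. */
static const struct rule RULES[] = {
    /* Internal source addresses must never arrive on the external interface. */
    { IF_EXTERNAL, IP(198, 51, 100, 0), IP(255, 255, 255, 0), ANY_ADDR,
      PROTO_ANY, ANY_PORT, ANY_PORT, DENY },
    /* Anyone outside may reach the web server on TCP port 80. */
    { IF_EXTERNAL, ANY_ADDR, IP(192, 0, 2, 10), IP(255, 255, 255, 255),
      PROTO_TCP, ANY_PORT, 80, 80, PERMIT },
    /* Internal hosts may send DNS queries over UDP. */
    { IF_INTERNAL, IP(198, 51, 100, 0), IP(255, 255, 255, 0), ANY_ADDR,
      PROTO_UDP, ANY_PORT, 53, 53, PERMIT },
};

static int rule_matches(const struct rule *r, const struct packet *p)
{
    return (r->iface == IF_ANY || r->iface == p->iface)
        && (p->src & r->src_mask) == (r->src & r->src_mask)
        && (p->dst & r->dst_mask) == (r->dst & r->dst_mask)
        && (r->proto == PROTO_ANY || r->proto == p->proto)
        && p->sport >= r->sport_lo && p->sport <= r->sport_hi
        && p->dport >= r->dport_lo && p->dport <= r->dport_hi;
}

/* First matching rule decides; a packet that matches nothing is denied. */
enum action filter_packet(const struct rule *rules, size_t n, const struct packet *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].action;
    return DENY;
}

/* Convenience wrapper around the constructed rule set. */
enum action decide(int iface, uint32_t src, uint32_t dst, int proto,
                   uint16_t sport, uint16_t dport)
{
    struct packet p = { iface, src, dst, proto, sport, dport };
    return filter_packet(RULES, sizeof RULES / sizeof RULES[0], &p);
}

int main(void)
{
    printf("web request from outside:      %d\n",
           decide(IF_EXTERNAL, IP(203, 0, 113, 7), IP(192, 0, 2, 10), PROTO_TCP, 40000, 80));
    printf("spoofed internal source:       %d\n",
           decide(IF_EXTERNAL, IP(198, 51, 100, 5), IP(192, 0, 2, 10), PROTO_TCP, 40000, 80));
    /* No per-connection state is kept, so the DNS reply needs its own rule. */
    printf("DNS reply without its own rule: %d\n",
           decide(IF_EXTERNAL, IP(203, 0, 113, 53), IP(198, 51, 100, 5), PROTO_UDP, 53, 5353));
    return 0;
}
```

The last packet is the answer to a permitted DNS query and is still denied, because a stateless filter has no memory of the outgoing request.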
Advantages
 Faster than other technologies
 Less complicated, a single rule can
control deny or allow of packets
 Do not require client computers to be
configured specially
 They shield internal IP address from
external world by doing network
address translation
Disadvantages
 Do not understand application layer
protocols and hence cannot restrict
access to FTP services, such as PUT &
GET commands
 They are stateless, and so not
suitable for application layer
protocols
 Have no audit event generation and
alerting mechanism
Circuit level firewall
 Similar in operation as packet filtering
firewalls, but..
o Operate at session and transport layer
o Validates TCP & UDP sessions before opening a
circuit/connection, through firewall.
 Maintains a table of valid connections and
lets data pass through when session info
matches table entry
 Once session terminates, circuit is closed
and table entry is removed.
 Examines each connection
Circuit level firewall stores-
 Unique session identifier
 State of the connection, namely handshake,
established, or closing
 Sequencing information
 Source IP address
 Destination IP address
 Physical network interface through which
data arrives
 Physical network interface through which
data goes out
Advantages
 Faster than application layer firewalls
 More secure than packet filtering
firewalls
 Maintain limited state information of
protocols
 Protect against packet spoofing
 They shield internal IP addresses
from external networks by n/w
address translation
Disadvantages
 Cannot restrict access to protocol
subsets other than TCP
 Have limited audit event generation
capabilities
 Cannot perform security checks on
higher level protocols
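The difference between the stateless packet filter and the circuit level firewall's connection table, as an added example that is not part of the original slides. The rule set, the class and function names, the simplified state machine and the addresses (documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on: "ext" or "int"
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags: "S", "SA", "A", "F", "R"

# Constructed rules: (iface, source net, destination net, protocol, dest port, action)
RULES = [
    ("ext", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "permit"),  # DMZ web server
    ("int", "10.0.0.0/8", "0.0.0.0/0", "tcp", None, "permit"),   # inside may connect out
]

def packet_filter(p):
    """Stateless check: first matching rule wins, anything unmatched is denied."""
    for iface, src, dst, proto, dport, action in RULES:
        if (p.iface == iface and p.proto == proto
                and ip_address(p.src) in ip_network(src)
                and ip_address(p.dst) in ip_network(dst)
                and dport in (None, p.dport)):
            return action
    return "deny"

class CircuitGateway:
    """Keeps a table of valid TCP sessions; the state machine is simplified."""
    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> handshake/established/closing

    def handle(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            # Only a rule-approved SYN may open a new circuit.
            if p.flags == "S" and packet_filter(p) == "permit":
                self.table[fwd] = "handshake"
                return "permit"
            return "deny"
        state = self.table[key]
        if "R" in p.flags or (state == "closing" and p.flags == "A"):
            del self.table[key]            # session over: close the circuit
        elif "F" in p.flags:
            self.table[key] = "closing"
        elif state == "handshake" and p.flags == "A":
            self.table[key] = "established"
        return "permit"
```

The stateless filter has no rule for reply traffic to inside clients, while the gateway passes a reply only when it matches a table entry, which is why an unsolicited packet claiming to be a reply is dropped.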
Application layer firewalls
 Evaluates network layer packets for valid
data at application layer before allowing a
connection
 Examines data in all network packets at
application layer and maintains complete
list of connection states and sequencing
information
 Validates other security items which
appear at application layer, such as
passwords and service requests
Application layer firewalls
 Act as proxy service to manage data
through firewall for specific service
 Dedicated to particular protocols and
provide additional security checks,
access controls and generate audit
records
 Proxy services
o Proxy server
o Proxy client
Advantages
 Enforce and understand high level
protocols, like HTTP & FTP
 Maintain info about communication
passing through firewall server:
o partial communication derived state info,
o full application derived state info,
o partial session information
 Can be used to deny access to certain
network services and allow others
Advantages..
 Capable of processing and manipulating packet
data
 Do not allow direct communication between
external servers and internal systems, thus
shields internal IP addresses from outside
network
 Transparent between user and external
network
 Provide features like HTTP object caching, URL
filtering and user authentication
 Good at generating auditing records, allowing
admins to monitor threats to the firewall
Disadvantages
 Requires replacing the native network stack on
firewall server
 Do not allow network servers to run on firewall
servers, as proxy servers use same port to listen
 Slow and thus lead to performance degradation
 Not scalable, as each network service adds onto
the number of proxy services required
 Requires modification to client procedures
 Rely on OS support and thus are vulnerable to
bugs in the system such as NDIS, TCP/IP,
WinSock, Win32 bugs
Dynamic packet filtering
firewall
Secure software
development


Software Development
 General software development model
o Specify
o Design
o Implement
o Test
o Review
o Document
o Manage
o Maintain

Secure Software Development
 Goal: move away from “penetrate and patch”
 Penetrate and patch will always exist
o But if more care taken in development, then
fewer and less severe flaws to patch
 Secure software development not easy
 Much more time and effort required thru
entire development process
 Today, little economic incentive for this!

Secure Software Development
 We briefly discuss the following
o Design
o Hazard analysis
o Peer review
o Testing
o Configuration management
o Postmortem for mistakes

Design
 Careful initial design
 Try to avoid high-level errors
o Such errors may be impossible to correct later
o Certainly costly to correct these errors later
 Verify assumptions, protocols, etc.
 Usually informal approach is used
 Formal methods
o Possible to rigorously prove design is correct
o In practice, only works in simple cases

Hazard Analysis
 Hazard analysis (or threat modeling)
o Develop hazard list
o List of what ifs
o Schneier’s “attack tree”
 Many formal approaches
o Hazard and operability studies (HAZOP)
o Failure modes and effects analysis (FMEA)
o Fault tree analysis (FTA)

Peer Review
 Three levels of peer review
o Review (informal)
o Walk-through (semi-formal)
o Inspection (formal)
 Each level of review is important
 Much evidence that peer review is effective
 Although programmers might not like it!

Levels of Testing
 Module testing: test each small section of code
 Component testing: test combinations of a few modules
 Unit testing: combine several components for testing
 Integration testing: put everything together and test

Types of Testing
 Function testing: verify that system functions as it is supposed to
 Performance testing: other requirements such as speed, resource use, etc.
 Acceptance testing: customer involved
 Installation testing: test at install time
 Regression testing: test after any change

Other Testing Issues
 Active fault detection
o Don’t wait for system to fail
o Actively try to make it fail; attackers will!
 Fault injection
o Insert faults into the process
o Even if no obvious way for such a fault to occur
 Bug injection
o Insert bugs into code
o See how many of injected bugs are found
o Can use this to estimate number of bugs
o Assumes injected bugs similar to unknown bugs

Software Summary
 Software flaws
o Buffer overflow
o Race conditions
o Incomplete mediation
 Malware
o Viruses, worms, etc.
 Other software-based attacks

Not in syllabus- Given for
information
Miscellaneous Attacks

Miscellaneous Attacks
 Numerous attacks involve software
 We’ll discuss a few issues that do not
fit in previous categories
o Salami attack
o Linearization attack
o Time bomb
o Can you ever trust software?

Salami Attack
 What is a salami attack?
o Programmer “slices off” money
o Slices are hard for victim to detect
 Example
o Bank calculates interest on accounts
o Programmer “slices off” any fraction of a cent
and puts it in his own account
o No customer notices missing partial cent
o Bank may not notice any problem
o Over time, programmer makes lots of money!

Salami Attack
 Such attacks are possible for insiders
 Do salami attacks actually occur?
 Programmer added a few cents to every
employee payroll tax withholding
o But money credited to programmer’s tax
o Programmer got a big tax refund!
 Rent-a-car franchise in Florida inflated gas
tank capacity to overcharge customers

Salami Attacks
 Employee reprogrammed Taco Bell cash
register: $2.99 item registered as $0.01
o Employee pocketed $2.98 on each such item
o A large “slice” of salami!
 In LA four men installed computer chip
that overstated amount of gas pumped
o Customer complained when they had to pay for
more gas than tank could hold!
o Hard to detect since chip programmed to give
correct amount when 5 or 10 gallons purchased
o Inspector usually asked for 5 or 10 gallons!

Linearization Attack
 Program checks for
serial number
S123N456
 For efficiency,
check made one
character at a time
 Can attacker take
advantage of this?

Linearization Attack
 Correct string takes longer than incorrect
 Attacker tries all 1-character strings
o Finds S takes most time
 Attacker then tries all 2-character strings beginning with S
o Finds S1 takes most time
 And so on…
 Attacker is able to recover serial number
one character at a time!

Linearization Attack
 What is the advantage of attacking serial
number one character at a time?
 Suppose serial number is 8 characters and
each has 128 possible values
o Then $128^8 = 2^{56}$ possible serial numbers
o Attacker would guess the serial number in
about $2^{55}$ tries, a lot of work!
o Using the linearization attack, the work is
about $8(128/2) = 2^9$, which is trivial!

Linearization Attack
 A real-world linearization attack
 TENEX (an ancient timeshare system)
o Passwords checked one character at a time
o Careful timing was not necessary, instead…
o …could arrange for a “page fault” when next
unknown character guessed correctly
o The page fault register was user accessible
o Attack was very easy in practice
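Why the character-at-a-time serial number check leaks, beside a comparison that does the same work for every guess, as an added example that is not part of the original slides. The function names are assumptions of this example, and the count of character comparisons stands in for running time so the result is deterministic.

```python
SERIAL = "S123N456"   # serial number used on the slide

def leaky_check(guess, serial=SERIAL):
    """Character-at-a-time check that stops at the first mismatch.
    Returns (ok, comparisons); the comparison count stands in for running time."""
    if len(guess) != len(serial):
        return False, 0
    compared = 0
    for g, s in zip(guess, serial):
        compared += 1
        if g != s:
            return False, compared
    return True, compared

def fixed_work_check(guess, serial=SERIAL):
    """Compares every position and only then decides, so the work done
    does not depend on where the first wrong character is."""
    if len(guess) != len(serial):
        return False, 0
    diff, compared = 0, 0
    for g, s in zip(guess, serial):
        diff |= ord(g) ^ ord(s)    # accumulate mismatches, never exit early
        compared += 1
    return diff == 0, compared

def leak_profile(check, serial=SERIAL, filler="x"):
    """Comparisons made for guesses whose first k characters are correct (k = 0..n)."""
    n = len(serial)
    return [check(serial[:k] + filler * (n - k), serial)[1] for k in range(n + 1)]

def work_factors(length=8, alphabet=128):
    """Expected guesses: exhaustive search vs. one character at a time."""
    return alphabet ** length // 2, length * (alphabet // 2)
```

`leak_profile(leaky_check)` rises with each correct leading character while `leak_profile(fixed_work_check)` stays flat. In real Python code, `hmac.compare_digest` from the standard library is the comparison to use for secrets.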

Time Bomb
 In 1986 Donald Gene Burleson told employer
to stop withholding taxes from his paycheck
 His company refused
 He planned to sue his company
o He used company computer to prepare legal docs
o Company found out and fired him
 Burleson had been working on a malware…
 After being fired, his software “time bomb”
deleted important company data

Time Bomb
 Company was reluctant to pursue the case
 So Burleson sued company for back pay!
o Then company finally sued Burleson
 In 1988 Burleson was fined $11,800
o Took years to prosecute
o Cost thousands of dollars to prosecute
o Resulted in a slap on the wrist
 One of the first computer crime cases
 Many cases since follow a similar pattern
o Companies often reluctant to prosecute

Thank You
