Computer Security (Chapter-2)

The document discusses different types of malicious computer threats including viruses, worms, Trojan horses, and spyware. It explains how these threats work and how to detect and prevent them using anti-virus software. It also covers reconnaissance attacks like packet sniffing, port scanning, and ping sweeping. Finally, it discusses denial of service attacks and distributed denial of service attacks.

Uploaded by Naoly Get

Chapter Two

Computer Threat
Malicious Code
Examples are
- Viruses
- Logic bomb
- Worms
- Bacteria or Rabbit
- Trojan horses
- Spywares and Adwares
- A non-virus virus, or a hoax
Virus
- "A program fragment that replicates and hides itself inside other programs, usually without your knowledge."
- Similar to a biological virus: it replicates and spreads on its own
- The damage it does depends on what its writer intended

Malicious Code /Cont…
Worm
- An independent program that reproduces by copying itself from one computer to another (usually through networks)
- It often causes denial of service
- Note: the classification of a piece of malware as a virus or a worm is not universally agreed upon
Trojan Horse
- Named after the ancient Greek tale of the city of Troy and the wooden horse that was full of soldiers
- A Trojan horse, appearing to be benign software, may secretly download a virus or some other type of malware onto your computer
- The program does what the user expects, but it also does more, unnoticed by the user

Malicious Code /Cont…
Spyware
- "Software that literally spies on what you do on your computer"
Examples
- Cookies: any data that the cookie saves can be retrieved by any website, so your entire Internet browsing history can be tracked
- Key loggers: a computer program that records every keystroke made by a computer user, in order to gain access to passwords and other confidential information
Legal Uses of Spyware
- Employers may use spyware as a means of monitoring employee use of company technology
- Parents may use this type of software on their home computer to monitor the activities of their children on the Internet and protect them from online predators

Malicious Code /Cont…
Most software-based attacks are commonly called viruses. How do viruses work?
Infection (Mechanisms)
- First, the virus must search for and detect objects to infect
- Then it installs itself into the infectable object, for example by:
  o Writing on the boot sector
  o Scanning the computer for network connections, then copying itself to other machines on the network to which the infected computer has access
  o Reading your email address book and emailing itself to everyone in it
  o Adding some code to executable programs
  o Adding some code to initialization/auto-executable programs
  o Writing a macro in a Word file, etc.
- Virulence is a measure of how rapidly the infection spreads and how easily it infects new targets

Malicious Code /Cont…
Trigger Mechanisms
- Date
- Number of infections
- First use
Effects (or Payload): it can be anything
- In general, once a virus is on a system, it can do anything that any legitimate program can do
- Displaying a message
- Deleting files
- Formatting the hard disk
- Overloading the processor/memory
- Changing system settings
- etc.

Malicious Code /Cont…
Method: design of a virus
- Detection module: detects programs that are already infected
- Infection module: copies the virus code into non-infected programs
- Damage module: contains the malware proper
- Conditions module: makes the actions mentioned above dependent on certain conditions
- Camouflage module: tries to avoid detection by anti-virus software

Anti-Virus
There are
- Generic solutions: e.g., integrity checking
- Virus-specific solutions: e.g., looking for known viruses
Three categories
- Scanners: look for a signature (or pattern) that matches a known virus
- Activity monitors: flag a program that behaves in a way consistent with virus activity
- Change detection software: detects objects whose contents have changed (integrity checking)
Functions of anti-viruses
- Identification of known viruses
- Detection of suspected viruses
- Blocking of possible viruses
- Disinfection of infected objects
- Deletion and overwriting of infected objects

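The two anti-virus approaches named above, integrity checking (the generic solution) and signature scanning (the virus-specific solution), as an added example that is not part of the slides. It works on in-memory byte buffers that stand in for files; the hash function, the sample "files" and the marker string used as a signature are all constructed for the demonstration, not real signatures.

```c
/* Added example (not from the slides): two of the anti-virus techniques
 * listed above, applied to in-memory byte buffers standing in for files.
 * Integrity checking (the "generic" solution) hashes each object once to
 * form a baseline and later rehashes and compares, so any modification is
 * caught whether or not the virus is known. Signature scanning (the
 * "virus-specific" solution) searches an object for a byte pattern known
 * to belong to one sample. The hash, the sample "files" and the marker
 * string used as a signature are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit FNV-1a, a small non-cryptographic hash. A production baseline
 * should use a cryptographic hash (e.g. SHA-256) so that an attacker cannot
 * craft a modified file with the same digest. */
uint64_t fnv1a64(const unsigned char *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Change detection: 1 if the object's current hash differs from the
 * recorded baseline, 0 if it is unchanged. */
int integrity_changed(uint64_t baseline, const unsigned char *data, size_t len) {
    return fnv1a64(data, len) != baseline;
}

/* Signature scan: offset of the first occurrence of sig in data, or -1.
 * memcmp rather than strstr, so signatures containing NUL bytes work. */
long signature_scan(const unsigned char *data, size_t len,
                    const unsigned char *sig, size_t siglen) {
    if (siglen == 0 || siglen > len) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(data + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* Constructed objects standing in for a clean program and the same program
 * after a virus appended itself; "EX-SIG-42" is a made-up marker. */
static const unsigned char CLEAN_PROGRAM[] = "hello-world program body";
static const unsigned char INFECTED_PROGRAM[] = "hello-world program body EX-SIG-42 appended code";
static const unsigned char SAMPLE_SIG[] = "EX-SIG-42";
#define LEN(a) (sizeof (a) - 1)   /* length of a string literal without its NUL */

int main(void) {
    /* baseline taken while the file was known to be clean */
    uint64_t baseline = fnv1a64(CLEAN_PROGRAM, LEN(CLEAN_PROGRAM));
    printf("changed? clean=%d infected=%d\n",
           integrity_changed(baseline, CLEAN_PROGRAM, LEN(CLEAN_PROGRAM)),
           integrity_changed(baseline, INFECTED_PROGRAM, LEN(INFECTED_PROGRAM)));
    printf("signature at: clean=%ld infected=%ld\n",
           signature_scan(CLEAN_PROGRAM, LEN(CLEAN_PROGRAM), SAMPLE_SIG, LEN(SAMPLE_SIG)),
           signature_scan(INFECTED_PROGRAM, LEN(INFECTED_PROGRAM), SAMPLE_SIG, LEN(SAMPLE_SIG)));
    return 0;
}
```

The two checks fail in opposite directions: the integrity check catches the appended code without knowing anything about the virus but also fires on every legitimate update, while the signature scan stays quiet on updates but only finds samples whose pattern it already carries.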
Anti-Virus /Cont…
Tips for Avoiding Viruses and Spyware
- Use a virus scanner such as McAfee, Norton, Kaspersky, AVG, etc.
- If you are not sure about an e-mail attachment, do not open it
- Do not believe "security alerts" that are sent to you. For instance, Microsoft does not send out alerts in this manner
- Check antivirus websites regularly; you can read more about any virus, past or current, at the following websites:
  o www.f-secure.com/virus-info/virus-news/
  o www.cert.org/nav/index_red.html
  o http://securityresponse.symantec.com/
  o http://vil.nai.com/vil/

Classes of Attack
Three classes of attack are commonly found in today's network environment.
Access Attacks
- An attempt to access another user's account or a network device through improper means
- A network administrator is responsible for ensuring that only authorized users access the network
- The four types of access attacks are:
  - password attacks
  - trust exploitation
  - port redirection
  - man-in-the-middle attacks

Classes of Attack /Cont…
Password attacks
- Although it might sound like a good idea to keep your passwords simple or to write them down, both practices are highly discouraged
- The goal is to make it harder for someone to find or guess your password; therefore, password integrity is necessary
Trust exploitation
- Trust exploitation can occur in one of two ways:
  o Reliance on the trust a client has in a server
  o Reliance on the trust the server has in the client

Classes of Attack /Cont…
Port redirection
- Port redirection is a form of trust exploitation in which the untrustworthy source uses a machine with access to the internal network to pass traffic through a port on the firewall or access control list (ACL)
Man-in-the-Middle Attacks
- A man-in-the-middle attack happens when a hacker eavesdrops on or listens for network traffic and intercepts a data transmission

Classes of Attack /Cont…
Reconnaissance Attacks
- The hacker surveys a network and collects data for a future attack
- Important information that can be compiled during a reconnaissance attack includes the following:
  o Ports open on a server
  o Ports open on a firewall
  o IP addresses on the host network
  o Hostnames associated with the IP addresses
- The four common methods used for reconnaissance attacks are:
  - packet sniffers
  - ping sweeps
  - port scans
  - information queries

Classes of Attack /Cont…
Packet Sniffers
- A packet sniffer may also be called a network analyzer, packet analyzer, or Ethernet sniffer
- The packet sniffer may be either a software program or a piece of hardware with software installed in it that captures traffic sent over the network, which is then decoded and analyzed by the sniffer
- Sniffers can also be planted at an institution's router to copy all packets going to/from the organization
- A common software program available today is Wireshark, formerly known as Ethereal

Classes of Attack /Cont…
Note: sniffer programs are two-edged!
- Attackers use them for eavesdropping
- Defenders use them for defensive purposes: intrusion detection
Ping Sweeps
- Ping enables you to validate that an IP address exists and can accept requests by sending an echo request and then waiting for an echo reply
- A ping sweep tool can send an echo request to numerous host IP addresses at the same time to see which host(s) respond(s) with an echo reply

Classes of Attack /Cont…
Port Scans
- A port scanner is a software program that surveys a host network for open ports. Because ports are associated with applications, the hacker can use the port and application information to determine a way to attack the network
- These programs can be used by a third party to audit a network as well as by a hacker with malicious intent
Information Queries
- Information queries can be sent via the Internet to resolve hostnames from IP addresses or vice versa. One of the most commonly used queries is nslookup

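Detection logic for the two reconnaissance methods just described, ping sweeps and port scans, as an added example that is not part of the slides. The detector is run over a constructed flow log; the log format, the two thresholds and the addresses (taken from the RFC 5737 documentation ranges) are assumptions made for the demonstration. The idea is the one the slides describe from the attacker's side, turned around: a sweep touches many hosts from one source, a scan touches many ports on one host from one source, so counting distinct targets per source exposes both.

```c
/* Added example (not from the slides): detection logic for the ping sweeps
 * and port scans described above, run over a constructed flow log. A source
 * that sends ICMP echo requests to many distinct hosts looks like a ping
 * sweep; a source that sends TCP SYNs to many distinct host:port pairs
 * looks like a port scan. The log format, the thresholds and the addresses
 * (RFC 5737 documentation ranges) are assumptions for the demonstration. */
#include <stdio.h>
#include <string.h>

#define MAX_SRC        16
#define MAX_SEEN       64
#define KEY_LEN        48
#define PING_SWEEP_MIN 8    /* assumed: >= 8 distinct hosts pinged by one source */
#define PORT_SCAN_MIN  10   /* assumed: >= 10 distinct host:port pairs from one source */

struct src_stats {
    char src[KEY_LEN];
    char echo_dsts[MAX_SEEN][KEY_LEN];   int n_echo_dsts;   /* distinct hosts pinged */
    char tcp_targets[MAX_SEEN][KEY_LEN]; int n_tcp_targets; /* distinct host:port pairs */
};

static struct src_stats table[MAX_SRC];
static int n_src;

static struct src_stats *find_src(const char *src) {
    for (int i = 0; i < n_src; i++)
        if (strcmp(table[i].src, src) == 0) return &table[i];
    return NULL;
}

static struct src_stats *find_or_add_src(const char *src) {
    struct src_stats *s = find_src(src);
    if (s != NULL) return s;
    if (n_src == MAX_SRC) return NULL;
    s = &table[n_src++];
    memset(s, 0, sizeof *s);
    snprintf(s->src, KEY_LEN, "%s", src);
    return s;
}

/* Record key in a list of distinct strings (no-op if already present). */
static void add_distinct(char list[][KEY_LEN], int *n, const char *key) {
    for (int i = 0; i < *n; i++)
        if (strcmp(list[i], key) == 0) return;
    if (*n < MAX_SEEN) snprintf(list[(*n)++], KEY_LEN, "%s", key);
}

/* Ingest one constructed log line of the form
 *   "ICMP echo-request <src> -> <dst>"   or   "TCP SYN <src> -> <dst>:<port>"
 * Returns 0 on success, -1 if the line matches neither form. */
int ingest_line(const char *line) {
    char src[KEY_LEN], dst[KEY_LEN];
    struct src_stats *s;
    if (sscanf(line, "ICMP echo-request %47s -> %47s", src, dst) == 2) {
        if ((s = find_or_add_src(src)) == NULL) return -1;
        add_distinct(s->echo_dsts, &s->n_echo_dsts, dst);
        return 0;
    }
    if (sscanf(line, "TCP SYN %47s -> %47s", src, dst) == 2) {
        if ((s = find_or_add_src(src)) == NULL) return -1;
        add_distinct(s->tcp_targets, &s->n_tcp_targets, dst);
        return 0;
    }
    return -1;
}

int is_ping_sweep(const char *src) {
    struct src_stats *s = find_src(src);
    return s != NULL && s->n_echo_dsts >= PING_SWEEP_MIN;
}

int is_port_scan(const char *src) {
    struct src_stats *s = find_src(src);
    return s != NULL && s->n_tcp_targets >= PORT_SCAN_MIN;
}

/* Feed a constructed log: one source pings ten hosts (a sweep), one source
 * probes eleven ports on a single host (a scan), and one benign host pings
 * a peer twice and opens a single HTTPS connection.
 * Returns the number of lines accepted (24 for this log). */
int load_constructed_log(void) {
    static const int ports[] = {21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389};
    char line[128];
    int ok = 0;
    for (int i = 1; i <= 10; i++) {
        snprintf(line, sizeof line, "ICMP echo-request 203.0.113.7 -> 192.0.2.%d", i);
        if (ingest_line(line) == 0) ok++;
    }
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        snprintf(line, sizeof line, "TCP SYN 203.0.113.9 -> 198.51.100.5:%d", ports[i]);
        if (ingest_line(line) == 0) ok++;
    }
    if (ingest_line("ICMP echo-request 192.0.2.50 -> 192.0.2.1") == 0) ok++;
    if (ingest_line("ICMP echo-request 192.0.2.50 -> 192.0.2.1") == 0) ok++;
    if (ingest_line("TCP SYN 192.0.2.50 -> 192.0.2.1:443") == 0) ok++;
    return ok;
}

int main(void) {
    const char *sources[] = {"203.0.113.7", "203.0.113.9", "192.0.2.50"};
    printf("lines accepted: %d\n", load_constructed_log());
    for (int i = 0; i < 3; i++)
        printf("%-12s ping sweep=%d port scan=%d\n", sources[i],
               is_ping_sweep(sources[i]), is_port_scan(sources[i]));
    return 0;
}
```

Counting distinct targets rather than raw packets is what keeps the benign host quiet: it pinged the same peer twice and opened one connection, so its counts stay at one, while a single sweeper or scanner accumulates many targets quickly. In practice the counters would be kept per time window and aged out.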
Classes of Attack /Cont…
Denial of Service (DoS) Attacks
- DoS attacks are often implemented by a hacker as a means of denying a service that is normally available to a user or organization
- For example, users might be denied access to email as the result of a successful DoS attack
- The denial may occur at the source (by preventing the server from obtaining the resources needed to perform its function), at the destination (by blocking the communications from the server), or along the intermediate path (by discarding messages from either the client or the server, or both)

Classes of Attack /Cont…
- DoS can also take the form of a distributed DoS (DDoS) attack, a TCP SYN attack, or a smurf attack
Distributed DoS (DDoS)
- With distributed DoS, multiple systems are compromised to send a DoS attack to a specific target. The compromised systems are commonly called zombies or slaves. As a result of the attack, the targeted system denies service to valid users

[Figure: the attacker sends a "start attack" command to a botnet of slaves, and the slaves flood the victim]

Classes of Attack /Cont…
TCP SYN attack
- In a TCP SYN attack, a SYN request is sent to a device with a spoofed source IP address
- The attacking system does not acknowledge the resulting SYN-ACK, which causes the session connection queues to fill up and stop taking new connection requests
Smurf Attack
- With a smurf attack, multiple broadcast ping requests are sent to a single target from a spoofed IP address

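The queue-filling mechanism behind the TCP SYN attack, as an added example that is not part of the slides. It tracks half-open handshakes over a constructed handshake log so that the symptom the slide names (the connection queue fills with handshakes that never complete) becomes a number a monitor can watch. The log format, the backlog size and the addresses are assumptions made for the demonstration.

```c
/* Added example (not from the slides): a half-open handshake counter for
 * the TCP SYN attack described above, run over a constructed handshake log.
 * A "SYN <client>" line opens a pending entry (the server has replied
 * SYN-ACK and is waiting); the matching "ACK <client>" line completes it.
 * Spoofed SYNs are never acknowledged, so the pending count climbs toward
 * the listener's backlog, the condition the slide describes. The log
 * format, the backlog size and the addresses are assumptions. */
#include <stdio.h>
#include <string.h>

#define BACKLOG     8      /* assumed listen() backlog of the victim */
#define MAX_PENDING 256
#define KEY_LEN     48

static char pending[MAX_PENDING][KEY_LEN];
static int n_pending;

static int find_pending(const char *client) {
    for (int i = 0; i < n_pending; i++)
        if (strcmp(pending[i], client) == 0) return i;
    return -1;
}

/* Process one line; returns the number of half-open handshakes afterwards,
 * or -1 if the line is neither "SYN <client>" nor "ACK <client>". */
int process_handshake_line(const char *line) {
    char client[KEY_LEN];
    if (sscanf(line, "SYN %47s", client) == 1) {
        if (find_pending(client) < 0 && n_pending < MAX_PENDING)
            snprintf(pending[n_pending++], KEY_LEN, "%s", client);
        return n_pending;
    }
    if (sscanf(line, "ACK %47s", client) == 1) {
        int i = find_pending(client);
        if (i >= 0) {                       /* handshake completed: drop the entry */
            memcpy(pending[i], pending[n_pending - 1], KEY_LEN);
            n_pending--;
        }
        return n_pending;
    }
    return -1;
}

/* True once the pending handshakes would fill the backlog: from here on,
 * new legitimate SYNs are dropped, which is the denial of service. */
int backlog_exhausted(void) { return n_pending >= BACKLOG; }

/* Constructed log: one legitimate client completes its handshake, then
 * nine SYNs arrive from spoofed sources that never send the final ACK.
 * Returns the final half-open count (9). */
int replay_constructed_log(void) {
    char line[64];
    int last;
    process_handshake_line("SYN 192.0.2.10:5001");
    last = process_handshake_line("ACK 192.0.2.10:5001");  /* back to 0 pending */
    for (int i = 1; i <= 9; i++) {
        snprintf(line, sizeof line, "SYN 203.0.113.%d:%d", i, 40000 + i);
        last = process_handshake_line(line);
    }
    return last;
}

int main(void) {
    int half_open = replay_constructed_log();
    printf("half-open handshakes: %d, backlog of %d exhausted: %s\n",
           half_open, BACKLOG, backlog_exhausted() ? "yes" : "no");
    return 0;
}
```

A real listener ages half-open entries out after a timeout, so the attacker must keep sending; a monitor that alerts when the half-open count sits near the backlog for longer than that timeout sees the attack without needing to know the (spoofed) source addresses.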
Program flaws /Buffer Overflows
- A buffer (or array or string) is a space in which data can be held
- A buffer resides in memory
- Because memory is finite, a buffer's capacity is finite
- In many programming languages the programmer must declare the buffer's maximum size
  o Then the compiler can set aside that amount of space

Program flaws /Buffer Overflows
Example
- char sample[10];
- One byte for each of the elements sample[0] through sample[9]
- Now we execute the statement:
  o sample[10] = 'B';
- The subscript 10 is out of bounds
  o The compiler can detect it during compilation
  o However, if the statement were sample[i] = 'B'; we could not identify the problem until i was set during execution
- Where the problem shows up depends on what is adjacent to the array sample

Program flaws /Buffer Overflows
Example
- Suppose each of the ten elements of the array sample is filled with the letter A and the erroneous reference uses the letter B, as follows:

    char sample[10];
    int i;
    for (i = 0; i < 10; i++)
        sample[i] = 'A';
    sample[10] = 'B';   /* out of bounds: the last valid element is sample[9] */

Program flaws /Buffer Overflows
So there are four cases to consider in deciding where the 'B' goes: the user's data space, the user's program area, system data, or system code.

Program flaws /Buffer Overflows
- If the extra character overflows into the user's data space
  o It simply overwrites an existing variable value
    - perhaps affecting the program's result
    - but affecting no other program or data
- In the second case, the 'B' goes into the user's program area
  o If it overlays an already executed instruction: no effect
  o If it overlays an instruction that is not yet executed, the machine will try to execute an instruction with operation code 0x42, the internal code for the character 'B'

Program flaws /Buffer Overflows
- Spilling over into system data or code areas produces similar results to those for the user's space: computing with a faulty value or trying to execute an improper operation

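The slides' sample[i] = 'B' statement with the index checked at run time before the store, as an added example that is not part of the slides. C performs no such check itself, so the only way to keep the 'B' out of the neighbouring data or code is to refuse the store when the index is out of range, and to bound every copy into a fixed-size buffer. The helper functions and the "neighbour" variable placed next to the array are constructed for the demonstration.

```c
/* Added example (not from the slides): the statement sample[i] = 'B' from
 * the slides, with the index checked at run time before the store. C itself
 * performs no such check, so an out-of-range index silently lands on
 * whatever sits next to the array (the four cases above). The helper
 * functions and the "neighbour" variable are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Store c at buf[i] only when i lies inside [0, cap).
 * Returns 0 on success, -1 when the index would fall outside the buffer. */
int store_char(char *buf, size_t cap, size_t i, char c) {
    if (buf == NULL || i >= cap) return -1;
    buf[i] = c;
    return 0;
}

/* Copy src into dst without ever writing past dst[cap - 1]; the result is
 * always NUL-terminated. Returns the number of characters copied, which is
 * smaller than strlen(src) when the input had to be truncated. */
size_t copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    if (cap == 0) return 0;
    while (n + 1 < cap && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Re-run the slides' scenario with the check in place: fill ten 'A's, then
 * attempt to write 'B' at index 10. Returns 1 when the out-of-range store
 * was refused and the variable declared next to the array still holds its
 * value, 0 otherwise. */
int slide_scenario(void) {
    struct { char sample[10]; char neighbour; } frame;  /* constructed layout */
    frame.neighbour = 'N';
    for (size_t i = 0; i < 10; i++)
        store_char(frame.sample, sizeof frame.sample, i, 'A');
    int rc = store_char(frame.sample, sizeof frame.sample, 10, 'B');
    return rc == -1 && frame.neighbour == 'N';
}

int main(void) {
    char name[8];
    printf("scenario safe: %d\n", slide_scenario());
    printf("copied %zu chars: \"%s\"\n",
           copy_bounded(name, sizeof name, "a-much-longer-input"), name);
    return 0;
}
```

The return codes matter as much as the checks: a caller that ignores the -1 or the truncated count turns a prevented overflow into silently lost data, so callers should treat both as errors to report.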
Program flaws /Time-of-Check, Time-of-Use
- TOCTTOU ("TOCK-too") errors
- Also known as "race condition" errors
These errors occur when the following happens:
- The user requests the system to perform an action
- The system verifies that the user is allowed to perform the action
- The system performs the action, but the state it checked has changed in between

Program flaws /Time-of-Check, Time-of-Use
Example
- A particular Unix terminal program is setuid (runs with superuser privileges) so that it can allocate terminals to users (a privileged operation)
- It supports a command to write the contents of the terminal to a log file
- It first checks whether the user has permission to write to the requested file; if so, it opens the file for writing
- The attacker makes a symbolic link: logfile -> a file she owns
- Between the "check" and the "open", she changes it: logfile -> /etc/passwd

Program flaws /Time-of-Check, Time-of-Use
The problem
- The state of the system changed between the check for permission and the execution of the operation
- The file whose permissions were checked for writeability by the user (a file she owns) wasn't the same file that was later written to (/etc/passwd)
  o Even though they had the same name (logfile) at different points in time
- Q: Can the attacker really "win this race"?
- A: Yes

Program flaws /Time-of-Check, Time-of-Use
Defenses against TOCTTOU errors
- When performing a privileged action on behalf of another party, make sure all information relevant to the access control decision is constant between the time of the check and the time of the action ("the race")
  o Keep a private copy of the request itself so that the request can't be altered during the race
  o Where possible, act on the object itself, and not on some level of indirection
    - e.g. make access control decisions based on file handles, not filenames
  o If that's not possible, use locks to ensure the object is not changed during the race

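The "act on the file handle, not the filename" defence applied to the setuid log-writer scenario from the previous slides, as an added example that is not part of the slides. Instead of checking a path and then opening it (two steps an attacker can race by re-pointing a symlink in between), the safe opener opens the path with O_NOFOLLOW, then inspects the descriptor it actually obtained with fstat() and refuses to write unless that object is a regular file owned by the requesting user. The racy opener is kept beside it for comparison. The self-test builds its own temporary files; the paths, the helper names and the use of the caller's real uid are assumptions, and the code is POSIX/Linux only.

```c
/* Added example (not from the slides): the "act on the file handle, not
 * the name" defence for the setuid log-writer scenario above. Instead of
 * checking a path and then opening it (two steps an attacker can race by
 * swapping a symlink in between), open_log_for_user() opens the path with
 * O_NOFOLLOW and then inspects the descriptor it actually got with fstat(),
 * writing only if that object is a regular file owned by the requesting
 * user. The self-test creates its own temporary files; the paths and the
 * expected caller uid are assumptions for the demonstration. POSIX/Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path for appending on behalf of user `caller`. Returns a descriptor,
 * or -1 if the path is a symlink, is not a regular file, or belongs to
 * someone else. The decision is made on the opened descriptor, so the
 * object that was checked is the object that will be written. */
int open_log_for_user(const char *path, uid_t caller) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                   /* ELOOP here means "it was a symlink" */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The vulnerable pattern from the slides, kept for comparison: the check
 * and the open both refer to a name, and the name can be re-pointed in
 * between; open() also follows symlinks, so the "logfile" link is honoured. */
int open_log_racy(const char *path) {
    if (access(path, W_OK) != 0) return -1;  /* time of check ... */
    return open(path, O_WRONLY | O_APPEND);  /* ... time of use */
}

/* Self-test: creates a temp file owned by us and a symlink to it under a
 * second name (the attacker's "logfile -> something else" trick). Returns 0
 * when the safe opener accepts the real file, rejects the symlink, and the
 * racy opener accepts the symlink (demonstrating the gap); non-zero otherwise. */
int tocttou_self_test(void) {
    char real_path[] = "/tmp/tocttou-real-XXXXXX";   /* constructed paths */
    char link_path[] = "/tmp/tocttou-link-XXXXXX";
    int result = 1;
    int fd = mkstemp(real_path);
    if (fd < 0) return 2;
    close(fd);
    int lfd = mkstemp(link_path);            /* reserve a unique name ... */
    if (lfd < 0) { unlink(real_path); return 3; }
    close(lfd);
    unlink(link_path);                       /* ... then replace it with a symlink */
    if (symlink(real_path, link_path) != 0) { unlink(real_path); return 4; }

    int safe_real = open_log_for_user(real_path, getuid());
    int safe_link = open_log_for_user(link_path, getuid());
    int racy_link = open_log_racy(link_path);
    if (safe_real >= 0 && safe_link < 0 && racy_link >= 0) result = 0;
    if (safe_real >= 0) close(safe_real);
    if (safe_link >= 0) close(safe_link);
    if (racy_link >= 0) close(racy_link);
    unlink(link_path);
    unlink(real_path);
    return result;
}

int main(void) {
    int r = tocttou_self_test();
    printf("self-test: %s (%d)\n", r == 0 ? "ok" : "failed", r);
    return r;
}
```

Note that the safe opener never consults the filename after open() returns: ownership and type are read from the descriptor, which cannot be re-pointed. In a real setuid program the uid passed in would be the unprivileged caller's real uid, and the ownership check would be combined with whatever policy the program enforces for the log directory.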
Program flaws /Incomplete mediation
- Incomplete mediation occurs when the application accepts incorrect data from the user
- Users sometimes mistype data in web forms
  - Phone number: 51998884567
  - Email: iang#cs.uwaterloo.ca
- The web application needs to ensure that what the user has entered constitutes a meaningful request
- This is called mediation

Program flaws /Incomplete mediation
Client-side mediation
- You've probably visited web sites with forms that do client-side mediation
  o When you click "submit", JavaScript code will first run validation checks on the data you entered
  o If you enter invalid data, a popup will prevent you from submitting it
Related issue: client-side state
- Many web sites rely on the client to keep state for them
- They put hidden fields in the form which are passed back to the server when the user submits the form

Program flaws /Incomplete mediation
Problem: what if the user
  o Turns off JavaScript?
  o Edits the form before submitting it? (Greasemonkey)
  o Writes a script that interacts with the web server instead of using a web browser at all?
  o Connects to the server "manually"? (telnet server.com 80)
- Note that the user can send arbitrary (unmediated) values to the server this way
- The user can also modify any client-side state

Program flaws /Incomplete mediation
Example
- At a bookstore website, the user orders a copy of the course text. The server replies with a form asking for the address to ship to. This form has hidden fields storing the user's order:

    <input type="hidden" name="isbn" value="0-13-239077-9">
    <input type="hidden" name="quantity" value="1">
    <input type="hidden" name="unitprice" value="111.00">

- What happens if the user changes the "unitprice" value to "50.00" before submitting the form?

Program flaws /Incomplete mediation
Defences against incomplete mediation
- Client-side mediation is an acceptable way to provide a friendlier user interface, but it is useless for security purposes
- You have to do server-side mediation, whether or not you also do client-side mediation
- For values entered by the user:
  o Always do very careful checks on the values of all fields
  o These values can potentially contain completely arbitrary 8-bit data (including accented chars, control chars, etc.) and be of any length
- For state stored by the client:
  o Make sure the client has not modified the data in any way

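Server-side mediation for the bookstore form from the previous slides, as an added example that is not part of the slides. It treats every submitted field, hidden ones included, as untrusted text: the quantity is parsed strictly and range-checked, the price string is parsed strictly into cents, and the unit price is never taken from the form as the basis for the total but looked up in the server's own catalogue and compared with what the client sent, so a form whose "unitprice" was edited to "50.00" is rejected as tampered client-side state. The catalogue, the quantity limit and the function names are assumptions made for the demonstration.

```c
/* Added example (not from the slides): server-side mediation for the
 * bookstore form above. Every submitted field, hidden ones included, is
 * treated as untrusted text: quantity is parsed strictly and range-checked,
 * and the unit price is not taken from the form at all but looked up in the
 * server's catalogue and compared with the submitted value. The catalogue,
 * the limits and the function names are assumptions for the demonstration. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QTY 99   /* assumed per-order limit */

/* Server-side source of truth (constructed). Prices are kept in cents so
 * the comparison is exact; a floating-point value from the form is never used. */
struct book { const char *isbn; long unit_price_cents; };
static const struct book CATALOGUE[] = {
    { "0-13-239077-9", 11100 },   /* the course text from the slides, 111.00 */
    { "0-13-600424-3", 5400 },    /* constructed second entry */
};

static const struct book *find_book(const char *isbn) {
    for (size_t i = 0; i < sizeof CATALOGUE / sizeof CATALOGUE[0]; i++)
        if (strcmp(CATALOGUE[i].isbn, isbn) == 0) return &CATALOGUE[i];
    return NULL;
}

/* Parse "ddd" or "ddd.cc" into cents. Rejects signs, exponents, whitespace,
 * trailing text and anything but exactly two decimals. 0 on success, -1 otherwise. */
int parse_price_cents(const char *s, long *out) {
    long whole = 0, frac = 0;
    int ndigits = 0, nfrac = 0;
    const char *p = s;
    while (isdigit((unsigned char)*p)) {
        whole = whole * 10 + (*p - '0');
        p++;
        if (++ndigits > 9) return -1;        /* absurdly large: refuse */
    }
    if (ndigits == 0) return -1;
    if (*p == '.') {
        p++;
        while (isdigit((unsigned char)*p)) { frac = frac * 10 + (*p - '0'); p++; nfrac++; }
        if (nfrac != 2) return -1;
    }
    if (*p != '\0') return -1;
    *out = whole * 100 + frac;
    return 0;
}

/* Strict decimal integer in [1, MAX_QTY]: no sign, no whitespace, no trailing
 * characters. 0 on success, -1 otherwise. */
int parse_quantity(const char *s, long *out) {
    char *end;
    if (!isdigit((unsigned char)s[0])) return -1;
    errno = 0;
    long q = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || q < 1 || q > MAX_QTY) return -1;
    *out = q;
    return 0;
}

/* Mediate one submitted order. Returns the total in cents (>= 0) when every
 * field is acceptable, -1 for malformed input, -2 for an unknown ISBN, and
 * -3 when the client-supplied price disagrees with the catalogue, i.e. the
 * hidden field was modified on the client. */
long mediate_order(const char *isbn, const char *quantity, const char *unitprice) {
    long qty, price;
    if (parse_quantity(quantity, &qty) != 0 || parse_price_cents(unitprice, &price) != 0)
        return -1;
    const struct book *b = find_book(isbn);
    if (b == NULL) return -2;
    if (price != b->unit_price_cents) return -3;  /* tampered client-side state */
    return b->unit_price_cents * qty;             /* total from the server's price, never the form's */
}

int main(void) {
    printf("honest form:    %ld\n", mediate_order("0-13-239077-9", "1", "111.00"));
    printf("edited price:   %ld\n", mediate_order("0-13-239077-9", "1", "50.00"));
    printf("bad quantity:   %ld\n", mediate_order("0-13-239077-9", "-5", "111.00"));
    printf("unknown isbn:   %ld\n", mediate_order("0-00-000000-0", "1", "111.00"));
    return 0;
}
```

Comparing the submitted price with the catalogue (rather than simply ignoring it) turns a tampering attempt into a detectable event worth logging; the total itself is always computed from the server's price. The same idea applies to any client-side state: either re-derive it on the server or protect it with an integrity check the client cannot forge.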
Controls Against Program Threats/Flaws
Development controls
- Limit software development activities, making it harder for a developer to create malicious (or inadvertently flawed) programs
- Produce better software
Operating system controls
- Limit access to computing system objects and provide safe sharing of information among programs
Administrative controls
- Limit the kinds of actions people can take
- Improve system usability, reusability, and maintainability

Development controls
- Modularity – security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components
- Encapsulation – the developer of one module should not need to know how a different module is implemented
- Information hiding – components will have limited effect on other components
- Hazard Analysis – a set of systematic techniques to expose potentially hazardous system states
- Testing – unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing

Development controls /Cont…
- Good Design
  – Use a philosophy of fault tolerance
  – Have a consistent policy for handling failures
  – Capture the design rationale and history
  – Use design patterns
- Prediction – predict the risks involved in building and using the system
- Static Analysis – use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
- Configuration Management – control changes during development and maintenance

Operating system controls
- Trusted Software – code that has been rigorously developed and analyzed
  o Functional correctness
  o Enforcement of integrity
  o Limited privilege
  o Appropriate confidence level
- Mutual Suspicion – assume the other program is not trustworthy
- Confinement – limit the resources that a program can access
- Access Log – list who accessed computer objects, when, and for how long

Administrative Controls
- Standards of Program Development
  o Standards of design
  o Standards of documentation, language, and coding style
  o Standards of programming
  o Standards of testing
  o Standards of configuration management
  o Security Audits
- Separation of Duties

Database security
A list of requirements for database security.
Physical database integrity
- The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe
Logical database integrity
- The structure of the database should be preserved
- With logical integrity of a database, a modification to the value of one field does not affect other fields
Element integrity
- The data contained in each element are accurate

Database security /Cont…
Auditability
- It is possible to track who or what has accessed (or modified) the elements in the database
Access control
- A user is allowed to access only authorized data, and different users can be restricted to different modes of access (such as read or write)
User authentication
- Every user is positively identified, both for the audit trail and for permission to access certain data
Availability
- Users can access the database in general and all the data for which they are authorized

Ten Most Critical Web Application Security Vulnerabilities
(http://www.owasp.org)
- Unvalidated Parameters
- Broken Access Control
- Broken Account and Session Management
- Cross-Site Scripting Flaws
- Buffer Overflows
- Command Injection Flaws
- Error Handling Problems
- Insecure Use of Cryptography
- Remote Administration Flaws
- Web and Application Server Misconfiguration

Questions?