Lecture 14 Overview

Program Flaws
  • Taxonomy of flaws:
    • how (genesis)
    • when (time)
    • where (location)
  • the flaw was introduced into the system

CS 450/650 Lecture 14: Program Flaws

Security Flaws by Genesis
  • Genesis
    • Intentional
      • Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
      • Non-malicious
    • Inadvertent
      • Validation error
      • Domain error
      • Serialization error
      • Identification/authentication error
      • Other error

Flaws by time
  • Time of introduction
    • During development
      • Requirement/specification/design
      • Source code
      • Object code
    • During maintenance
    • During operation

Flaws by Location
  • Location
    • Software
      • Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
      • Support tools: privileged utilities, unprivileged utilities
      • Application
    • Hardware

Malware Evolution
  • 1980s
    • Malware for entertainment (pranks)
    • 1983: “virus”
    • 1988: Internet Worm
  • 1990s
    • Malware for social status / experiments
    • 1990: antivirus software
  • Early 2000s
    • Malware to spam
  • Mid 2000s
    • Criminal malware

Lecture 15: Malicious Codes

CS 450/650 Fundamentals of Integrated Computer Security

Slides are modified from Csilla Farkas and Brandon Phillips

Kinds of Malicious Codes
  • Virus: a program fragment that attaches copies of itself to other programs.
    • Propagates and performs some unwanted function
    • Not a stand-alone program: it runs only when its infected host program runs
    • Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

CS 450/650 Lecture 15: Malicious Codes

Kinds of Malicious Code
  • Worm: a program that propagates copies of itself through the network.
    • Independent program (needs no host program).
    • May carry other code, including programs and viruses.
    • Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.

Kinds of Malicious Code
  • Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources
    • Denying the user access to the resources
  • Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered
    • When triggered, malicious code is executed

Kinds of Malicious Code
  • Trojan Horse: a secret, undocumented routine embedded within a useful program
    • Executing the useful program also executes the secret code
  • Trapdoor: a secret, undocumented entry point into a program, used to grant access without the normal authentication checks
  • Dropper: not itself a virus or an infected file
    • When executed, it installs a virus into memory, onto the disk, or into a file

Malware Proliferation

[figure not reproduced] (Microsoft Security Intelligence Report 6)

Malware Families

Regional Threat Categories

[figure not reproduced] (Microsoft Security Intelligence Report 6)

Virus Lifecycle
  • Dormant phase: the virus is idle
    • not all viruses have this stage
  • Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
  • Triggering phase: the virus is activated to perform the function for which it was created
  • Execution phase: the function is performed
    • The function may be harmless or damaging

Virus Types
  • Parasitic virus:
    • Attaches itself to a file and replicates when the infected program is executed
    • most common form
  • Memory resident virus:
    • lodged in main memory as part of a resident system program
    • Virus may infect every program that executes

Virus Types
  • Boot Sector Viruses:
    • Infects the boot record and spreads when the system is booted
    • Gains control of the machine before virus detection tools are loaded
    • Very hard to notice
  • Macro Virus:
    • the virus is part of a macro associated with a document

Virus Types
  • Stealth virus:
    • A form of virus explicitly designed to hide from detection by antivirus software
  • Polymorphic virus:
    • A virus that mutates with every infection making detection by the “signature” of the virus difficult

How Viruses Append
  • Virus appended to program: [figure] original program + virus = the virus placed after the intact original program
  • Virus surrounding a program: [figure] original program + virus = Virus-1 placed before and Virus-2 after the original program
  • Virus integrated into program: [figure] original program + virus = virus fragments 1 to 4 interleaved with pieces of the original program

How Viruses Gain Control
  • Virus V has to be invoked instead of target T
    • V overwrites T (T's code is replaced, so running T runs V)
    • V changes pointers from T to V (the entry point or a reference to T now leads to V, which typically runs and then passes control on to T)

High risk virus properties
  • Hard to detect
  • Hard to destroy
  • Spread infection widely
  • Can re-infect
  • Easy to create
  • Machine independent

Virus Signatures
  • Storage pattern
    • Code always located at a specific address
    • Increased file size
  • Execution pattern
  • Transmission pattern
  • Polymorphic viruses: change their stored form with each infection, so a fixed byte-pattern signature no longer matches
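As an added example (not code from the lecture), the following Python models the last bullet: a constructed toy virus body is XOR-encoded with a per-infection key behind a short invariant decoder stub, so a storage-pattern signature taken from the body never matches on disk, while a signature on the stub, an emulation of the decoder, or a brute-force decode still finds it. PAYLOAD, DECODER_STUB and the single-byte XOR scheme are all assumptions made for illustration.

```python
"""Added example (not from the lecture): why a fixed byte signature misses a
polymorphic virus, and three ways a scanner copes. All data is constructed."""
import os

# Constructed stand-ins: PAYLOAD is the body a scanner wants to match;
# DECODER_STUB is the small invariant loop that decodes the body at run time.
PAYLOAD = b"TOYVIRUS: find_host(); append_self(); trigger(); execute();"
DECODER_STUB = b"\xeb\x05DECODE"
SIGNATURE = PAYLOAD[:16]          # the bytes an AV vendor would extract


def xor_bytes(data, key):
    """Single-byte XOR; its own inverse, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def polymorphic_instance(key=None):
    """One infection's stored form: stub, 1-byte key, encoded body.
    Two infections with different keys have different bytes on disk."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255   # never 0: XOR with 0 leaves plaintext
    return DECODER_STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def naive_signature_scan(sample):
    """Storage-pattern signature: looks for the body's first 16 bytes as stored."""
    return SIGNATURE in sample


def stub_signature_scan(sample):
    """Signature on the part that cannot change: the decoder stub itself."""
    return DECODER_STUB in sample


def emulate_and_scan(sample):
    """Mimic the decoder: read the key after the stub, decode, then match."""
    off = sample.find(DECODER_STUB)
    if off == -1:
        return False
    key_pos = off + len(DECODER_STUB)
    if key_pos >= len(sample):
        return False
    body = xor_bytes(sample[key_pos + 1:], sample[key_pos])
    return SIGNATURE in body


def brute_force_xor_scan(sample):
    """Layout-agnostic fallback: try every single-byte key over the whole file.
    Costs 255 decodes per file, so real scanners limit it to suspect regions."""
    return any(SIGNATURE in xor_bytes(sample, k) for k in range(1, 256))
```

The stub signature is the cheapest check but also the easiest for the virus author to vary next; emulation and brute-force decoding trade CPU time for robustness, which is the same trade-off real engines make with their emulators.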

Antivirus Approaches
  • Detection:
    • determine infection and locate the virus
  • Identification:
    • identify the specific virus
  • Removal:
    • remove the virus from all infected systems, so the disease cannot spread further
  • Recovery:
    • restore the system to its original state

Preventing Virus Infection
  • Prevention:
    • Install software only from trusted sources
    • Test new software in an isolated environment first
    • Use virus detectors
  • Limit damage:
    • Make a clean bootable diskette
    • Make and retain backup copies of important resources
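An added example, not part of the slides, that walks the four antivirus steps from the previous slide and the storage-pattern checks against constructed samples in two of the append layouts shown earlier (appended and surrounding), and shows why the retained backup above is the recovery path when removal cannot rebuild the original. The signature database, the program image, the baseline and the path are all constructed for illustration.

```python
"""Added example (not from the lecture): detection, identification, removal and
recovery run against constructed samples in two append layouts, with the
storage-pattern checks and the backup-based recovery path.
Every byte string, path and signature here is constructed for illustration."""
import hashlib

# Hypothetical signature database: virus name -> bytes found in its body.
SIGNATURES = {
    "Toy.Appender.A": b"\xe8\x00\x00\x00\x00\x5bTOYVIRUS-A",
    "Toy.Wrapper.B": b"\x60\xe8\x00\x00\x00\x00TOYVIRUS-B",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# A clean program image and the (size, hash) baseline recorded at install time.
CLEAN_PROGRAM = b"\x7fELF" + bytes(60) + b"int main(void){return 0;}" + bytes(40)
BASELINE = {"/usr/local/bin/tool": (len(CLEAN_PROGRAM), sha256(CLEAN_PROGRAM))}


def infect_appended(program, body):
    """Constructed sample: virus body after the intact original program."""
    return program + body


def infect_surrounding(program, body):
    """Constructed sample: virus code before and after the original program."""
    return body + program + body


def detect_and_identify(data):
    """Detection and identification: every known signature found, with offset."""
    return [(name, data.find(sig)) for name, sig in SIGNATURES.items() if sig in data]


def storage_pattern_changed(path, data, baseline):
    """Storage-pattern check: size or hash differs from the clean baseline."""
    size, digest = baseline[path]
    return len(data) != size or sha256(data) != digest


def remove_appended(data, offset):
    """Removal for the appended layout: cut from the body onward."""
    return data[:offset]


def recover(path, data, baseline, backup=None):
    """Recovery: keep the cleaned file only if it hashes to the baseline,
    otherwise fall back to a retained backup that does."""
    _, digest = baseline[path]
    if sha256(data) == digest:
        return data, "verified"
    if backup is not None and sha256(backup) == digest:
        return backup, "restored-from-backup"
    return None, "unrecoverable"


def scan_and_clean(path, data, baseline, backup=None):
    """Run detection, identification, removal and recovery; return a report."""
    report = {"path": path, "grew": len(data) > baseline[path][0]}
    hits = detect_and_identify(data)
    if not hits:
        if storage_pattern_changed(path, data, baseline):
            report["status"] = "modified-unknown"  # no signature, yet not the baseline
        else:
            report["status"] = "clean"
        return report
    name, offset = hits[0]
    restored, how = recover(path, remove_appended(data, offset), baseline, backup)
    report.update(status="infected", virus=name, offset=offset,
                  recovery=how, restored=restored)
    return report
```

Truncating at the signature offset only works for the appended layout; for the surrounding and integrated layouts the cleaned bytes will not hash to the baseline, and the report falls through to the backup or to "unrecoverable", which is exactly why the prevention slide lists backups under limiting damage.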

Nyxem Email Virus
  • Estimate of total number of infected computers is between 470K and 945K
  • At least 45K of the infected computers were also compromised by other forms of spyware or botware
  • Spread: [figure not reproduced]

Worm
  • Self-replicating (like virus)
  • Objective: system penetration (intruder)
  • Phases: dormant, propagation, triggering, and execution
  • Propagation:
    • Searches for other systems to infect
      • e.g., host tables
    • Establishes connection with remote system
    • Copies itself to remote system
    • Execute
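An added example, not from the slides, of what the propagation phase above looks like from the defender's side: a host that searches for other systems to infect by generating addresses contacts many distinct destinations on one port within seconds, which no normal client does. The flow records are constructed (one benign browsing workstation, one spraying host) with a seeded generator so the sample is reproducible; the window length and fan-out threshold are illustrative assumptions.

```python
"""Added example (not from the lecture): spotting a random-scanning worm's
propagation phase in flow records by destination fan-out per source and port.
The records are constructed; the thresholds are illustrative."""
import random
from collections import Counter, defaultdict


def make_sample_flows():
    """Constructed records: (timestamp_s, src, dst, proto, dport)."""
    rng = random.Random(1)          # seeded so the sample is reproducible
    flows = []
    # Benign: a workstation browsing four web servers over a minute.
    for t in range(60):
        flows.append((t, "10.0.0.5", "203.0.113.%d" % (1 + t % 4), "tcp", 80))
    # Worm-like: one host sprays UDP/1434 at random addresses, 50 per second.
    for t in range(5):
        for _ in range(50):
            dst = "%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255),
                                   rng.randint(0, 255), rng.randint(1, 254))
            flows.append((t, "10.0.0.9", dst, "udp", 1434))
    return flows


def detect_scanners(flows, window_s=10, min_fanout=20):
    """Return {(src, proto, dport): peak_distinct_destinations} for every
    source whose distinct-destination count on one port reaches min_fanout
    inside some window_s-second window."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_key[(src, proto, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        in_window = Counter()       # distinct destinations currently in the window
        lo = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events older than the window before measuring fan-out.
            while events[lo][0] < ts - window_s:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_fanout:
            alerts[key] = peak
    return alerts
```

Fan-out on a single port is a cheap first filter; a production detector would also weight failed connections (most random addresses are unreachable or not listening), which is what separates a scanning worm from a busy but legitimate server.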

Code-Red Worm
  • On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours
  • Spread: [figure not reproduced]

Sapphire/Slammer Worm
  • At the time, the fastest computer worm in history
    • doubled in size every 8.5 seconds
    • infected more than 90 percent of the ~75K vulnerable hosts within 10 minutes
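An added worked calculation, not part of the lecture: the doubling time above can be turned into a whole infection curve with the standard logistic model of a random-scanning worm (the model is an assumption here; the slides do not state it). Let $a(t)$ be the fraction of the $N \approx 75{,}000$ vulnerable hosts infected at time $t$ and $K$ the rate at which one infected host finds new victims:

$$\frac{da}{dt} = K\,a\,(1-a), \qquad a(t) = \frac{e^{K(t-T)}}{1+e^{K(t-T)}}$$

Early on $a \ll 1$, so $a(t) \approx a_0 e^{Kt}$ and a doubling time of $8.5$ s gives

$$K = \frac{\ln 2}{8.5\ \mathrm{s}} \approx 0.0815\ \mathrm{s}^{-1}.$$

Starting from a single host ($a_0 = 1/N$), the time to reach $a = 0.9$ follows from $\frac{a}{1-a} = \frac{a_0}{1-a_0}\,e^{Kt}$:

$$t_{90} = \frac{\ln\big(9\,(N-1)\big)}{K} \approx \frac{13.42}{0.0815\ \mathrm{s}^{-1}} \approx 165\ \mathrm{s}.$$

The idealized model predicts 90 percent infection in under three minutes; the observed "within 10 minutes" is consistent with it, the difference being the slowdown once the worm's own scan traffic saturated network links.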

Witty Worm
  • reached its peak activity after approximately 45 minutes
    • at which point the majority of vulnerable hosts had been infected
  • [figures not reproduced: World, USA]
