CS 4235 Introduction to Information Security PowerPoint PPT Presentation


Title: CS 4235 Introduction to Information Security


1
CS 4235 Introduction to Information Security
  • Lecture 6: Program Security II
  • Summer 2007 in Barcelona
  • Ellen Zegura

2
Nonmalicious errors
  • Frequently seen in code, because coders are human
    and tools are either not available, not good or
    not used
  • Types
      • Buffer overflows
      • Incomplete mediation
      • Time-of-check to time-of-use errors
  • Note that while there are solutions for new code,
    we must also worry about existing code

3
Buffer Overflow
  • char sample[10];
  • sample[10] = 'b'; subscript out of bounds;
    ideally compiler catches this
  • sample[i] = 'b'; depends on run-time value of i;
    ideally monitored during execution with warning
  • But monitoring takes time, and some languages don't
    require bound

4
Buffer Overflow
  • When is there a problem? Depends on what gets
    written into
      • Case 1: write into your own user data (i.e., into
        another program variable)
      • Case 2: write into your own code
      • Case 3: write into system data
      • Case 4: write into system code
  • Attacker interested in Cases 3 and 4

5
Buffer Overflow Attacks
  • Replace code in system space: masquerade as the
    OS and execute instructions with higher
    privileges
  • Replace stack pointer to direct control to
    attacker program (as in Internet Worm)

6
Incomplete Mediation
  • Example
      • http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
      • http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
  • Price is passed as parameter in URL
  • Exposed and open for tampering
  • Solution: avoid unchecked data values
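
Added example (not part of the original slides): one way a server could mediate the order URL above completely, by looking up price and shipping cost itself and recomputing the total instead of trusting the values in the query string. The catalog, shipping table, quantity limit and the names `mediate_order` and `OrderRejected` are assumptions for illustration, with prices taken from the slide's first URL.

```python
from urllib.parse import urlsplit, parse_qs

# Server-side truth. Values are assumptions taken from the slide's first URL.
CATALOG = {"555A": 10}          # part number -> unit price
SHIPPING = {"boat": 5}          # ship method -> shipping cost
MAX_QTY = 1000                  # hypothetical sanity limit


class OrderRejected(ValueError):
    pass


def mediate_order(url):
    """Return a trusted order dict, or raise OrderRejected."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        values = params.get(name, [])
        if len(values) != 1:            # missing or duplicated parameter
            raise OrderRejected(f"{name}: expected exactly one value")
        return values[0]

    cust, part, ship, qty_s = one("custID"), one("part"), one("ship"), one("qy")
    if not cust.isdigit():
        raise OrderRejected("custID: not numeric")
    if part not in CATALOG:
        raise OrderRejected("part: unknown")
    if ship not in SHIPPING:
        raise OrderRejected("ship: unknown method")
    if not (qty_s.isascii() and qty_s.isdigit()) or not 1 <= int(qty_s) <= MAX_QTY:
        raise OrderRejected("qy: out of range")

    qty = int(qty_s)
    price, shipcost = CATALOG[part], SHIPPING[ship]
    total = qty * price + shipcost      # recomputed, never read from the URL

    # Client-supplied price/shipcost/total are only compared, to flag tampering.
    trusted = {"price": price, "shipcost": shipcost, "total": total}
    tampered = sorted(k for k, v in trusted.items()
                      if k in params and params[k] != [str(v)])
    return {"custID": cust, "part": part, "qy": qty, "ship": ship,
            **trusted, "tampered": tampered}


# The two URLs from the slide, with separators restored.
GOOD = "http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205"
BAD = "http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25"
```

Both URLs yield a charged total of 205; the second is additionally flagged because its `price` and `total` disagree with the server's own values.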

7
Time-of-Check to Time-of-Use
  • Synchronization flaw
  • Exploits delay between time a value is checked
    and time a value is used
  • Example
      • provide 5 $20 bills to merchant who counts
      • when merchant turns away, remove one $20
      • merchant takes stack of bills and provides item
  • Solutions: do not expose critical params during
    loss of control; use checksum; ensure serial
    integrity

8
Viruses and Other Bad Code
  • Virus: program that can replicate itself and
    pass on malicious code
  • Trojan horse: e.g., password logger
  • Logic or time bomb: triggered on condition or
    time
  • Trapdoor
  • Worm
  • Rabbit

9
What makes an effective virus?
  • Hard to detect
  • Not easily destroyed
  • Spreads widely
  • Easy to create
  • Machine and OS independent
  • Which characteristics did Internet worm have?

10
Virus Activation
  • To do harm, virus program must be executed
    (obvious)
  • How are users convinced to run virus code?
  • Attachment to email that is opened
  • Appended to start of a real program
  • Surrounding a real program (control before and
    after)
  • As substitute for part (or all) of real program

11
Virus Data - Symantec
  • In 2005, 21,858 new instances of viruses and
    worms, compared to 11,846 in 2004
  • Distinct families of malicious code decreased
    from 335 in 2004 to 274 in 2005
  • 92% of attacks use email to deliver
  • 14% of attacks use p2p sharing protocols
  • 13% of attacks exploit system or s/w
    vulnerability
  • An attack can use more than one propagation method

12
Virus Detection
  • signatures
  • virus scanners
  • polymorphic viruses
  • Witty worm detection