Virus

1
Virus
2
Memory-resident virus
Runs whenever certain interrupts occur.
3
Encrypted virus
To conceal signature.
4
Unix address space
Low address
Program
Statically allocated data
Stack
High address
5
Procedure call
E.g., finger aabbcc
aa bb cc

Buffer area allocated by called fingerd (512
bytes)
Return address
PC?
ret
para2
para1
Stack
High address
6
Buffer overflow
E.g., finger aabbzz
aa bb cc
zz

Malicious program (binary)
Return address
PC?
zz
para2
para1
Stack
7
Epidemic
rsh attack
Worm proper
finger attack
Bootstrap
sendmail attack
Upload request
Worm proper
Infested machine
New victim
8
Firewall location
Internet
Intranet
Intranet

• Packet filter
• and/or
• - Application gateway

9
Typical configurations
DMZ
10
(a) Filtering router
Mail server (port25)
Filtering router
Internet
Intranet
11
Filtering router implementation
12
(b) Filtering router and Bastion host
Bastion host
Internet
Protected Intranet
Router only permits traffic to/from bastion host
13
(c) Demilitarized Zone (DMZ)
Modem access
Bastion host
Protected intranet
inside router
Internet
outside router
Web server
DMZ
14
HTTP proxy
15
Local HTTP proxy
Proxy Server
(B) HTTP
(A) Proxy HTTP
www.company.com80
Client

• is configured to use proxy HTTP via (B).

(B) Sends GET page.html to http//www.company.com/
on behalf of (A).
16
RMI thru firewall
HTTP server
RMI server port
client_stub
POST data to www.company.com80/cgi-bin/
java-rmi.cgi?forwardltrmiServerPortgt
17
Private network
18
Hybrid network
19
Virtual private network
20
Addressing in a VPN
21
Tunneling
22
Virtual Private Network (VPN)
Internet
Intranet B
Intranet A
Tunneling
Router RA
Router RB
200 Data
RB
Station 200
Station 100
encrypted