Title: Virus
1 Virus
2 Memory-resident virus
Runs whenever certain interrupts occur.
3 Encrypted virus
To conceal signature.
4 Unix address space
Low address
Program
Statically allocated data
Stack
High address
5 Procedure call
E.g., finger aabbcc
aa bb cc
Buffer area allocated by the called fingerd (512 bytes)
Return address
PC?
ret
para2
para1
Stack
High address
6 Buffer overflow
E.g., finger aabbzz
aa bb cc
zz
Malicious program (binary)
Return address
PC?
zz
para2
para1
Stack
7 Epidemic
rsh attack
Worm proper
finger attack
Bootstrap
sendmail attack
Upload request
Worm proper
Infested machine
New victim
8 Firewall location
Internet
Intranet
Intranet
- Packet filter
and/or
- Application gateway
9 Typical configurations
DMZ
10 (a) Filtering router
Mail server (port 25)
Filtering router
Internet
Intranet
11 Filtering router implementation
12 (b) Filtering router and Bastion host
Bastion host
Internet
Protected Intranet
Router only permits traffic to/from bastion host
13 (c) Demilitarized Zone (DMZ)
Modem access
Bastion host
Protected intranet
inside router
Internet
outside router
Web server
DMZ
14 HTTP proxy
15 Local HTTP proxy
Proxy Server
(B) HTTP
(A) Proxy HTTP
www.company.com:80
Client
- is configured to use proxy HTTP via (B).
(B) Sends GET page.html to http://www.company.com/ on behalf of (A).
16 RMI through firewall
HTTP server
RMI server port
client_stub
POST data to www.company.com:80/cgi-bin/java-rmi.cgi?forward=<rmiServerPort>
17 Private network
18 Hybrid network
19 Virtual private network
20 Addressing in a VPN
21 Tunneling
22 Virtual Private Network (VPN)
Internet
Intranet B
Intranet A
Tunneling
Router RA
Router RB
200 Data
RB
Station 200
Station 100
encrypted