CSCE 522 Lecture 11 Program Security Malicious Code - PowerPoint PPT Presentation

About This Presentation
Title:

CSCE 522 Lecture 11 Program Security Malicious Code

Description:

Kinds of Malicious Code. Worm: a program that propagates copies of itself through ... Kinds of Malicious Code ... When triggered, malicious code is executed. ... – PowerPoint PPT presentation

Slides: 30
Provided by: far1
Transcript and Presenter's Notes
1
CSCE 522 Lecture 11 Program Security: Malicious Code
2
Reading
  • Reading for this lecture
    • Required
      • Pfleeger Ch. 3
    • Recommended
      • USC Computing Services Virus Information Center
  • Reading for next lecture
    • Pfleeger Ch. 4.5

3
Program Flaws
  • Taxonomy of flaws: how, when, and where the flaw
    was introduced into the system
    • how (genesis)
    • when (time)
    • where (location)

4
Security Flaws by Genesis
  • Genesis
    • Intentional
      • Malicious: Trojan Horse, Trapdoor, Logic Bomb,
        Worms, Virus
      • Non-malicious
    • Inadvertent
      • Validation error
      • Domain error
      • Serialization error
      • Identification/authentication error
      • Other error

5
Flaws by Time
  • Time of introduction
    • During development
      • Requirement/specification/design
      • Source code
      • Object code
    • During maintenance
    • During operation

6
Flaws by Location
  • Location
    • Software
      • Operating system: system initialization, memory
        management, process management, device
        management, file management,
        identification/authentication, other
      • Support: privileged utilities, unprivileged
        utilities
      • Application
    • Hardware

7
Slammer Worm
  • The Slammer worm (Sapphire worm) was the fastest
    worm in history
  • Started Saturday, Jan. 25, 2003
  • Doubled in size every 8.5 seconds at its peak
  • Infected more than 90 percent of the vulnerable
    hosts within 10 minutes using a vulnerability in
    Microsoft's SQL Server
  • Total infected: more than 75,000 hosts
  • Flooded networks all over the world, caused
    disruptions to financial institutions, ATMs, and
    even an election in Canada
  • http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.html

8
History
  • 1982 Elk Cloner
  • 1983 virus
  • 1988 Internet Worm
  • 1990 antivirus software
  • 2000s virus mitigation

9
Kinds of Malicious Code
  • Virus: a program that attaches copies of itself
    into other programs. Propagates and performs
    some unwanted function. Viruses are not
    programs - they cannot run on their own.
  • Bacteria: make copies of themselves to overwhelm
    a computer system's resources, denying the user
    access to the resources.

10
Kinds of Malicious Code
  • Worm: a program that propagates copies of itself
    through the network. Independent program. May
    carry other code, including programs and viruses.
  • Trojan Horse: secret, undocumented routine
    embedded within a useful program. Execution of
    the program results in execution of secret code.

11
Kinds of Malicious Code
  • Logic bomb, time bomb: programmed threats that
    lie dormant for an extended period of time until
    they are triggered. When triggered, malicious
    code is executed.
  • Trapdoor: secret, undocumented entry point into a
    program, used to grant access without normal
    methods of access authentication.
  • Dropper: not a virus or infected file. When
    executed, it installs a virus into memory, onto
    the disk, or into a file.

12
Virus
  • Virus lifecycle
    • Dormant phase: the virus is idle (not all
      viruses have this stage).
    • Propagation phase: the virus places an identical
      copy of itself into other programs or into
      certain system areas.
    • Triggering phase: the virus is activated to
      perform the function for which it was created.
    • Execution phase: the function is performed. The
      function may be harmless or damaging.

13
Virus Types
  • Parasitic virus: most common form. Attaches
    itself to a file and replicates when the infected
    program is executed.
  • Memory resident virus: lodged in main memory as
    part of a resident system program. The virus may
    infect every program that executes.

14
Virus Types
  • Boot Sector Viruses
    • Infect the boot record and spread when the
      system is booted.
    • Gain control of the machine before the virus
      detection tools.
    • Very hard to notice
    • Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

15
Virus Types
  • Stealth virus: a form of virus explicitly
    designed to hide from detection by antivirus
    software.
  • Polymorphic virus: a virus that mutates with
    every infection, making detection by the
    signature of the virus difficult.

16
How Viruses Append
[Figure: "Virus appended to program". Before: Original program. After: Original program followed by virus.]
17
How Viruses Append
[Figure: "Virus surrounding a program". Before: Original program. After: Virus-1, Original program, Virus-2.]
18
How Viruses Append
[Figure: "Virus integrated into program". Before: Original program. After: virus code interleaved with the original program.]
19
How Viruses Gain Control
  • Virus V has to be invoked instead of target T.
    • V overwrites T
    • V changes pointers from T to V
  • High risk virus properties
    • Hard to detect
    • Hard to destroy
    • Spread infection widely
    • Can re-infect
    • Easy to create
    • Machine independent

20
Virus Signatures
  • Storage pattern
    • Code always located at a specific address
    • Increased file size
  • Execution pattern
  • Transmission pattern
  • Polymorphic Viruses

21
Antivirus Approaches
  • Detection: determine infection and locate the
    virus.
  • Identification: identify the specific virus.
  • Removal: remove the virus from all infected
    systems, so the disease cannot spread further.
  • Recovery: restore the system to its original
    state.
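The two slides above (storage-pattern signatures, then detection / identification / removal / recovery) map directly onto code. The following is an added example, not part of the lecture or Pfleeger's text: it runs those four steps over constructed in-memory "files". `CLEAN_PROGRAM`, `FAKE_SIGNATURE`, the `SIGNATURES` table and the `Example.*` virus names are all made up for the example; the "infection" is just a labelled marker appended to a byte string. The last step also shows why a polymorphic copy (body mutated on each infection) slips past the fixed signature while the integrity baseline still catches the changed file.

```python
import hashlib

# Constructed sample data for this example (not real malware): a fake "program" image and
# a fake marker that stands in for a virus's byte signature.
CLEAN_PROGRAM = b"\x7fELF" + b"\x00" * 12 + b"program body: does useful work"
FAKE_SIGNATURE = b"EXAMPLE-VIRUS-MARKER-0001"

# Signature database (constructed): virus name -> byte pattern the scanner looks for.
SIGNATURES = {
    "Example.Appender": FAKE_SIGNATURE,
    "Example.Prepender": b"EXAMPLE-PREPEND-STUB",
}


def make_baseline(files):
    """Record size and SHA-256 of every file while the system is known to be clean.
    `files` maps a file name to its contents as bytes."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check_integrity(baseline, files):
    """Detection by storage pattern: report files whose hash changed and by how many
    bytes they grew (positive growth is the 'increased file size' symptom)."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "new file", len(data)))
            continue
        old_size, old_hash = baseline[name]
        if hashlib.sha256(data).hexdigest() != old_hash:
            findings.append((name, "modified", len(data) - old_size))
    return findings


def scan_signatures(files, signatures=SIGNATURES):
    """Identification: name the specific virus by locating its byte pattern.
    Returns (file name, virus name, byte offset) for every hit."""
    hits = []
    for name, data in files.items():
        for virus, pattern in signatures.items():
            offset = data.find(pattern)
            if offset != -1:
                hits.append((name, virus, offset))
    return hits


def remove_appended(data, pattern):
    """Removal for the 'virus appended to program' layout only: the original program is
    everything before the virus body, so truncating at the pattern offset recovers it.
    The surrounding and integrated layouts need a virus-specific disinfector instead."""
    offset = data.find(pattern)
    return data if offset == -1 else data[:offset]


def demo():
    """Run the four antivirus steps over constructed files and return the results."""
    files = {"app.bin": CLEAN_PROGRAM, "tool.bin": CLEAN_PROGRAM + b" v2"}
    baseline = make_baseline(files)

    # Simulated infection (constructed): marker plus a harmless stub appended to app.bin.
    infected = dict(files)
    infected["app.bin"] = CLEAN_PROGRAM + FAKE_SIGNATURE + b"stub"

    # A polymorphic copy mutates its body, so the fixed signature no longer matches.
    mutated = dict(files)
    mutated["app.bin"] = CLEAN_PROGRAM + FAKE_SIGNATURE.replace(b"0001", b"0002") + b"stub"

    return {
        "detected": check_integrity(baseline, infected),        # hash changed, size grew
        "identified": scan_signatures(infected),                 # named by signature
        "recovered": remove_appended(infected["app.bin"], FAKE_SIGNATURE) == CLEAN_PROGRAM,
        "mutated_by_signature": scan_signatures(mutated),        # [] : signature misses it
        "mutated_by_integrity": check_integrity(baseline, mutated),  # hash check still fires
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The baseline has to be taken while the system is clean (the "good source of software" and "isolated testing phase" points on the next slide), otherwise an already-infected file is recorded as the reference state.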

22
Preventing Virus Infection
  • Prevention
    • Good source of software installed
    • Isolated testing phase
    • Use virus detectors
  • Limit damage
    • Make bootable diskette
    • Make and retain backup copies of important
      resources

23
Worm
  • Self-replicating (like virus)
  • Objective: system penetration (intruder)
  • Phases: dormant, propagation, triggering, and
    execution
  • Propagation
    • Searches for other systems to infect (e.g., host
      tables)
    • Establishes connection with remote system
    • Copies itself to remote system
    • Executes

24
Covert Channel - Trojan Horse
[Figure: "Only John is permitted to access the document." John reads the Document; a Trojan Horse in John's program writes the Spy's Document copy, which the Spy reads.]
25
Covert Channel
  • Need
    • Two active agents
      • Sender (has access to unauthorized information),
        e.g., TH (Trojan Horse) in MS Word
      • Receiver (reads sent information), e.g.,
        program creating the copy
    • Encoding schema
      • How the information is sent, e.g.,
        • File F exists → 0
        • File F does not exist → 1
    • Synchronization, e.g., when to check for
      existence of F

26
Storage Covert Channels
  • Based on properties of resources
  • Examples
    • File locks
    • Delete/create file
    • Memory allocation

27
Timing Covert Channel
  • Time is the factor (how fast)
  • Examples
    • Processing time
    • Transmission time

28
Covert Channel Detection and Removal
  • Identification
    • Shared resources
    • Program code correctness
    • Information flow analysis
  • Removal
    • Total removal may not be possible
    • Reduce bandwidth
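The slides on the file-existence encoding, storage channels (delete/create file) and detection/removal describe one channel and two countermeasures. The following added example, not part of the lecture, takes the defender's side: it reads a constructed audit log (the `t=... pid=... op=... path=...` format, the process ids and the paths are all invented for the example), identifies shared resources that one process changes while a different process only observes, estimates the channel's bandwidth from the rate of state changes, and shows how enforcing a minimum interval between state changes bounds that bandwidth, which is the "reduce bandwidth" option when total removal is not possible.

```python
import re
from collections import defaultdict

# Constructed audit log for this example (not from a real system). Fields: time in
# seconds, process id, operation, path. pid 101 toggles a shared file while pid 202
# only polls it; pid 303 edits an ordinary private file.
AUDIT_LOG = """\
t=0.00 pid=101 op=create path=/shared/F
t=0.05 pid=202 op=stat path=/shared/F
t=0.10 pid=101 op=delete path=/shared/F
t=0.15 pid=202 op=stat path=/shared/F
t=0.20 pid=101 op=create path=/shared/F
t=0.25 pid=202 op=stat path=/shared/F
t=0.30 pid=101 op=delete path=/shared/F
t=0.35 pid=202 op=stat path=/shared/F
t=0.40 pid=101 op=create path=/shared/F
t=0.45 pid=202 op=stat path=/shared/F
t=1.00 pid=303 op=create path=/home/u/report.txt
t=9.00 pid=303 op=delete path=/home/u/report.txt
"""

LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+pid=(?P<pid>\d+)\s+op=(?P<op>\w+)\s+path=(?P<path>\S+)")
STATE_OPS = ("create", "delete")   # operations that change the resource's observable state


def parse_log(text):
    """Parse the log into (time, pid, op, path) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["t"]), int(m["pid"]), m["op"], m["path"]))
    return events


def find_shared_resources(events):
    """Identification: paths that one process changes and a different process only observes.
    That pairing (sender changes state, receiver reads it) is the shape of a storage channel."""
    writers, readers = defaultdict(set), defaultdict(set)
    for _, pid, op, path in events:
        (writers if op in STATE_OPS else readers)[path].add(pid)
    return {path for path in writers if readers[path] - writers[path]}


def estimate_bandwidth(events, path):
    """Upper bound in bits/s for a create/delete channel on `path`: each state change can
    carry one symbol, so rate = (changes - 1) / time spanned by the changes."""
    times = [t for t, _, op, p in events if p == path and op in STATE_OPS]
    if len(times) < 2 or times[-1] == times[0]:
        return 0.0
    return (len(times) - 1) / (times[-1] - times[0])


def suspected_channels(events, threshold_bps=1.0):
    """Flag shared resources whose state-change rate is high enough to be worth a look."""
    return {path: estimate_bandwidth(events, path)
            for path in find_shared_resources(events)
            if estimate_bandwidth(events, path) >= threshold_bps}


def bandwidth_after_delay(bandwidth_bps, min_interval_s):
    """Removal by bandwidth reduction: if the system enforces at least `min_interval_s`
    between state changes of a resource, the channel cannot exceed 1/min_interval_s bits/s."""
    return min(bandwidth_bps, 1.0 / min_interval_s)


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for path, bps in suspected_channels(evs).items():
        print(f"{path}: ~{bps:.1f} bit/s; with a 1 s minimum change interval: "
              f"{bandwidth_after_delay(bps, 1.0):.1f} bit/s")
```

The private file edited by a single process is never flagged, because no second process observes it; the shared file is flagged at roughly 10 bit/s, and a 1 s minimum interval between its state changes caps the channel at 1 bit/s without removing it. Rate estimates like this are a triage signal only; confirming a channel still needs the program-code and information-flow analysis the slide lists.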

29
Next Class
  • Identification and Authentication