![Chapter No 3 Computer Network Security
Written by Engr. Muhammad Waseem 1
Program security
Two types of program flaws
Non-malicious program flaws
Malicious program flaws
Non malicious program errors
Being human, programmers and other developers make many mistakes, most of which are
unintentional and non-malicious. Many such errors cause program malfunctions but do not lead to
more serious security vulnerabilities.
Buffer overflows
Incomplete mediation
Time-of-check to time-of-use errors
Buffer overflow
A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-
liter pitcher: Some water is going to spill out and make a mess. And in computing, what a mess these
errors have made.
A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because
memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the
programmer must declare the buffer's maximum size so that the compiler can set aside that amount of
space.
The computer equivalent of trying to pour two litre of water into a one-litre pitcher
A buffer is a space in which data can be held
Since memory is finite, so is the buffer
The programmer must declare the buffer size
char sample[10] sets a side ten bytes of memory
The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of the array,
sample[0] through sample[9]. Now we execute the statement
sample[10]=‘A’;
sample[i]=‘A’;
All program and data are in memory during execution, sharing the space with the OS, other
code and resident routines
If the extra character overwrites user’s data, it may affect the program’s results but not other
programs
If it overflows into the user’s program area, and overwrites an instruction to be executed the
machine will try to execute 0x41
Security implications
If the buffer overflows into system code space, the attacker merely inserts overflow data that
correspond to the machine code for instructions. The attacker may make use of the stack pointer or the
return register. Sub procedures calls are handled with a stack, a data structure in which the most recent
item inserted is the next one removed (last arrived, first served).An alternative style of buffer overflow](https://image.slidesharecdn.com/unit2-programsecurity-220706101237-2e010bc7/85/unit-2-program-security-pdf-1-320.jpg)
unit 2 -program security.pdf
- 1. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 1 Program security Two types of program flaws Non-malicious program flaws Malicious program flaws Non malicious program errors Being human, programmers and other developers make many mistakes, most of which are unintentional and non-malicious. Many such errors cause program malfunctions but do not lead to more serious security vulnerabilities. Buffer overflows Incomplete mediation Time-of-check to time-of-use errors Buffer overflow A buffer overflow is the computing equivalent of trying to pour two liters of water into a one- liter pitcher: Some water is going to spill out and make a mess. And in computing, what a mess these errors have made. A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the programmer must declare the buffer's maximum size so that the compiler can set aside that amount of space. The computer equivalent of trying to pour two litre of water into a one-litre pitcher A buffer is a space in which data can be held Since memory is finite, so is the buffer The programmer must declare the buffer size char sample[10] sets a side ten bytes of memory The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of the array, sample[0] through sample[9]. Now we execute the statement sample[10]=‘A’; sample[i]=‘A’; All program and data are in memory during execution, sharing the space with the OS, other code and resident routines If the extra character overwrites user’s data, it may affect the program’s results but not other programs If it overflows into the user’s program area, and overwrites an instruction to be executed the machine will try to execute 0x41 Security implications If the buffer overflows into system code space, the attacker merely inserts overflow data that correspond to the machine code for instructions. The attacker may make use of the stack pointer or the return register. Sub procedures calls are handled with a stack, a data structure in which the most recent item inserted is the next one removed (last arrived, first served).An alternative style of buffer overflow
- 2. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 2 occurs when parameter values are passed into a routine, especially when the parameters are passed to a web server on the Inter-net. The attacker may replace code in system space by other instructions which will cause control to be transferred to the attacker with OS privileges The attacker could replace the return address Identify what you are trying to protect. Determine what you are trying to protect them from. Determine how likely the threats are. Implement steps that protect your assets in a cost effective manner Review the process continuously making improvements when you find a weakness Incomplete mediation Incomplete mediation is another security problem that has been with us for decades. Attackers are exploiting it to cause security problems. Failure to perform “sanity checks” on data can lead to random or carefully planned flaws. http://www.somesite.com/subpage/userinput¶m1=(808)555- 1212¶m2=2002Jan01 What if param2 were 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many? A routine could fail on a data type error Receiving program generates wrong result The receiving program might have a default condition The two parameters look like a telephone number and a date. Probably the client's (user's) web browser enters those two values in their specified format for easy processing on the server's side. What would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many? Something would likely fail. As with buffer overflows, one possibility is that the system would fail catastrophically, with a routine's failing on a data type error as it tried to handle a month named "Min" or even a year (like 1800) which was out of range. Another possibility is that the receiving program would continue to execute but would generate a very wrong result. (For example, imagine the amount of interest due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing server might have a default condition, deciding to treat 1Aardvark2Many as 3 July 1947. The possibilities are endless. Time-to-check to time-of-use errors Its Involves in synchronization. Modern OSs and processors usually change the order of instruction execution to increase performance. Instructions that appear to be adjacent may not be executed immediately after each other, because of intentionally changed order or the effects of other processes in concurrent execution.
- 3. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 3 we want to make sure that only those who should access an object are allowed that access Every requested access must be governed by an access policy stating who is allowed access to what, then the request must be mediated by an access policy enforcement agent An incomplete mediation problem occurs if the access is not checked universally. It is also known as a serialization or synchronization flaw. A person draws five $20 bills from his pocket, carefully counts them and places them in front of the seller. When the seller turns around to make his bill, he takes back one $20 bill, hands over the stack of bills, takes his buy and leaves An application request access to a file and passes a data structure. The mediator stores the filename locally and checks for access rights. While the mediator checks for access, the user may modify the locally stored file name and gain access to a different file The problem is called a time-of-check to time-of-use flaw because it exploits the delay between the two times. That is, between the time the access was checked and the time the result of the check was used, a change occurred, invalidating the result of the check. Security implication Checking one action and performing another is an example of ineffective access control. We must be wary whenever there is a time lag, making sure that there is no way to corrupt the check's results during that interval. Solutions: Digital signatures and certificates. Time-of-check is when someone signs and time-of-use is when anyone verifies the signature. If the private key is exposed, the key must be revoked Failures due to non-malicious flaws ARPANET had hard coded 347 as the size of the node table When a host’s node table reached 348, it crashed Viruses and other malicious code Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that malicious effect occurs whenever the good program runs.occurs whenever the good program runs. Much of the work done by programs is invisible to users. How can you tell if a game program does nothing in addition to its expected interaction with you? Malicious people can make programs serve as vehicles to access and change data and other programs Unanticipated or undesired effects in program parts Example of Malicious code-possibilities Write a message to the screen Stopping a running program Generating a sound Erasing a stored file Kinds of malicious code Virus
- 4. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 4 Trojan horse Logic bomb Backdoor Worm Rabbit Code Type Characteristics Virus Attaches itself to program and propagates copies of itself to other programs Trojan horse Contains unexpected, additional functionality Logic bomb Triggers action when condition occurs Time bomb Triggers action when specified time occurs Trapdoor Allows unauthorized access to functionality Worm Propagates copies of itself through a network Rabbit Replicates itself without limit to exhaust resource Virus A program that can pass on malicious code to other non-malicious programs by modifying them Virus can be transient or resident Transient virus’s life depends on the life of its host: the virus runs when the host does A resident virus locates itself in memory A program that pass on malicious code to other non malicious (program) by modifying them. Infects a program by attaching the program . A good program, once infected becomes a carrier and infects other program.
- 5. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 5 Trojan horse Trojans are malicious programs that perform actions that have not been authorized by the user. These actions can include: Deleting data, blocking data, Modifying data, and Copying data, disrupting the performance of computers or computer networks. A Trojan horse is malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect. As an example of a computer Trojan horse, consider a login script that solicits a user’s identification and password, passes the identification information on to the rest of the system for login processing, but also retains a copy of the information for later, malicious use. Logic bomb A logic bomb is a class of malicious code that “detonates” or goes off when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date. Backdoor A trapdoor or backdoor is a feature in a program by which someone can access the program other than by the obvious, direct call, perhaps with special privileges. For instance, an automated bank teller program might allow anyone entering the number 990099 on the keypad to process the log of everyone’s transactions at that machine. Worm A worm is a program that spreads copies of itself through a network. The primary difference between a worm and a virus is that a worm operates through networks, and a virus can spread through any medium (but usually uses copied program or data files). Additionally, the worm spreads copies of itself as a standalone program, whereas the virus spreads copies of itself as a program that attaches to or embeds in other programs. Rabbit Some literature also defines a rabbit as a virus or worm that self-replicates without bound, with the intention of exhausting some computing resources. A rabbit might create copies of itself and store them on disk, in an effort to completely fill the disk, How viruses attach Virus can attach itself to program or data by: •Appending itself, so virus code is activated when program is run. (Variation: Virus code before and after program.) •Integrating itself into program, so virus code is spread out over its target program. Integrating itself into data, e.g. as an executable text macro. A virus will do nothing and will not spread unless it is executed. There are many ways to ensure that a virus is executed A setup program may call dozens or even hundreds of other programs, on the distribution disk, already residing on the computer, or resident in memory Human intervention is necessary to start the process Email attachments The virus code can be embedded in an executable file attachment Objects such as graphics files can contain code to be executed by the editor, so they can be transmission agents for viruses
- 6. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 6 Appended viruses A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to program. Usually a virus inserts a copy of itself before the first executable instruction in a program. This kind of attachment is Simple and usually effective Typically the user does not notice the effects of the virus since the program does its job as usual Viruses that surround a program An alternative to the attachment is a virus that runs the original program but has control before and after a program execution. a virus writer might want to prevent the virus from being detected. If the virus is stored on disk, its presence will be given away by its file name, or its size will affect the amount of space used on the disk. A virus’ presence may be given away by the file size of the program, so the virus writer may infect the file listing display program to regain control after the file listing is generated but before it is displayed Integrated viruses and replacements When the virus replaces some of its target, integrating itself into the original code of the target. The virus writer has to know the exact structure of the original program to know where to insert which pieces of the virus. Could replace the entire target
- 7. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 7 Document viruses Most popular Which is implemented within a formatted document, such as a written document, a database, a slide presentation, or a spreadsheet. These documents are highly structured files that contain both data (words or numbers) and commands (such as formulas, formatting controls, links). User sees only the contents of the document, so the virus writers includes the virus in the commands How viruses gain control The virus (V) has to be invoked instead of the target (T). The virus has to either seem to be the target, or has to push the target out of the way and become a substitute A virus could replace a target by assuming its name The virus can overwrite the target on disk How viruses gain control The virus can change the pointers in the file tables so that the virus is located instead of the target Desirable qualities in viruses Hard to detect Not easily destroyed or deactivated. Spreads widely Re-infect its home program or other programs Easy to create
- 8. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 8 Machine independent and OS independent Few viruses meet all these criteria. The virus writer chooses from these objectives when deciding what the virus will do and where it will reside. The challenge for the virus writer was to write code that would be executed repeatedly so that the virus could multiply. One execution is enough to ensure widespread distribution. Many viruses are transmitted by e-mail, using either of two routes. Homes for viruses One time execution Boot sector viruses Memory-resident viruses Other homes One-time execution Majority of viruses today execute only once, spreading their infection and causing their effect in that one execution A virus often arrives as an email attachment of a document virus and is executed just by opening it Boot sector viruses A given hardware platform can run many different OS The boot sector contains a boot loader to load the particular OS into memory and run it To accommodate large boot loaders, chaining is used The virus may break the chain anywhere and insert itself Appeal: virus gains control early, when no detection tool is running, and is invisible to file listing When a computer is started, control begins with firmware that determines which hardware components are present, tests them, and transfers control to an operating system. The boot sector is an especially appealing place to house a virus. The virus gains control very early in the boot process, before most detection tools are active, so that it can avoid, or at least complicate, detection. The files in the boot area are crucial parts of the operating system. Memory resident viruses Some parts of the operating system and most user programs execute, terminate, and disappear, with their space in memory being available for anything executed later. For very frequently used parts of the operating system and for a few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called "resident" code
- 9. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 9 Some portions of the OS and a few specialized user programs would take too long to reload each time they are needed, so they are kept in memory and are called resident code e.g., routines that interpret keys pressed on the keyboard, error control, alarm clock Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running Other homes for viruses One popular home for a virus is an application program. Many applications, such as word processors and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat them with one invocation. Such programs also provide a "start-up macro" that is executed every time the application is executed. Libraries are also excellent places for malicious code to reside. Because libraries are used by many programs, the code in them will have a broad effect. Executing code in a library can pass on the viral infection to other transmission media. Compilers, loaders, linkers, runtime monitors, runtime debuggers, and even virus control programs are good candidates for hosting viruses because they are widely shared. Application macros Libraries Compilers, linkers Runtime monitors, runtime debuggers Anti-virus Virus signatures A virus cannot be completely invisible Code must be stored somewhere and must be in memory to execute. A virus executes in a particular way and uses a certain method to spread Each of these characteristics yields a tell-tale (presence of something) pattern called a signature. A virus scanner that can automatically detect and, in some cases, remove viruses. The scanner searches memory and long-term storage, monitoring execution and watching for the signatures of viruses .When the scanner recognizes a known virus's pattern, it can then block the virus, inform the user, and deactivate or remove the virus. A virus scanner is effective only if it has been kept up-to-date Virus effects and causes Virus Effect How It Is Caused Attach to executable program Modify file directory Write to executable program file Attach to data or control file Modify directory Rewrite data Append to data Append data to self Remain in memory handler address Intercept interrupt by modifying interrupt
- 10. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 10 table Load self in no transient memory area Infect disks Intercept interrupt Intercept operating system call (to format disk, for example) Modify system file Modify ordinary executable program Conceal self-falsify result Intercept system calls that would reveal self and Classify self as "hidden" file Spread infection Infect boot sector Infect systems program Infect ordinary program Infect data ordinary program reads to control its execution Prevent deactivation de-activation Activate before deactivating program and block Store copy to rein fact after deactivation Execution patterns A virus writer may want a virus to do several things at the same time Spread infection Avoid detection Cause harm Most virus writers seek to avoid detection for themselves and their creations. Because a disk's boot sector is not visible to normal operations (for example, the contents of the boot sector do not show on a directory listing) One virus can erase files, another an entire disk; one virus can prevent a computer from booting, and another can prevent writing to disk. The damage is bounded only by the creativity of the virus's author Transmission patterns A virus is effective only if it has some means of transmission from one location to another. Viruses can travel During the boot process Over a network connection Host’s execution Remain in memory to infect other diskettes Since a virus can execute any instructions a program can, virus travel is not confined to any single medium or execution pattern. Polymorphic viruses The virus signature may be the most reliable way for a virus scanner to identify a virus A clever virus writer can cause something other than specific strings to be in portions where a virus scanner would look for those strings.
- 11. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 11 A virus that can change its appearance is called a polymorphic virus (Poly means "many" and morph means "form".) Two-form virus can be treated as two independent viruses, so the virus writer will want a large or unlimited number of forms A polymorphic virus has to randomly reposition all parts of itself and randomly change all fixed data A virus may randomly intersperse harmless instructions throughout its code A simple variety of polymorphic virus uses encryption under various keys to make the stored form of the virus different. These are sometimes called encrypting viruses. Prevention of virus infection The only way to prevent the infection of a virus is not to share executable code with an infected source. This was easy to do because it was easy to tell if a file was executable or not. Today’s files are more complex, and a seemingly no executable file can contain executable. Programs are usually configured to activate this code automatically, such as open attachments. The file type is hidden in a field at the start of a file, so Windows would try to open an executable file with a non-executable extension, with the appropriate program, failing which the executable code will be run Since you cannot know which sources are infected, assume that every outside source is infected Prevention Use only software acquired from reliable and well-established vendors Test all software on an isolated computer Test the computer with a copy of an up-to-date virus scanner, created before running the suspect program. Only if the program passes these tests should it be installed on a less isolated machine. Open attachments only when you know them to be safe an attachment from an unknown source is of questionable safety. You might also distrust an attachment from a known source but with a peculiar message. Make a recoverable system image and store it safely if your system does become infected, this clean version will let you reboot securely because it overwrites the corrupted system files with clean copies. Make and retain backup copies of executable system files. This way, in the event of a virus infection, you can remove infected files and reinstall from the clean backup copies (stored in a secure, offline location, of course). Use virus detectors (often called virus scanners) regularly and update them daily Many of the virus detectors available can both detect and eliminate infection from viruses Trapdoors A trapdoor is an undocumented entry point to a module The trapdoor Inserted during code development, perhaps to test the module, or to provide hooks by which to connect future modifications, or enhancements, or to allow access if the module should fail in the future In addition to these legitimate uses, trapdoors can allow a programmer access to a program once it is placed in production.
- 12. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 12 Trapdoors-Examples Computing systems are complex structures, programmers usually develop and test systems in a modular manner, taking advantage of the way the system is composed of modules or components. Each small component of the system is tested first, separate from the other components, in a step called unit testing, to ensure that the component works correctly by itself. Components are tested together during integration testing, to see how they function as they send messages and data from one to the other. Rather than paste all modules together in a big bang approach, the modules are grouped into several logical clusters of a few components each Each cluster is tested in a way that allows testers to control and understand what might make a component or its interface fail. During component testing, the tester cannot use the surrounding routines that prepare input or work with output, so they write “stubs” and “drivers” to inject data in and extract results. These stubs and drivers are later discarded because they are replaced by the actual components. The programmers embed debugging code into suspicious components. To control stubs or invoke debugging code, the programmer embeds special control sequences in the component's design, specifically to support testing. Command insertion is a recognized testing practice, if left in place after testing, the extra commands can become a problem. The Internet Worm spread itself due to exactly this kind of a trapdoor in an email program Poor error checking is another source of trapdoors Trapdoors can be useful for system auditing or testing, but they must be documented and access must be protected Trapdoors-causes Trapdoors can persist(continue firmly) in programs because the developer: forgot to remove them Intentionally left it there for testing Intentionally left it for maintenance intentionally leave them in the program as a covert means of access to the component after it becomes an accepted part of a production system The first case is an unintentional security blunder, the next two are serious exposures of the system's security, and the fourth is the first step of an outright attack. It is important to remember that the fault is not with the trapdoor itself, which can be a very useful technique for program testing, correction, and maintenance. Rather, the fault is with the system development process, which does not ensure that the trapdoor is "closed" when it is no longer needed. That is, the trapdoor becomes a vulnerability if no one notices it or acts to prevent or control its use in vulnerable situations. Covert channels Programs that communicate information to people who shouldn’t receive it The communication accompanies other perfectly proper communications e.g., a student may communicate correct answer choices by coughing once for ‘a’, clearing her throat for ‘b’ and so on A programmer for a bank has no need to access the names or balances in depositors' accounts.
- 13. Chapter No 3 Computer Network Security Written by Engr. Muhammad Waseem 13 One way for the programmer to have a covert channel is to write to a file, print it out A programmer should not have access to data once the program is in operation. How to create covert channels A programmer can always find ways to communicate data values covertly. Running a program that produces a specific output report or displays a value may be too obvious. For example, in some installations, a printed report might occasionally be scanned by security staff before it is delivered to its intended recipient. The programmer can encode the data values in another innocuous report by varying the format of the output, changing the lengths of lines, or printing or not printing certain values. For example, changing the word "TOTAL" to "TOTALS" in a heading would not be noticed, but this creates a 1-bit covert channel. The absence or presence of the S conveys one bit of information. Numeric values can be inserted in insignificant positions of output fields, and the number of lines per page can be changed. A printed report would be too obvious Encode data values into a different report format Storage channels: pass information by using the presence or absence of objects in storage e.g., lock or not lock a file to signal one bit of information. A simple example of a covert channel is the file lock channel. In multiuser systems, files can be "locked" to prevent two people from writing to the same file at the same time (which could corrupt the file, if one person writes over some of what the other wrote). The operating system or database management system allows only one program to write to a file at a time, by blocking, delaying, or rejecting write requests from other programs. A covert channel can signal one bit of information by whether or not a file is locked Timing channels: pass information by the speed at which things happen e.g., using or not using an assigned amount of computing time (quantum). In the simple case, a multi programmed system with two user processes divides time into blocks and allocates blocks of processing alternately to one process and the other. A process is offered processing time, but if the process is waiting for another event to occur and has no processing to do, it rejects the offer. How to prevent these flaws Good software engineering practices Operating system controls Administrative controls Program controls in general