Ch8-Computer Security
0 likes32 views
The document discusses various types of malicious programs including buffer overflows, viruses, worms, Trojan horses, backdoors, and logic bombs. It describes how buffer overflows can corrupt the program stack and be exploited by attackers. It explains that viruses attach themselves to other programs and replicate, worms replicate across networks, and Trojan horses masquerade as legitimate programs. It also outlines different approaches for antivirus software including signature-based, heuristic, activity monitoring, and full-featured protection.
Ch8-Computer Security
- 1. 1 241-427-SV-2-2553-COE-PSU 1 241-427 Computer Security Chapter VIII: Malicious programs Dr. Sangsuree Vasupongayya 241-427-SV-2-2553-COE-PSU 2 Outline o Unintentional software flaws n Buffer overflow o Intentional software n Virus n Worm
- 2. 2 241-427-SV-2-2553-COE-PSU 3 Buffer Overflow o A.k.a. smashing the stack o Occur when software fails to sanity check input o How common computer works n A new process is given memory by the OS n Function code is in the memory n First function to get run is main (entry point) n The execution continue until the end o Terminated o Crashes o Purposefully shut down n Functions may be called o Functions can call each other o When finish, the control is returned to the caller 241-427-SV-2-2553-COE-PSU 4 Function call o Function stores data about what it is doing in the stack o Stack grows and shrinks o When a function is called n Make sure that the stack has enough room n If not enough room and function knows it then o Error occurs n If not enough room and function does not know o Store data regardless o Overwriting the stack o Corrupting the stack o Crashing the program
- 3. 3 241-427-SV-2-2553-COE-PSU 5 Program execution o Instruction pointer (IP): points to the currently executing instruction o During execution n IP is incremented, jumps over sections of code, jumps backward and re-running the same section o All CPU registers must be stored n Where? In the stack o Given the IP is in the stack, when the buffer overflow occurs, the IP is also corrupted o What good does it do? n The hacker can overwrite the IP n Instead of returning to the caller n The control returns to the address saved in IP 241-427-SV-2-2553-COE-PSU 6 Buffer overflow o Write pass the end of a buffer and corrupt the stack Normal case Buffer overflow attack
- 4. 4 241-427-SV-2-2553-COE-PSU 7 Preventing stack overflow o Make stack non-executable n Hardware or OS n E.g., NX bit o Using “safe” programming languages n JAVA or C# n Automatically check all memory accesses o Runtime stack checking n by pushing a special value onto the stack immediately after the return address 241-427-SV-2-2553-COE-PSU 8 Malware o Software designed to break security o Malicious in its intent
- 5. 5 241-427-SV-2-2553-COE-PSU 9 Virus o A segment of code that attaches itself to existing programs; performs some predetermined action o Typical actions n System or file modification n Further infection o Viruses only infect executable programs not data o Infection n system comes into contact with a carrier of the virus n After a system is infected, it becomes a carrier o What can we do n Protect by prevention n Remove any virus 241-427-SV-2-2553-COE-PSU 10 Types of Virus o Parasitic virus n Attacks itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect o Memory-resident virus n Reside in the main memory and infecting every program that executes o Boot sector virus n Infects a master boot record o Stealth virus: designed to hide itself from anti-virus o Polymorphic virus: mutates with every infection o Metamorphic virus: mutates by rewriting itself completely at each iteration
- 6. 6 241-427-SV-2-2553-COE-PSU 11 Worms o A stand-alone program o Infects a computer system and other computers only through network connections o It replicates itself o Attacks a system with the potential to do irrecoverable damage o Activities n Modification or deletion of files n Communicate information back to the author n Disrupt normal operations causing DoS 241-427-SV-2-2553-COE-PSU 12 Trojan Horses o A program that is advertised to perform one function while performs a different function o E.g., n stealing passwords n Covering for virus
- 7. 7 241-427-SV-2-2553-COE-PSU 13 Backdoor o a.k.a. trapdoor o A secret entry point into a program o Allow access w/o the usual security procedure o Usually for testing & debugging the program 241-427-SV-2-2553-COE-PSU 14 Logic Bomb o A code embedded in some legitimate program n To explode when certain conditions are met n Examples of conditions o Presence or absence of certain files o A particular day of the week or date o Particular user running the application n Actions o Alter or delete data or entire files o Cause a machine halt or do some damages
- 8. 8 241-427-SV-2-2553-COE-PSU 15 Anti-virus approaches o First generation: simple scanners n requires a virus signature o Second generation: heuristic scanners n Use heuristic rules, not a specific signature n E.g., look for the beginning of an encryption look in a polymorphic virus; using a checksum for integrity checking o Third generation: activity traps n Identify a virus by its action n Only identify the small set of actions that indicate an infection is being attempted to intervene o Fourth generation: full-featured protection n Variety of anti-virus techniques used in conjunction 241-427-SV-2-2553-COE-PSU 16 Remarks o An example virus in C language http://www.gohacking.com/2007/12/c-program-to- demonstrate-virus-in-c.html