8/3/2019 CHAPTER 3 Program Security_copy
UDIT Sonali C. 1
CHAPTER 3
PROGRAM SECURITY
SONALI CHAUHAN
Dept. of Information Technology - MSc-IT Part 2
Mumbai University
Introduction
In the previous chapter we covered why we need security.
In this chapter we will see how to apply security and how it can be achieved.
Protecting programs is the heart of security.
To secure a program, two questions must be answered:
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?
We will deal with the writing of programs.
What is security?
Security implies some degree of trust that the program enforces the expected confidentiality, integrity and
availability. Which security characteristics matter depends on the application and on the
users' perception of software quality.
Here we have to make sure that the program:
does what it is supposed to do, and
does not do what it is not supposed to do.
Secure Programs
Why security at program level?
What you must understand
What is a fault?
What causes a fault?
What are the effects of faults?
A human makes a mistake (error) while performing some software activity; the error may lead to a fault (incorrect data, action or command) in the program, which may result in a failure (the system not performing as required).
A fault is inside the system, whereas a failure can be seen by users, i.e. outside it.
How to fix faults?
Penetrate and patch
A patch may introduce more problems:
a patch causes more side effects;
a patch addresses the problem only in one place, not in other related places;
a patch may affect non-functional requirements.
TERMINOLOGY
Unexpected Behavior
Inadequacies of penetrate-and-patch
PROGRAM SECURITY FLAW
One way to achieve program security is to compare
the requirements with the behavior, i.e. check whether the program behaves as its designer intended or
as its users expected.
Inappropriate program behavior is caused by a program
vulnerability (weakness). Flaw: a fault or failure (the effect).
Vulnerability: a class of flaw (the cause).
Unexpected Behavior - Program Flaw
Program flaws fall into two categories:
Inadvertent human errors:
validation error (permission check)
domain error (controlled access to data)
inadequate identification and authentication
boundary condition violation
logical error
Malicious and intentionally induced flaws:
malicious
nonmalicious
Non-malicious Errors
Buffer Overflows
A buffer is a place where data is held.
It resides in memory and is finite.
The programmer needs to set the buffer size.
Array bounds example (some languages do not check array bounds, and in others array bounds do not have to be pre-specified):
    char sample[10];
    for (int i = 0; i <= 9; i++)   /* loop bound reconstructed from the slide's description of the out-of-bounds 'B' write */
        sample[i] = 'A';
    sample[10] = 'B';              /* index 10 is outside sample[0..9]: the 'B' lands in whatever byte of memory follows */
The out-of-array-bounds data can overflow into:
the user's data space, overwriting other existing data;
the user's program data;
an already executed instruction (overlaying it has no effect);
an instruction not yet executed, with the result that an instruction with operation code 0x42 (the internal code for
the character B) will be executed. If there is no such
instruction, the system will halt with an illegal instruction
exception; otherwise the machine will use the succeeding bytes as if they were the rest of the instruction.
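As an added illustration, not taken from the slides, here is the slide's fill loop beside bounds-checked forms in C. The function names and the 11-byte sample input are constructed for the demonstration; the point is that the hardened versions refuse or truncate the write instead of spilling the 'B' into neighbouring memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_SIZE 10   /* same size as the slide's char sample[10] */

/* How many bytes an unchecked copy of src (including its NUL) would write
 * past the end of a buffer of dstsize bytes; 0 means it fits. */
size_t overflow_bytes(size_t dstsize, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > dstsize ? needed - dstsize : 0;
}

/* Hardened copy: never writes outside dst[0..dstsize-1], always
 * NUL-terminates, and reports truncation instead of silently overflowing.
 * Returns 0 if src fit, 1 if it was truncated, -1 if dstsize is 0. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened version of the slide's fill loop: stops at the buffer's end
 * instead of writing past it. Returns the number of bytes actually written. */
size_t fill_checked(char *buf, size_t size, size_t count, char c)
{
    size_t i;
    for (i = 0; i < count && i < size; i++)
        buf[i] = c;
    return i;
}

int main(void)
{
    char sample[SAMPLE_SIZE];
    const char *input = "AAAAAAAAAAB";   /* constructed: 11 bytes, one more than the slide's buffer holds */

    printf("unchecked copy would overflow by %zu byte(s)\n", overflow_bytes(sizeof sample, input));
    if (bounded_copy(sample, sizeof sample, input) == 1)
        printf("truncated to \"%s\"\n", sample);
    printf("fill_checked wrote %zu of 11 requested bytes\n", fill_checked(sample, sizeof sample, 11, 'A'));
    return 0;
}
```

The size is passed alongside the buffer in every call; that is the property the slide's loop lacks, and it is what lets the callee report the overflow rather than perform it.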
Security Implication
What can a malicious programmer do with buffer overflows?
Replace code in the system space: insert overflow data
corresponding to machine code for instructions, and gain
control back from the operating system with higher privileges.
Cause an overflow into the stack, and change either the old stack pointer (thereby changing the context for the calling
procedure) or
the return address, to cause control to transfer wherever (s)he wants.
Pass parameters to a web server that cause a
buffer overflow and crash the program.
Non-malicious Errors
Incomplete Mediation
Pass parameters to a web server that cause it to fail due to a data type error, or to execute with a wrong result.
This problem can be addressed by client-side checking of input, or by limiting the client-side choices to valid ones only (by drop-down boxes, check boxes, etc.). However, this can be rendered useless if the client manually edits the URLs in the HTTP requests.
Security Implication
Original request:
http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&shipcost=5&total=205
URL tampered with by a malicious attacker:
http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&shipcost=5&total=25
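The tampered order above only works because the server trusts the total the client sent. The following C example is added here and is not from the slides: it recomputes the total on the server from a catalogue price and rejects a mismatch. The names catalog_price, query_get and check_order are chosen for this example, the catalogue holding part 555A at price 10 is an assumption taken from the slide's own URL, and the quantity cap is an assumed limit; shipcost is read from the request only to keep the slide's fields, and a real server would derive it too.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical server-side catalogue lookup (an assumption; the slide has no
 * catalogue). Returns the unit price in whole currency units, or -1 if unknown. */
static long catalog_price(const char *part)
{
    if (strcmp(part, "555A") == 0)
        return 10;
    return -1;
}

/* Copy the value of key from a query string ("k=v&k2=v2") into out.
 * Returns 1 if the key was found and its value fit, 0 otherwise. */
static int query_get(const char *query, const char *key, char *out, size_t outsize)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsize)
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return 0;
}

/* Strict non-negative decimal parse; rejects empty strings and trailing junk. */
static int parse_long(const char *s, long *out)
{
    char *end;
    if (*s == '\0')
        return 0;
    *out = strtol(s, &end, 10);
    return *end == '\0' && *out >= 0;
}

/* Server-side mediation of the slide's order request.
 * Returns 0 if the client's total matches the server's recomputation,
 * -1 if it does not (tampered or buggy client), -2 if the request is malformed.
 * The recomputed total is stored in *server_total whenever the request parses. */
int check_order(const char *query, long *server_total)
{
    char part[32], field[32];
    long qy, shipcost, client_total, price;

    *server_total = -1;
    if (!query_get(query, "part", part, sizeof part))
        return -2;
    if (!query_get(query, "qy", field, sizeof field) || !parse_long(field, &qy) || qy == 0 || qy > 100000)
        return -2;   /* 100000 is an assumed upper bound to keep qy * price from overflowing */
    if (!query_get(query, "shipcost", field, sizeof field) || !parse_long(field, &shipcost))
        return -2;
    if (!query_get(query, "total", field, sizeof field) || !parse_long(field, &client_total))
        return -2;

    /* The client's price field is ignored: the price comes from the catalogue. */
    price = catalog_price(part);
    if (price < 0)
        return -2;

    *server_total = qy * price + shipcost;
    return client_total == *server_total ? 0 : -1;
}

int main(void)
{
    const char *honest = "custID=101&part=555A&qy=20&price=10&shipcost=5&total=205";
    const char *tampered = "custID=101&part=555A&qy=20&price=10&shipcost=5&total=25";
    long t;
    printf("honest:   %d (server total %ld)\n", check_order(honest, &t), t);
    printf("tampered: %d (server total %ld)\n", check_order(tampered, &t), t);
    return 0;
}
```

Complete mediation means every value that affects the outcome is either produced by the server or re-derived by it; a client-side drop-down can still be bypassed by editing the URL, so it is only a convenience, never the check.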
Non-malicious Errors
Time-of-check to Time-of-use errors
Also known as serialization or synchronization flaws.
Purchase at a store: the item costs $100.
You count out the money on the counter.
The cashier turns around, and you take $20 back; the cashier doesn't notice.
You still get the $100 item.
Between the time that an access to a resource (a file) is checked and the time the result of the check is used, the user can
change the descriptor of the resource, thereby exploiting the lack of synchronization.
Use of digital signatures can alleviate this problem.
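An added C example, not from the slides, of the file case described above. The racy form checks a path name and then opens the name a second time, so the object behind the name can change in between; the hardened form opens first and runs the check on the descriptor it actually obtained (fstat), which is the standard mitigation for this class of flaw. The function names and the temporary file and symlink created under /tmp are constructed for the demonstration, and a POSIX system is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path and validate the file on the descriptor actually obtained:
 * regular file, owned by the calling user, not reached through a symlink.
 * Because the check runs on the already-open object, swapping the name
 * between check and use no longer changes what is used.
 * Returns an open fd, or -1 if the open failed or the file was rejected. */
int safe_open_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The vulnerable pattern the slide describes, kept for contrast: the decision
 * is made on the name with stat(), and open() resolves the name again. In the
 * window between the two calls the object behind path can be replaced. */
int racy_open_regular(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid())
        return -1;
    return open(path, O_RDONLY);   /* second lookup: check and use are not atomic */
}

/* Self-check: create a temporary regular file and a symlink to it, then show
 * that the hardened open accepts the file itself and refuses the symlink,
 * while the name-based version follows the link both times and accepts it.
 * Returns 1 on the expected outcome, 0 otherwise. Cleans up after itself. */
int demo(void)
{
    char path[] = "/tmp/toctou_demo_XXXXXX";      /* constructed temp file name */
    char link[sizeof path + 5];
    int fd = mkstemp(path), ok = 0;
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) == 0) {
        int a = safe_open_regular(path);
        int b = safe_open_regular(link);
        int c = racy_open_regular(link);
        ok = (a >= 0) && (b < 0) && (c >= 0);
        if (a >= 0) close(a);
        if (c >= 0) close(c);
        unlink(link);
    }
    unlink(path);
    return ok;
}

int main(void)
{
    printf("hardened open behaves as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The rule the example encodes is: never make a security decision on a name and then act on the name; act on the object (the open descriptor) and decide on that.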
Malicious Code
Why worry about malicious code?
Malicious code can do anything that a program can.
Malicious code runs under the user's authority.
Malicious code can do anything that a user can, but
without his/her permission or knowledge.
Definition: unanticipated or undesired effects in
programs or program parts, caused by an agent intent on damage.
Kinds of malicious code:
Virus: a program that can pass on malicious code to other nonmalicious programs by modifying
them. It will attach itself to a program, either destroying
it or coexisting with it.
Transient: its life depends on the life of the host.
Resident: locates itself in memory, and can remain active or be activated as a stand-alone program even after its attached program ends (runs even when the host program isn't running).
Trojan Horse: in addition to its primary function,
also has a non-obvious malicious effect.
Logic bomb: detonates when a specified
condition occurs. Time bomb: a logic bomb whose trigger is a time
or date.
Worm: a program that spreads copies of itself (as a standalone program) through a network.
Rabbit: a virus or worm that self-replicates without
bound, with the intent of exhausting some
computing resource.
Trapdoor or backdoor: someone can access the program by other than the obvious, direct call,
perhaps with special privileges.
It is an undocumented entry point to the system,
inserted during code development.
Viruses & Targeted malicious code
How viruses attach & types of viruses
Qualities appealing to virus writers
Boot sector viruses and Memory-resident viruses
Virus signatures
Polymorphic viruses
Virus prevention
Targeted malicious code: trapdoors, salami attacks, covert channels
How viruses attach & types of viruses
For a virus to do its work, it must be executed. Once executed, it may install itself in permanent memory, or spread itself.
E-mail attachments: a common means is via e-mail
attachments. Virus appended to a program: when the program is executed,
the virus is also executed.
Virus that surrounds a program: runs the original program, but has control before and after the program's execution.
Integrated virus: integrates itself into the original program.
Document virus: a virus implemented in a formatted document.
Appended Virus
Does not need any
information about the
program.
Easy to write and append, and simple.
The virus does its task and
then transfers control to the
original program.
Virus that surrounds a program
Integrated virus
The virus writer must know the structure of the code.
Qualities appealing to virus writers
Hard to detect
Not easily destroyed or deactivated
Spreads infection widely
Can re-infect its home program or other programs
Easy to create
Machine independent and operating system independent
How Viruses Gain Control
Boot Sector Virus
Boot sector viruses: when a computer is turned on, the firmware recognizes the hardware present, tests it, copies a fixed number of bytes from the disk to a location in memory (the bootstrap), and jumps to
that address in memory, transferring control to the operating system. This chaining of bootstraps makes the installation of viruses attractive (by breaking the chain).
Gains control very early in the boot process, so it cannot be detected easily.
The virus code is not easily noticed by the user.
How Viruses Gain Control
Memory-resident viruses
Memory-resident viruses: attached to memory-resident code, since such code is executed frequently while the machine is running.
Other Homes of Viruses
One-time execution: the virus executes only once,
spreading its infection and causing its effect in
one execution, e.g. it often arrives through e-mail (executed just by opening).
Macros
Libraries
Compilers
Linkers
Detecting Viruses
Virus Signatures
A pattern of bytes that provides telltale signs of a virus. Signatures are used by virus scanners to detect the presence of the virus.
In the case of attached viruses, the start of the virus code becomes a detectable signature.
Suspicious patterns, such as JUMP instructions at the beginning of programs, are used by scanners to detect viruses.
Scanners are effective only if up-to-date signatures are used.
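An added C example, not the slide's own code, of what a signature scanner does at its simplest: a masked byte-pattern search over a file image, plus the jump-at-entry heuristic mentioned above. The signature bytes and the "file" image are constructed values for the demonstration and are not the signature of any real virus; 0xE9 is the x86 near JMP opcode, used here only to illustrate the heuristic. Function and struct names are chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A signature: a named byte pattern with a mask. A mask byte of 0xFF means
 * the byte must match exactly; 0x00 makes it a wildcard, which real scanners
 * need because parts of a virus body vary from infection to infection. */
struct signature {
    const char *name;
    const unsigned char *bytes;
    const unsigned char *mask;
    size_t len;
};

/* Return the offset of the first match of sig in buf, or -1 if none. */
long find_signature(const unsigned char *buf, size_t buflen, const struct signature *sig)
{
    size_t i, j;
    if (sig->len == 0 || buflen < sig->len)
        return -1;
    for (i = 0; i + sig->len <= buflen; i++) {
        for (j = 0; j < sig->len; j++)
            if ((buf[i + j] & sig->mask[j]) != (sig->bytes[j] & sig->mask[j]))
                break;
        if (j == sig->len)
            return (long)i;
    }
    return -1;
}

/* Heuristic from the slide: a program whose very first instruction is an
 * unconditional jump is suspicious, because an appended virus typically
 * patches the entry point to reach its own code first. 0xE9 = x86 JMP rel32. */
int starts_with_jump(const unsigned char *buf, size_t buflen)
{
    return buflen >= 5 && buf[0] == 0xE9;
}

/* Scan buf against a signature table; returns the number of hits and sets
 * *first to the name of the first matching signature (NULL if none). */
int scan(const unsigned char *buf, size_t buflen, const struct signature *sigs,
         size_t nsigs, const char **first)
{
    int hits = 0;
    size_t k;
    *first = NULL;
    for (k = 0; k < nsigs; k++) {
        if (find_signature(buf, buflen, &sigs[k]) >= 0) {
            if (!*first)
                *first = sigs[k].name;
            hits++;
        }
    }
    return hits;
}

/* Constructed signature for the demonstration (not a real virus pattern). */
static const unsigned char SIG1_BYTES[] = { 0xDE, 0xAD, 0x00, 0xBE, 0xEF };
static const unsigned char SIG1_MASK[]  = { 0xFF, 0xFF, 0x00, 0xFF, 0xFF };   /* third byte is a wildcard */
static const struct signature DEMO_SIGS[] = {
    { "demo-sig-1", SIG1_BYTES, SIG1_MASK, sizeof SIG1_BYTES },
};

/* Scan a constructed file image: a JMP at the entry point, filler, then the
 * pattern with a varying third byte. Returns the number of signature hits. */
int scan_demo_image(void)
{
    static const unsigned char image[] = { 0xE9, 0x10, 0x00, 0x00, 0x00, 0x90, 0x90,
                                           0xDE, 0xAD, 0x42, 0xBE, 0xEF, 0x90 };
    const char *name;
    int hits = scan(image, sizeof image, DEMO_SIGS, 1, &name);
    printf("jump-at-entry: %d, signature hits: %d (%s)\n",
           starts_with_jump(image, sizeof image), hits, name ? name : "none");
    return hits;
}

int main(void)
{
    return scan_demo_image() == 1 ? 0 : 1;
}
```

The mask is what separates this from a plain substring search and it is also the scanner's weakness: the next slide's polymorphic forms are exactly the mutations that push a virus outside what any fixed byte pattern, wildcards included, can describe, which is why scanners are only as good as their signature updates.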
Detecting Virus
Tracking Storage Pattern
Execution Pattern
Transmission Pattern
Boot Process
Disk Access
Network Connection
Polymorphic Viruses
A virus signature can be the most reliable way for a scanner to detect a virus.
A polymorphic virus is a virus that can change its appearance.
Forms: more than one alternative, but with equivalent beginning
words; on installation one of the alternatives is installed.
Move pieces of the virus around to make detection difficult.
Embed random numbers.
Encrypting viruses.
Virus Prevention
Do not share executable code.
Set e-mail handlers not to automatically open attachments.
Be careful with large datasets and graphics, since they can have executables embedded in them.
Be careful with the Microsoft file design problem (the operating system may switch to the application of
the hidden file type). Use only commercial software acquired from
reliable, well-established vendors (?).
Virus Prevention
Test all new software on an isolated computer.
Open attachments only when known to be safe.
Make a recoverable system image and store it safely.
Keep backups of executable system files.
Use detectors regularly and update them frequently.
Truths, Misconceptions about Viruses
Viruses can only affect MS-Windows: False.
Viruses can modify hidden or read-only files: True.
Viruses can appear only in data files, Word docs, or only in programs: False (depends on what you mean by data).
Viruses spread only through floppies or e-mail: False. What about file sharing, bulletin boards, etc.?
Truths, Misconceptions about Viruses
Viruses can't remain in memory after power off: True, but when the affected program is rerun, they're reloaded.
Viruses cannot infect hardware: True.
Viruses can be malevolent, benign, or benevolent: True.
Targeted malicious code
Trapdoors: undocumented entry points to a module.
Sources of trapdoors:
During unit and integration testing, programmers use stubs (to mimic output) and drivers (to mimic input).
They also embed control sequences in the design to support testing. If such code is not removed at the end of the testing, it can be used as a trapdoor.
Poor error checking: unacceptable input may not be
caught but passed on to the user for use. Undefined opcodes: the hardware equivalent of poor error
checking.
Trapdoors
Trapdoors can be useful in finding security flaws, but they must be:
left on purpose, with full understanding of their potential consequences;
documented;
access-controlled.
Trapdoors
Causes of trapdoors: trapdoors can persist in production because developers
forget to remove them,
intentionally leave them for testing,
intentionally leave them for program maintenance, or
intentionally leave them as a covert means of access.
Salami attack
Programs that disregard small amounts of
money in computations (interest, tax
calculations, etc.) may be vulnerable to a salami
attack, where such shavings from transactions are accumulated elsewhere.
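An added C example, not from the slides, that makes the shavings measurable so a control can demand they be accounted for: interest is computed exactly in 1/10000 of a cent, posted to each account by truncation (the careless behaviour the slide describes), and the difference between the exact total and the posted total is returned; a reconciliation check then passes only if that residue is explicitly booked to a rounding account rather than left to be harvested. Function names, the three balances and the 1.25% rate are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Interest is computed in units of 1/10000 cent (balance in cents times a
 * rate in basis points), so the fraction that rounding discards stays visible. */
#define UNITS_PER_CENT 10000LL

/* Post interest to each account by truncating to whole cents, the way a
 * careless program would, and return how many whole cents of the exact total
 * were never posted to any account. That residue is the "shaving" a salami
 * attack would accumulate, and the number a reconciliation must see booked. */
long long unposted_cents(const long long *balance_cents, size_t n, int rate_bp,
                         long long *posted_total_cents)
{
    long long exact_units = 0, posted = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        long long units = balance_cents[i] * rate_bp;   /* exact, in 1/10000 cent */
        posted += units / UNITS_PER_CENT;               /* truncated amount credited */
        exact_units += units;
    }
    *posted_total_cents = posted;
    return exact_units / UNITS_PER_CENT - posted;
}

/* Reconciliation control: the ledger balances only if the residue explicitly
 * booked to a rounding account equals what truncation withheld. Returns 1 if
 * it balances, 0 if money is unaccounted for (possibly diverted). */
int ledger_balances(const long long *balance_cents, size_t n, int rate_bp,
                    long long rounding_account_cents)
{
    long long posted;
    long long residue = unposted_cents(balance_cents, n, rate_bp, &posted);
    return rounding_account_cents == residue;
}

int main(void)
{
    /* constructed balances in cents: $123.45, $999.99, $500.00 at 1.25% (125 bp) */
    const long long balances[] = { 12345, 99999, 50000 };
    size_t n = sizeof balances / sizeof balances[0];
    long long posted;
    long long residue = unposted_cents(balances, n, 125, &posted);

    printf("posted %lld cents; %lld cent(s) of exact interest not posted to any account\n", posted, residue);
    printf("ledger balances with rounding account = %lld: %s\n", residue,
           ledger_balances(balances, n, 125, residue) ? "yes" : "no");
    printf("ledger balances with rounding account = 0: %s\n",
           ledger_balances(balances, n, 125, 0) ? "yes" : "no");
    return 0;
}
```

With three accounts the residue is a single cent; over millions of transactions it is the stream a salami attack lives on, and the control is simply that every cent of it must land in a named account that someone reconciles.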
Interface Illusion
A spoofing attack in which all or part of a web page is false.
Keystroke Logging
Man-in-the-Middle Attack
A malicious program interjects itself between two programs.