CHAPTER 3 Program Security_copy

  • 8/3/2019 CHAPTER 3 Program Security_copy

    1/48

    UDIT Sonali C. 1

    CHAPTER 3

    PROGRAM SECURITY

    SONALI CHAUHAN

    Dept. of Information Technology - MSc-IT Part 2

    Mumbai University

    Introduction

    In the previous chapter we covered why we need security.

    In this chapter we will see how to apply security

    and how it can be achieved.

    Protecting programs is at the heart of security.

    To secure a program:

    How do we keep programs free from flaws?

    How do we protect computing resources against programs that contain flaws?

    We will deal with the writing of programs.

    What is security?

    It implies some degree of trust that the program enforces the expected confidentiality, integrity and availability.

    Security characteristics depend on the application and on users' perceptions of software quality.

    Here we have to make sure that the program:

    Does what it is supposed to do

    Does not do what it is not supposed to do

    Secure Programs

    Why security at program level?

    What you must understand

    What is a fault?

    What causes a fault?

    What are the effects of faults?

    A human makes a mistake (error) in performing some software activity; the error may lead to a fault (incorrect data, action or command) in the program, which may result in a failure (the system not performing as required) of the system.

    A fault is inside the system, whereas a failure can be seen by users, i.e. from outside.

    How to fix faults?

    Penetrate and patch

    Patches introduce more problems

    Patches cause more side effects

    A patch addresses the problem only in one place, not in other related places

    May affect non-functional requirements

    TERMINOLOGY-

    Unexpected Behavior

    Inadequacies of patch-and-penetrate

    PROGRAM SECURITY FLAW

    One way to achieve program security is to compare requirements with behavior, i.e. check whether the program behaves as its designer intended or as users expected.

    Inappropriate program behavior is caused by a program vulnerability (weakness).

    Flaw - fault or failure - effect

    Vulnerability - class of flaw - cause

    Unexpected Behavior -

    Program Flaw

    Program flaws fall into 2 categories:

    Inadvertent human errors

    Validation error (permission check)

    Domain error (controlled access to data)

    Inadequate identification and authentication

    Boundary condition violation

    Logical error

    Malicious and intentionally induced flaws

    Malicious

    Nonmalicious

    Non-malicious Errors

    Buffer Overflows

    A buffer is a place where data is held.

    It resides in memory and is finite.

    The programmer needs to set the buffer size.

    Array bounds example (some languages do not check array bounds, and in others array bounds do not have to be pre-specified)

    char sample[10];

    for(int i=0;i

    The out-of-array-bounds data can overflow into:

    User's data space, overwriting other existing data

    User's program data,

    overlaying an already executed instruction, with no effect

    overlaying an instruction not yet executed, with the result that an instruction with operation code 0x42 (the internal code for the character B) will be executed. If there is no such instruction, the system will halt with an illegal instruction exception. Otherwise the machine will use the succeeding bytes as if they were the rest of the instruction.
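The overflow into neighbouring data described above, as an added C example that is not part of the original slides. The struct layout, the function names and the 'N' marker value are assumptions made for the illustration: ten bytes fit in `sample`, and the eleventh, 'B' (0x42), lands in whatever sits behind the buffer unless the length is checked first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: the 10-byte buffer from the slide with one more
   variable directly behind it, standing in for "other existing data". */
struct record {
    char sample[10];
    char neighbour;
};
_Static_assert(offsetof(struct record, neighbour) == 10, "neighbour follows sample");

/* Unchecked store: trusts n. The copy goes through the bytes of the whole
   struct, so the 11th byte lands in neighbour without leaving the object. */
void store_unchecked(struct record *r, const char *src, size_t n)
{
    memcpy((char *)r, src, n);
}

/* Checked store: refuses input that does not fit in sample[]. */
int store_checked(struct record *r, const char *src, size_t n)
{
    if (n > sizeof r->sample)
        return -1;
    memcpy(r->sample, src, n);
    return 0;
}

/* Constructed input: ten 'A's fill sample[0..9]; the eleventh byte is 'B' (0x42). */
static const char INPUT[11] = { 'A','A','A','A','A','A','A','A','A','A','B' };

char neighbour_after_unchecked(void)
{
    struct record r = { {0}, 'N' };
    store_unchecked(&r, INPUT, sizeof INPUT);
    return r.neighbour;
}

char neighbour_after_checked(int *rc)
{
    struct record r = { {0}, 'N' };
    *rc = store_checked(&r, INPUT, sizeof INPUT);
    return r.neighbour;
}

int main(void)
{
    int rc;
    printf("unchecked: neighbour = 0x%02X\n", (unsigned)neighbour_after_unchecked());
    printf("checked:   neighbour = 0x%02X, rc = %d\n",
           (unsigned)neighbour_after_checked(&rc), rc);
    return 0;
}
```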

    Security Implication

    What can a malicious programmer do with buffer overflows?

    Replace code in the system space: insert overflow data corresponding to machine code for instructions, and gain control back from the operating system, with higher privileges.

    Cause an overflow into the stack and change either the old stack pointer (thereby changing the context for the calling procedure) or

    the return address, to cause control to transfer where (s)he wants.

    Pass parameters on to a web server that cause a buffer overflow and crash the program.

    Non-malicious Errors

    Incomplete Mediation

    Pass parameters to a web server that cause it to fail due to a data type error, or to execute with a wrong result.

    This problem can be alleviated by client-side checking of input, or by limiting the client-side choices to valid ones only (by drop-down boxes, check boxes, etc.). However, this can be rendered useless if the client manually edits the URLs in the HTTP requests.

    http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&shipcost=5&total=205

    Malicious attacker tampered with the URL:

    http://www.things.com/order.asp?custID=101&part=555A&qy=20&price=10&shipcost=5&total=25

    Security Implication
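A server-side check for the tampered `total` above, as an added C example (not code from the original slides). The price list, the flat shipping charge of 5 and all function names are assumptions; the point is that the server derives the amount itself and treats the URL's `price` and `total` as untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of `key` from a query string into out; -1 if absent or too long. */
static int query_get(const char *q, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    while (q && *q) {
        if (strncmp(q, key, klen) == 0 && q[klen] == '=') {
            size_t vlen = strcspn(q + klen + 1, "&");
            if (vlen >= outlen) return -1;
            memcpy(out, q + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        q = strchr(q, '&');
        if (q) q++;
    }
    return -1;
}

/* Strict parse: digits only, value in [0, max]; -1 otherwise. */
static long parse_bounded(const char *s, long max)
{
    long v = 0;
    if (*s == '\0') return -1;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return -1;
        v = v * 10 + (*s - '0');
        if (v > max) return -1;
    }
    return v;
}

/* Constructed server-side price list: the server, not the URL, owns prices. */
static long catalog_price(const char *part)
{
    return strcmp(part, "555A") == 0 ? 10 : -1;
}

/* Returns the total the server will charge, or -1 to reject the request. */
long mediate_order(const char *query)
{
    char part[16], qy[16], total[16];
    if (query_get(query, "part", part, sizeof part) || query_get(query, "qy", qy, sizeof qy) ||
        query_get(query, "total", total, sizeof total)) return -1;
    long price = catalog_price(part), n = parse_bounded(qy, 1000);
    long claimed = parse_bounded(total, 100000000L);
    if (price < 0 || n < 1 || claimed < 0) return -1;
    long expected = n * price + 5;   /* assumed flat shipping of 5, as in the slide's URL */
    return claimed == expected ? expected : -1;
}

int main(void) { printf("%ld\n", mediate_order("part=555A&qy=20&total=25")); return 0; }
```

Because the price comes from the server's own list, a request that lowers both `price` and `total` consistently is rejected as well.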

    Non-malicious Errors

    Time-of-check to Time-of-use errors

    Also known as serialization or synchronization flaw

    Purchase at a store: Costs $100

    You count out the money on the counter

    Cashier turns around, you take $20 back

    Cashier doesn't notice

    Still get the $100 item

    Between the time that an access to resources (files) is checked and the time the result of the check is used, the user can change the descriptor of the resource, thereby exploiting the lack of synchronization

    Use of digital signatures can alleviate this problem

    Malicious Code

    Why worry about Malicious code?

    Malicious code can do anything that a program can.

    Malicious code runs under the user's authority.

    Malicious code can do anything that a user can, but without his/her permission or knowledge

    Definition: Unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.

    Kinds of malicious code:

    Virus: a program that can pass on malicious code to other nonmalicious programs by modifying them

    It attaches itself to a program, either destroying it or coexisting with it.

    Transient: its life depends on the life of the host

    Resident: locates itself in memory, and can remain active or be activated as a stand-alone program even after its attached program ends (runs even when the host program isn't running)

    Trojan horse: in addition to its primary function, it also has a non-obvious malicious effect

    Logic bomb: detonates when a specified condition occurs

    Time bomb: a logic bomb whose trigger is a time or date

    Worm: a program that spreads copies of itself (as a standalone program) through a network

    Rabbit: a virus or worm that self-replicates without bound, with the intent of exhausting some computing resource.

    Trapdoor or backdoor: someone can access the program by other than the obvious, direct call, perhaps with special privileges

    It is an undocumented entry point to the system

    Inserted during code development

    Viruses & Targeted malicious code

    How viruses attach & types of viruses

    Qualities appealing to virus writers

    Boot sector viruses and Memory-resident viruses

    Virus signatures

    Polymorphic viruses

    Virus prevention

    Targeted malicious code: Trapdoors, Salami attacks, covert channels

    How viruses attach & types of viruses

    For a virus to do its work, it must be executed. Once executed, it may install itself in permanent memory, or spread itself.

    E-mail attachments: a common means is via e-mail attachments

    Virus appended to a program: when the program is executed, the virus is also executed

    Virus that surrounds a program: runs the original program, but has control before and after the program execution

    Integrated virus: integrates itself into the original program

    Document virus: a virus implemented in a formatted document

    Appended Virus

    Doesn't need any information about the program

    Easy to write and append, and simple

    The virus does its task and then transfers control to the original program.

    Virus that surrounds a program

    Integrated virus

    The virus writer should know the structure of the code

    Qualities appealing to virus writers

    Hard to detect

    Not easily destroyed or deactivated

    Spreads infection widely

    Can re-infect its home program or other programs

    Easy to create

    Machine independent and operating system independent

    How Do Viruses Gain Control?

    Boot Sector Virus

    Boot sector viruses: When a computer is turned on, firmware recognizes the hardware present, tests it, copies a fixed number of bytes from the disk to a location in memory (the bootstrap), and jumps to that address in memory, transferring control to the operating system. Bootstrap chaining makes installation of viruses attractive (by breaking the chain).

    Gains control very early in the boot process

    Cannot be detected easily

    Virus code is not easily noticed by the user

    Memory-resident viruses

    Memory-resident viruses: attached to

    memory-resident code since such code is

    executed frequently while the machine is

    running

    Other Homes for Viruses

    One-time execution: the virus executes only once, spreading its infection and causing its effect in one execution, e.g. it often arrives through e-mail (executed just by opening)

    Macros

    Libraries

    Compilers

    Linkers

    Detecting Virus

    Virus Signatures

    A pattern of bytes that provides telltale signs of a virus. Signatures are used by virus scanners to detect the presence of the virus

    In the case of attached viruses, the start of the virus code becomes a detectable signature

    Suspicious patterns, such as JUMP instructions at the beginning of programs, are used by scanners to detect viruses

    Scanners are effective only if up-to-date signatures are used
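A small signature scanner showing the points above, as an added C example that is not from the original slides. The byte patterns, signature names and the sample "program" are constructed and harmless; the same input is scanned with an out-of-date and an updated signature list, and the leading-jump heuristic is applied using the x86 JMP opcodes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct signature { const char *name; const unsigned char *bytes; size_t len; };

/* Constructed, harmless byte patterns standing in for real signatures. */
static const unsigned char SIG_A[] = { 0xDE, 0xC0, 0xAD, 0x0B, 0x10 };
static const unsigned char SIG_B[] = { 0x13, 0x37, 0xBE, 0xEF };

/* The out-of-date list knows only Sample.A; the updated one adds Sample.B. */
const struct signature OLD_DB[] = { { "Sample.A", SIG_A, sizeof SIG_A } };
const struct signature NEW_DB[] = { { "Sample.A", SIG_A, sizeof SIG_A },
                                    { "Sample.B", SIG_B, sizeof SIG_B } };

/* Constructed "program": a short jump, two NOPs, the Sample.B pattern, RET. */
const unsigned char PROGRAM[] = { 0xEB, 0x02, 0x90, 0x90, 0x13, 0x37, 0xBE, 0xEF, 0xC3 };

/* Offset of the first occurrence of pat in buf, or -1. */
static long find_bytes(const unsigned char *buf, size_t n, const unsigned char *pat, size_t m)
{
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* Name of the first signature in db found in buf (offset stored in *at), or NULL. */
const char *scan(const unsigned char *buf, size_t n, const struct signature *db, size_t ndb, long *at)
{
    for (size_t s = 0; s < ndb; s++) {
        *at = find_bytes(buf, n, db[s].bytes, db[s].len);
        if (*at >= 0) return db[s].name;
    }
    return NULL;
}

/* Heuristic from the slide: the file begins with a jump. 0xE9 and 0xEB are the
   x86 near and short JMP opcodes. */
int starts_with_jump(const unsigned char *buf, size_t n)
{
    return n > 0 && (buf[0] == 0xE9 || buf[0] == 0xEB);
}

int main(void)
{
    long at;
    const char *old = scan(PROGRAM, sizeof PROGRAM, OLD_DB, 1, &at);
    const char *cur = scan(PROGRAM, sizeof PROGRAM, NEW_DB, 2, &at);
    printf("old db: %s\nnew db: %s at offset %ld\nleading jump: %d\n", old ? old : "clean",
           cur ? cur : "clean", at, starts_with_jump(PROGRAM, sizeof PROGRAM));
    return 0;
}
```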

    Detecting Virus

    Tracking Storage Pattern

    Execution Pattern

    Transmission Pattern

    Boot Process

    Disk Access

    Network Connection

    Polymorphic Virus

    A virus signature can be the most reliable way for a scanner to detect a virus.

    A polymorphic virus is a virus that can change its appearance

    Forms:

    More than one alternative, but equivalent, beginning word; on installation one of the words is installed

    Move pieces of the virus around to make detection difficult

    Embed random numbers

    Encrypting viruses

    Virus Prevention

    Not sharing executable code

    Setting e-mail handlers not to automatically open attachments

    Be careful with large datasets and graphics, since they can have executables embedded in them

    Be careful with the Microsoft file design problem (the operating system may switch to the application of the hidden file type)

    Use only commercial software acquired from reliable, well-established vendors (?)

    Test all new software on an isolated computer

    Open attachments only when known to be safe

    Make a recoverable system image and store it safely

    Backups of executable system files

    Use detectors regularly and update frequently

    Truths, Misconceptions about Viruses

    Viruses can only affect MS-Windows: False

    Viruses can modify hidden or read-only files: True

    Can appear only in data files, Word docs, or only in programs: False. (Depends on what you mean by data)

    Spread only through floppies or email: False. What about file sharing, bulletin boards, etc.?

    Can't remain in memory after power off: True, but when the affected program is rerun, they're reloaded

    Viruses cannot infect hardware: True

    Viruses can be malevolent, benign, or benevolent: True

    Targeted malicious code

    Trapdoors: undocumented entry point to a module

    Sources of trapdoors:

    During unit and integration testing, programmers use stubs (to mimic output) and drivers (to mimic input).

    They also embed control sequences in the design to support testing. If such code is not removed at the end of testing, it can be used as a trapdoor

    Poor error checking: unacceptable input may not be caught but passed on to the user for use

    Undefined opcodes: hardware equivalent of poor error checking

    Trapdoors

    Trapdoors can be useful in finding security flaws, but

    Left on purpose with full understanding of their potential consequences

    Must be documented

    Access to them must be controlled

    Trapdoors

    Causes of trapdoors: trapdoors can persist in production because developers

    Forget to remove them

    Intentionally leave them for testing

    Intentionally leave them for program maintenance

    Intentionally leave them as a covert means of access

    Salami attack

    Programs that disregard small amounts of money in computations (interest, tax calculations, etc.) may be vulnerable to a salami attack, where such shavings from transactions can be accumulated elsewhere

    Interface Illusion

    Spoofing attack in which all or part of a web page is false.

    Keystroke Logging

    Man-in-the-Middle Attack

    A malicious program interjects itself between two programs.
