Lecture 14 Overview. Secure programs Security implies some degree of trust that the program enforces expected – confidentiality, – integrity, and – availability

Lecture 14 Overview

Secure programs• Security implies some degree of trust that the

program enforces expected – confidentiality, – integrity, and – availability.

• Why is it so hard to write secure programs?– Axiom (Murphy):

Programs have bugs– Corollary:

Security-relevant programs have security bugsCS 450/650 Lecture 14: Program Security 2

Flaws, faults, and failures

• A flaw is a problem with a program• A security flaw is a problem that affects

security in some way– Confidentiality, integrity, availability

• Flaws come in two types: faults and failures• A fault is a mistake “behind the scenes”

– An error in the code, data, specification, process, etc.

– A fault is a potential problem

CS 450/650 Lecture 14: Program Security 3

Flaws, faults, and failures• A failure is when something actually goes

wrong– “Goes wrong” means deviation from desired

behaviour, • not necessarily from specified behaviour!

• A failure is the user/outside view• The quantity and types of faults in

requirements design and code implementation are often used as evidence of a product‘s quality or security


Types of security flaws: Genesis

• Some flaws are intentional– Malicious flaws are intentionally inserted to attack

• If it's meant to attack some particular system, we call it a targeted malicious flaw

– Nonmalicious (but intentional) flaws are often features that are meant to be in the system

• are correctly implemented, • but can cause a failure when used by an attacker

• Most security flaws are caused by unintentional program errors


Types of security flaws

• Most common sources of unintentional security flaws– Buffer overflows– Incomplete mediation– TOCTTOU errors (race conditions)


Buffer overflows

• The single most commonly exploited type of security flaw

• Simple example:#define LINELEN 1024

char buffer[LINELEN];

gets(buffer); orstrcpy(buffer, argv[1]);


Where a Buffer Can Overflow


Kinds of buffer overflows

• In addition to the classic attack which overflows a buffer on the stack to jump to shellcode, there are many variants:– Attacks which work when a single byte can be

written past the end of the buffer• often caused by a common off-by-one error

– Overflows of buffers on the heap instead of the stack

– Jump to other parts of the program, or parts of standard libraries, instead of shellcode


Defences against buffer overflows

• Use a language with bounds checking– And catch those exceptions!

• Non-executable stack– memory page is either writable or executable

• Stack (and code) at random addresses– Linux 2.6 does this

• “Canaries” that detect if the stack has been overwritten before return from each function– This is a compiler feature


Integer overflows• Machine integers can represent only a limited

set of numbers– might not correspond to programmer's model

• Program assumes integer is always positive– overflow will make (signed) integer wrap and

become negative, which will violate assumption• Program casts large unsigned integer to signed integer• Result of a mathematical operation causes overflow

• Attacker can pass values to program that will trigger overflow


Format string vulnerabilities

• Unfiltered user input is used as format string in printf(), fprintf(), sprintf(),. . .– printf(buffer) instead of printf("%s", buffer)

• First one will parse buffer for %'s and use whatever is currently on the stack to process found format parameters

– printf("%s%s%s%s") will likely crash program– printf("%x%x%x%x") will dump parts of the stack– The %n format parameter will cause writes to the

stack


Incomplete mediation

• Inputs to programs are often specified by untrusted users– Web-based applications are a common example

• Users sometimes mistype data in forms– Phone number: 51998884567– Email: iang#cs.uwaterloo.ca

• An application needs to ensure that what user has entered constitutes a meaningful request– This is called mediation


Incomplete mediation

• Incomplete mediation occurs when the application accepts incorrect data from user

• Sometimes this is hard to avoid– Phone number: 519-886-4567– This is a reasonable entry, that happens to be

wrong


Why do we care?

• What happens if someone fills in:– DOB: 98764874236492483649247836489236492

• Buffer overflow?

– DOB: '; DROP DATABASE clients --• SQL injection?

• We need to make sure that any user-supplied input falls within well-specified values– known to be safe


Client-side mediation

• forms that do client-side mediation– When you click “submit”, Javascript code will first

run validation checks on the data you entered– If you enter invalid data, a popup will prevent you

from submitting it

• Related issue: client-side state– Many web sites rely on the client to keep state for

them– Put hidden fields in the form which are passed

back to the server when user submits the formCS 450/650 Lecture 14: Program Security 16

Client-side mediation• Problem: what if the user

– Turns off Javascript?– Edits the form before submitting it?– Writes a script that interacts with the web server

instead of using a web browser at all?– Connects to the server “manually”?

• telnet server.com 80

• Note that the user can send arbitrary (unmediated) values to the server this way

• The user can also modify any client-side stateCS 450/650 Lecture 14: Program Security 17

Defences against incomplete mediation

• Client-side mediation is an OK method to use in order to have a friendlier user interface– but is useless for security purposes.

• You have to do server-side mediation– whether or not you also do client-side


Defences against incomplete mediation

• For values entered by the user– Always do very careful checks on the values of all

fields– These values can potentially contain completely

arbitrary 8-bit data and be of any length

• For state stored by the client:– Make sure the client has not modified the data in

any way


Time-Of-Check To Time-Of-Use errors

• TOCTTOU (“TOCK-too”) errors– Also known as “race condition” errors

• These errors occur when the following happens:– User requests the system to perform an action– The system verifies the user is allowed to perform

the action– The system performs the action


The problem

• State of the system changed between the check for permission and the execution of operation

• File whose permissions were checked for writeability by the user (file_he_owns) wasn't the same file that was later written to (/etc/passwd)– Even though they had the same name (logfile) at

different points in time


Program Flaws

• Taxonomy of flaws:– how (genesis)– when (time)– where (location)

• the flaw was introduced into the system

22CS 450/650 Lecture 16: Malicious Codes

Security Flaws by Genesis• Genesis

– Intentional• Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms,

Virus• Non-malicious

– Inadvertent• Validation error• Domain error• Serialization error• Identification/authentication error• Other error


Flaws by time

• Time of introduction– During development

• Requirement/specification/design• Source code• Object code

– During maintenance

– During operation


Flaws by Location

• Location– Software

• Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other

• Support tools: privileged utilities, unprivileged utilities• Application

– Hardware


Lecture 16

Malicious Codes

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Csilla Farkas and Brandon Phillips

Malware?

CS 450/650 Lecture 16: Malicious Codes 27

Kinds of Malicious Codes

• Virus: a program that attaches copies of itself into other programs. – Propagates and performs some

unwanted function– Viruses are not programs– Definition from RFC 1135: A virus is a piece of code

that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.


Kinds of Malicious Code• Worm: a program that propagates copies of

itself through the network. – Independent program. – May carry other code, including

programs and viruses. – Definition from RFC 1135: A worm is a program that

can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.


Kinds of Malicious Code

• Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources– Denying the user access to the resources

• Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered– When triggered, malicious code is executed


Kinds of Malicious Code• Trojan Horse: secret, undocumented routine

embedded within a useful program – Execution of the program results in execution of

secret code• Trapdoor: secret, undocumented entry point

into a program, used to grant access without normal methods of access authentication

• Dropper: Not a virus or infected file– When executed, it installs a virus into memory, on

to the disk, or into a file31CS 450/650 Lecture 16: Malicious Codes

Malware Evolution• 1980s

– Malware for entertainment (pranks)

– 1983: “virus”– 1988: Internet Worm

• 1990s– Malware for social status /

experiments– 1990: antivirus software

• Early 2000s– Malware to spam

• Mid 2000s– Criminal malware


Malware Evolution

CS 450/650 Fundamentals of Integrated Computer Security 33

Change in Malware Dynamics• Dynamics of Malware have changed and the visible

front has diminished.

CS 450/650 Fundamentals of Integrated Computer Security 34

Worms

Spam

Phishing

Bots

Viruses

Spyware

Targeted Trojans

Rootkits

“Spear Phishing”

Stable Front

Growing Front

Front in Decline

Visibility

PropagationPanda Software

Malware Targets

Platform %

*nix (Linux, BSD) 0.052%

Mac (OS X primarily) 0.005%

Mobile (Symbian, WinCE) 0.020%

Other (MySQL, IIS, DOS) 0.012%

Windows (XP SP2, SP3, Vista, 7) 99.91%


Malware Proliferation (2009-2010)


(Microsoft Security Intelligence Report 9)

Malware Families in 2010


Regional Threat Categories(Microsoft Security Intelligence Report 9)


Virus Lifecycle

• Dormant phase: the virus is idle– not all viruses have this stage

• Propagation phase: the virus places an identical copy of itself into other programs of into certain system areas

• Triggering phase: the virus is activated to perform the function for which it was created

• Execution phase: the function is performed– The function may be harmless or damaging


Virus Types

• Parasitic virus: – Attaches itself to a file and replicates when the

infected program is executed– most common form

• Memory resident virus: – lodged in main memory as part of a resident

system program– Virus may infect every program that executes


Virus Types

• Boot Sector Viruses:– Infects the boot record and spreads when system

is booted– Gains control of machine before the virus

detection tools– Very hard to notice

• Macro Virus:– virus is part of the macro associated with a

document41CS 450/650 Lecture 16: Malicious Codes

Virus Types

• Stealth virus: – A form of virus explicitly designed to hide from

detection by antivirus software

• Polymorphic virus: – A virus that mutates with every infection making

detection by the “signature” of the virus difficult


How Viruses Append

43

Original

program

virus

Original

program

virus

Virus appended to program

+ =

CS 450/650 Lecture 16: Malicious Codes

How Viruses Append

44

Original

program

virus

Original

program

Virus-1

Virus surrounding a program

+ =

Virus-2


How Viruses Append

45

Original

program

virus

Original

program

Virus-1

Virus integrated into program

+ =

Virus-2

Virus-3Virus-4


How Viruses Gain Control

• Virus V has to be invoked instead of target T– V overwrites T– V changes pointers from T to V


High risk virus properties

• Hard to detect• Hard to destroy• Spread infection widely• Can re-infect• Easy to create • Machine independent


Virus Signatures

• Storage pattern– Code always located on a specific address– Increased file size

• Execution pattern

• Transmission pattern

• Polymorphic Viruses


Antivirus Approaches

• Detection: – determine infection and locate the virus

• Identification: – identify the specific virus

• Removal: – remove the virus from all infected systems, so the

disease cannot spread further

• Recovery: – restore the system to its original state


Preventing Virus Infection

• Prevention:– Good source of software installed – Isolated testing phase– Use virus detectors

• Limit damage:– Make bootable diskette– Make and retain backup copies important

resources


Nyxem Email Virus

• Estimate of total number of infected computers is between 470K and 945K

• At least 45K of the infected computers were also compromised by other forms of spyware or botware

• Spread


Worm• Self-replicating (like virus)• Objective: system penetration (intruder)• Phases: dormant, propagation, triggering, and

execution • Propagation:

– Searches for other systems to infect • e.g., host tables

– Establishes connection with remote system– Copies itself to remote system– Execute


Code-Red Worm• On July 19, 2001, more than 359,000 computers connected to the Internet

were infected with the Code-Red (CRv2) worm in less than 14 hours

• Spread


Sapphire/Slammer Worm

• was the fastest computer worm in history– doubled in size every 8.5 seconds– infected more than 90 percent of vulnerable ~75K

hosts within 10 minutes.


Witty Worm

• reached its peak activity after approximately 45 minutes– at which point the majority of vulnerable hosts

had been infected

• World• USA


Browser-based Exploits• 10% Adobe Flash• 8% RealPlayer• 8% Microsoft

(Microsoft Security Intelligence Report 6)


Bank Logons• A Washington Mutual Bank account in

the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).

• It may appear to be less dangerous to resell access to a bank account rather than to use it directly.

McAfee ©2008


Lecture 16

Targeted Malware

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Csilla Farkas and Brandon Phillips

Targeted Malicious Code

• Trapdoor– undocumented entry point to a module

– forget to remove them– intentionally leave them in the program for testing– intentionally leave them in the program for

maintenance of the finished program, or– intentionally leave them in the program as a

covert means of access to the component after it becomes an accepted part of a production system

59CS 450/650 Lecture 16: Targeted Malicious Codes


• Salami Attack– a series of many minor actions that together

results in a larger action that would be difficult or illegal to perform at once

– Ex. Interest computation

• rootkit – A program or coordinated set of programs

designed to gain control over a computer system or network of computing systems



• Privilege Escalation– a means for malicious code to be launched by a

user with lower privileges but run with higher privileges

• Interface illusion – a spoofing attack in which all or part of a web

page is false

• Keystroke Logging



• Man-in-the-Middle Attacks

• Timing Attacks– attempts to compromise a cryptosystem by

analyzing the time taken to execute cryptographic algorithms

• Covert Channels– programs that leak information– Ex. Hide data in output


Covert Channel - Trojan Horse

John

Spy

Only John

is permitted

to access

the document

MS Word

Document

Spy’s

Document

copy

TH

installcopy


Covert Channel• Two active agents

– Sender (has access to unauthorized information)• e.g., Trojan Horse in MS Word

– Receiver (reads sent information)• e.g., program creating the copy

• Encoding schema– How the information is sent

• e.g., – File F exists 0– File F is does not exist 1

• Synchronization– e.g., when to check for existence of F


Storage Covert Channels

• Based on properties of resources– pass information by using presence or absence of

objects in storage

• Examples:– File locks– Delete/create file– Memory allocation


File Lock Covert Channel

66

File Existence Channel Used to Signal 100

67

Timing Covert Channel

• Time is the factor – how fast– pass information using the speed at which things

happen

• Examples:– Processing time– Transmission time


Covert Timing Channel

69

Covert Channel Detection and Removal

• Identification:– Shared resources– Program code correctness– Information flow analysis

• Removal:– Total removal – may not be possible– Reduce bandwidth


Controls Against Program Threats

• Prevent Threats during software development– Modularity

• security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components



• Prevent Threats during software development– Encapsulation

• hide a component's implementation details • minimize interfaces to reduce covert channels

– Information hiding • a component as a kind of black box • components will have limited effect on other

components



• Peer Reviews– Hazard Analysis

• set of systematic techniques to expose potentially hazardous system states

– Testing • unit testing, integration testing, function testing,

performance testing, acceptance testing, installation testing, regression testing



• Good Design– Using a philosophy of fault tolerance– Have a consistent policy for handling failures– Capture the design rationale and history– Use design patterns

• Prediction– predict the risks involved in building and using the

system



• Static Analysis– Use tools and techniques to examine characteristics

of design and code to see if the characteristics warn of possible faults

• Configuration Management– control changes during development and

maintenance• Analysis of Mistakes• Proofs of Program Correctness

– Can we prove that there are no security holes?75CS 450/650 Lecture 16: Targeted Malicious Codes

Operating System Controls on Use of Programs

• Trusted Software– code has been rigorously developed and analyzed

• Functional correctness• Enforcement of integrity• Limited privilege• Appropriate confidence level


Operating System Controls on Use of Programs

• Mutual Suspicion– assume other program is not trustworthy

• Confinement – limit resources that program can access

• Access Log – list who access computer objects, when, and for

how long


Administrative Controls

• Standards of Program Development• Standards of design• Standards of documentation, language, and coding

style• Standards of programming• Standards of testing• Standards of configuration management• Security Audits

• Separation of Duties


Documents

Lecture 14 Overview. Secure programs Security implies some degree of trust that the program enforces expected – confidentiality, – integrity, and – availability