Outline for Today's Lecture


Administrative:

Objective:
– Viruses and worms

Viruses and Worms

• Virus = program that can reproduce itself by attaching its code to another executable program
  – activated by executing its host

• Worm = program that replicates itself and causes execution of the new copy
  – self-contained
  – hijacks or creates a new process

Lifecycle of an Attack

Probe:      scan ports; ping addresses; guess passwords; harvest addresses from the email address book
Penetrate:  mail attachments; buffer overflows; backdoors; macros
Persist:    create / modify files; infect the boot sector; modify the registry; weaken security settings; hide and disguise actions
Propagate:  use the email client; bring up own SMTP or HTTP servers; FTP
Paralyze:   do damage: destroy data; denial of service; leak information

History of Worms

1982 – Xerox PARC (Shoch and Hupp) envisions worms as an administrative mechanism to perform legitimate tasks on a distributed system

1988 – Morris worm is the first Internet worm (with dramatic consequences)

…
2001 – Code Red
2003 – Slammer, Blaster
2004 – Sasser, Witty

The Morris Internet Worm

• Nov. 1988, Robert Morris, Cornell grad student
• Consisted of two programs
  – a bootstrap to upload the worm
  – the worm itself

• The worm first hid its existence
• Next it replicated itself on new machines, using
  – rsh (trusted-host logins via hosts.equiv / .rhosts, no password needed)
  – finger name@site – overflow the finger daemon's stack with a long string
  – a bug in sendmail (its DEBUG mode) to mail the bootstrap and have it executed
  – password guessing to break user accounts and move on from there

• Too aggressive – even on an already-infected machine it let the new copy live 1 time in 7, so hosts filled up with copies
• Morris was caught and convicted

Stopping Attacks

• CERT (Computer Emergency Response Team) collects information on system flaws that can be attacked and fields reports of security break-ins

• Traditional timeline of an attack

  Application released with bug
      ↓
  Vulnerability announced & patch released
      ↓
  Bad guys create attack; attack released (often < 1 day after the announcement)
      ↓
  Good guys patch fast (the race is between the attack and the patch rollout)

How Viruses Work

• Virus usually written in assembly language
• Inserted into another program
  – using a tool called a "dropper"

• Virus stays dormant until the host program is executed
  – then infects other programs
  – eventually executes its "payload"
    • possibly waits for a significant (trigger) date

How Viruses Work

• An executable program
• with a parasitic virus at the front
• at the end
• spread over free space within the program (cavity virus)

Boot sector viruses
• First save and hide the real boot sector, then install themselves in its place
• When the machine boots, the virus copies itself into memory, making it a memory-resident virus
• Then boots the OS from the saved sector
• A device driver infected with a virus loads it at boot time

How Viruses Work

• (a) After the virus has captured the interrupt and trap vectors
  – the syscall trap is a good one to capture: the virus can watch for exec calls and infect each program as it is run
• (b) After the OS has retaken the printer interrupt vector
• (c) After the virus has noticed the loss of the printer interrupt vector and recaptured it

Macros

• Applications like Word or Excel allow macros that get executed via a keystroke or a menu item

• Attach a macro to the open-file function and you are off and running

• Macros can be sent in email attachments

• Some emailers automatically open attachments


How Viruses Spread

• Virus placed where it is likely to be copied

• When copied
  – infects programs on the hard drive and floppies
  – may try to spread over the LAN

• Attached to an innocent-looking email
  – when it runs, uses the mailing list (address book) to replicate

Stopping Attacks

• Identifying viruses and worms before they execute – antivirus; trusted code only

• Catching them in the act of misbehaving, before they do harm

• Monitoring and controlling what suspicious code can do – interpreters and sandboxing

Antivirus and Anti-Antivirus Techniques

(a) A program
(b) Infected program: metadata giveaways (e.g., a change in file length)
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Antivirus and Anti-Antivirus Techniques

Examples of a polymorphic virus: all of these examples do the same thing, but their byte sequences differ

Mutation engine – code that morphs the signature part of the virus each time it spreads, so no fixed byte string identifies every copy
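Added example (not from the lecture): a toy byte-signature scanner run against a toy "encrypted virus". Every copy carries the same clear-text decryptor stub, a one-byte key and the body XORed with that key. The body signature stops matching as soon as the key changes; the stub signature still matches, and a scanner that emulates the stub recovers the body and matches it again. All byte strings are constructed markers, not executable code.

```python
# Constructed stand-ins for a virus body and for the decryptor it needs.
TOY_BODY = b"TOY-VIRUS-BODY: find host, attach, run payload"
BODY_SIGNATURE = b"TOY-VIRUS-BODY"     # what a scanner would extract from a sample
DECRYPTOR_STUB = b"STUB:xor-loop:"     # must stay in clear so it can run
STUB_SIGNATURE = b"xor-loop"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_copy(key: int) -> bytes:
    """One 'infected file': clear stub, one-byte key, body XORed with the key.
    A mutation engine picks a fresh key for every copy."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(TOY_BODY, key)


def run_decryptor(blob: bytes) -> bytes:
    """What the stub does at run time (and what an emulating scanner repeats)."""
    key = blob[len(DECRYPTOR_STUB)]
    return xor_bytes(blob[len(DECRYPTOR_STUB) + 1:], key)


def plain_scan(blob: bytes, signature: bytes) -> bool:
    """Classic scanner: byte-string match over the file as stored on disk."""
    return signature in blob


def emulating_scan(blob: bytes, signature: bytes) -> bool:
    """Scanner that recognises the stub, runs the decryption in a sandbox and
    then matches the signature against the recovered body."""
    if blob.startswith(DECRYPTOR_STUB):
        return signature in run_decryptor(blob)
    return signature in blob


def demo():
    """For several keys: (body sig on disk, stub sig on disk, body sig after emulation)."""
    results = {}
    for key in (0x00, 0x5A, 0xA7):
        copy = make_copy(key)
        results[key] = (plain_scan(copy, BODY_SIGNATURE),
                        plain_scan(copy, STUB_SIGNATURE),
                        emulating_scan(copy, BODY_SIGNATURE))
    return results


if __name__ == "__main__":
    for key, flags in demo().items():
        print(f"key {key:#04x}: body-sig={flags[0]} stub-sig={flags[1]} emulated={flags[2]}")
```

With key 0x00 the body is stored in clear and the plain scan matches; with any other key only the stub signature matches on disk. A real polymorphic mutation engine also rewrites the stub itself (register renaming, junk instructions, reordered loops), which is why scanners fall back to emulation and behavioural heuristics rather than a fixed stub signature.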

Antivirus and Anti-Antivirus Techniques

• Integrity checkers – checksums of files compared against a stored baseline
• Behavioral checkers
• Virus avoidance
  – a good OS
  – install only shrink-wrapped software
  – use antivirus software
  – do not click on attachments to email
  – avoid active content
  – frequent backups

• Recovery from a virus attack
  – halt the computer, reboot from a known-safe disk, run the antivirus
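Added example (not from the lecture): a minimal integrity checker of the kind listed above. A baseline of SHA-256 digests is taken over a directory tree; a later scan reports files whose contents changed, files that disappeared and files that appeared. The directory and its files are constructed in a temporary location so the example runs offline.

```python
import hashlib
import os
import tempfile


def digest_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> digest for every regular file under root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = digest_file(full)
    return table


def compare(baseline: dict, current: dict):
    """Return (changed, missing, added) relative paths, each sorted."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return changed, missing, added


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed system tree, a baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls program bytes")
        _write(root, "bin/cat", b"original cat program bytes")
        _write(root, "etc/config", b"setting=1\n")
        baseline = snapshot(root)           # would be kept on read-only media

        # 1. parasitic infection: code appended to an executable
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"<constructed appended virus code>")
        # 2. a program removed
        os.remove(os.path.join(root, "bin/cat"))
        # 3. a new file dropped
        _write(root, "bin/backdoor", b"constructed dropped file")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    changed, missing, added = demo()
    print("changed:", changed)
    print("missing:", missing)
    print("added:  ", added)
```

Two caveats matter in practice. The baseline must live where the virus cannot rewrite it (read-only media, or digests computed as an HMAC under a key held offline); a plain checksum table on the same disk is silently "fixed" by any virus that recomputes it. And a memory-resident stealth virus that intercepts file reads will hand the checker the clean bytes, which is why the recovery procedure above starts from a known-safe boot disk.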

Trusted Mobile Code

When code is intentionally brought in, what can you do to protect yourself?
Only download code from sources you trust – use digitally signed code (a valid signature tells you who signed it, not that the code is harmless)

Mobile Code Sandboxing

Confine the effects of running (untrusted) code
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity

Interpreted Mobile Code

Applets can be interpreted by a Web browser

Interpretation

• The interpreter never lets go of the program counter itself

• The interpreter can check each instruction as it is emulated

• Transfers of control flow (jumps, calls, returns) are the danger points

• Performance cost, but it can be mitigated
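Added example (not from the lecture): a toy interpreter that confines a program to one sandbox of the kind drawn on the sandboxing slide and applies the per-instruction checks listed above. The address space is cut into 1-MB sandboxes; a program loaded at a sandbox's base may only touch memory and only transfer control inside that sandbox. The address check is the mask-and-compare the figure refers to: clear the low 20 bits and compare the rest with the sandbox base. The instruction set (LOAD/STORE/ADDI/JMP/JNZ/HALT) is invented for the example.

```python
SANDBOX_BITS = 20
SANDBOX_SIZE = 1 << SANDBOX_BITS           # 1 MB
HIGH_BITS = ~(SANDBOX_SIZE - 1)


class SandboxViolation(Exception):
    pass


def in_sandbox(addr: int, base: int) -> bool:
    """Valid iff addr has the same high-order bits as the sandbox base."""
    return addr >= 0 and (addr & HIGH_BITS) == base


def run(program, base: int, memory: dict, max_steps: int = 10_000) -> int:
    """Emulate `program` (list of (op, arg) at addresses base, base+1, ...).
    The interpreter owns the program counter; every memory operand and every
    control transfer is checked before the instruction takes effect."""
    if base % SANDBOX_SIZE:
        raise ValueError("base must be sandbox-aligned")
    pc, acc = base, 0
    for _ in range(max_steps):
        if not in_sandbox(pc, base) or pc - base >= len(program):
            raise SandboxViolation(f"pc {pc:#x} outside code of sandbox {base:#x}")
        op, arg = program[pc - base]
        if op == "LOAD":
            if not in_sandbox(arg, base):
                raise SandboxViolation(f"read of {arg:#x} from sandbox {base:#x}")
            acc, pc = memory.get(arg, 0), pc + 1
        elif op == "STORE":
            if not in_sandbox(arg, base):
                raise SandboxViolation(f"write to {arg:#x} from sandbox {base:#x}")
            memory[arg], pc = acc, pc + 1
        elif op == "ADDI":
            acc, pc = acc + arg, pc + 1
        elif op in ("JMP", "JNZ"):            # the danger point: control transfer
            if op == "JNZ" and acc == 0:
                pc += 1
                continue
            if not in_sandbox(arg, base):
                raise SandboxViolation(f"jump to {arg:#x} from sandbox {base:#x}")
            pc = arg
        elif op == "HALT":
            return acc
        else:
            raise SandboxViolation(f"illegal opcode {op!r}")
    raise SandboxViolation("step budget exhausted")


def try_run(program, base, memory):
    """'ok:<acc>' on a normal halt, otherwise the violation text."""
    try:
        return f"ok:{run(program, base, memory)}"
    except SandboxViolation as e:
        return f"violation: {e}"


BASE = 0x100000                     # second 1-MB sandbox
DATA = BASE + 0x1000                # a data word inside the same sandbox

PROGRAMS = {
    # well-behaved: counts the data word down to zero with a backward jump
    "countdown": [("LOAD", DATA), ("ADDI", -1), ("STORE", DATA),
                  ("JNZ", BASE), ("HALT", 0)],
    # writes to the first word of the neighbouring sandbox
    "escape-store": [("STORE", BASE + SANDBOX_SIZE), ("HALT", 0)],
    # jumps into the neighbouring sandbox's code
    "escape-jump": [("JMP", BASE + SANDBOX_SIZE + 0x10)],
}


def demo():
    return {name: try_run(prog, BASE, {DATA: 3}) for name, prog in PROGRAMS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The step budget is the interpreter's answer to a third escape route, an infinite loop that denies service; a native sandbox would need a separate timer for that. Hardware-assisted schemes (software fault isolation, WebAssembly-style bounds checks) do the same mask-and-compare inline before each memory or indirect-branch instruction, which is where the "performance cost" above comes from.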

Covert Channels

Can information be leaked from "confined" processes?

An encapsulated server can still leak to a collaborator via covert channels: observable performance patterns (e.g., busy/blocked, page faulting) that the collaborator samples over time

Covert Channels

A covert channel using file locking
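Added example (not from the lecture): the file-locking covert channel the figure above refers to, built on flock(2). The confined server (sender) signals one bit per clock tick by holding or releasing an exclusive lock on a scratch file it is otherwise allowed to use; the collaborator (receiver) reads the bit by attempting a non-blocking shared lock through its own open of the same file. No byte is ever written to the file: the information travels in the lock state. Two independent open() calls give two file descriptions, so the conflict shows up even inside one process, and the clock is an explicit step here rather than wall-clock time. Linux/POSIX only.

```python
import fcntl
import os
import tempfile


class Sender:
    """The confined process: may lock the file, may not write to the collaborator."""

    def __init__(self, path: str):
        self.fd = os.open(path, os.O_RDWR)

    def put_bit(self, bit: int) -> None:
        if bit:
            fcntl.flock(self.fd, fcntl.LOCK_EX)   # "1": hold the lock this tick
        else:
            fcntl.flock(self.fd, fcntl.LOCK_UN)   # "0": leave it free

    def close(self) -> None:
        fcntl.flock(self.fd, fcntl.LOCK_UN)
        os.close(self.fd)


class Receiver:
    """The collaborator: probes the lock state through its own file description."""

    def __init__(self, path: str):
        self.fd = os.open(path, os.O_RDONLY)

    def get_bit(self) -> int:
        try:
            fcntl.flock(self.fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        except BlockingIOError:                   # EWOULDBLOCK: sender holds it
            return 1
        fcntl.flock(self.fd, fcntl.LOCK_UN)       # got it, so it was free
        return 0

    def close(self) -> None:
        os.close(self.fd)


def to_bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def from_bits(bits) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def covert_transfer(message: bytes) -> bytes:
    """Push `message` through the lock channel and return what the receiver saw."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    sender, receiver = Sender(path), Receiver(path)
    received = []
    try:
        for bit in to_bits(message):   # one lock/unlock per clock tick
            sender.put_bit(bit)
            received.append(receiver.get_bit())
    finally:
        sender.close()
        receiver.close()
        os.unlink(path)
    return from_bits(received)


if __name__ == "__main__":
    print(covert_transfer(b"leaked secret"))
```

In a real deployment the two sides run in separate processes and agree on a tick interval, and the channel's bandwidth is whatever the scheduler lets them synchronise on. The performance-pattern channel on the previous slide is the same construction with CPU time or page faults as the shared resource; the only general defence is to remove or add noise to every resource the two processes can both observe.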

Covert Channels

• The pictures appear the same
  – 7-bit colors cannot be distinguished from 8-bit colors by eye

• The picture on the right has the text of 5 Shakespeare plays
  – compressed and encrypted, inserted into the low-order bits of the color values

(Figure: Zebras – Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear)
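Added example (not from the lecture): hiding text in the low-order bit of 8-bit colour samples, the way the zebra picture carries the plays. The payload is compressed (zlib) and then encrypted so the hidden bits look random; the carrier is a constructed array of pseudo-random samples rather than a real image, and the cipher is a SHA-256-based XOR stream that stands in for a proper cipher. The final check shows why the two pictures look the same: no sample moves by more than 1 out of 255.

```python
import hashlib
import random
import zlib


def keystream(password: bytes, length: int) -> bytes:
    """Counter-mode stream from SHA-256; a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(data: bytes, password: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(password, len(data))))


def embed(samples, payload: bytes):
    """Store a 4-byte length and then the payload, one bit per sample LSB."""
    blob = len(payload).to_bytes(4, "big") + payload
    nbits = 8 * len(blob)
    if nbits > len(samples):
        raise ValueError(f"carrier holds {len(samples) // 8} bytes, need {len(blob)}")
    out = list(samples)
    for i in range(nbits):
        bit = (blob[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit        # replace only the low-order bit
    return out


def extract(samples) -> bytes:
    def read(start_bit: int, nbytes: int) -> bytes:
        value = bytearray()
        for b in range(nbytes):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (samples[start_bit + 8 * b + k] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def hide_text(samples, text: str, password: bytes):
    return embed(samples, xor_stream(zlib.compress(text.encode()), password))


def recover_text(samples, password: bytes) -> str:
    return zlib.decompress(xor_stream(extract(samples), password)).decode()


def max_sample_change(original, modified) -> int:
    return max(abs(a - b) for a, b in zip(original, modified))


def make_carrier(n: int, seed: int = 1):
    """Constructed 'picture': n pseudo-random 8-bit colour values."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


SAMPLE_TEXT = "Constructed stand-in for a play's text. " * 40   # compresses well


if __name__ == "__main__":
    carrier = make_carrier(20_000)
    stego = hide_text(carrier, SAMPLE_TEXT, b"correct horse")
    print(recover_text(stego, b"correct horse")[:40])
    print("largest per-sample change:", max_sample_change(carrier, stego))
```

Compression before encryption is what lets five plays fit in one picture; encryption is what keeps the low-order bits from showing the statistical fingerprint of text. A wrong password yields bytes that zlib rejects, and a scheme like this is still detectable by steganalysis that compares the LSB plane's statistics with those of a natural image, which is why the slide's point is about covertness from a casual viewer, not about secrecy from an analyst.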

Is it a Technical Problem?

Lots of known solution techniques

• Access control

• Crypto

• Firewalls

• Intrusion detection

So why isn’t it a solved problem?

Economics

“The party who is in a position to protect a system is not the party who would suffer the results of security failure.”

Ross Anderson

Security
• For whom is it built?
• Who pays for it?