Program security chapter 3

Chapter No 3 Computer Network Security

Written by Engr. Muhammad Waseem 1

Program security

Two types of program flaws

Non-malicious program flaws

Malicious program flaws

Non malicious program errors

Being human, programmers and other developers make many mistakes, most of which are

unintentional and non-malicious. Many such errors cause program malfunctions but do not lead to

more serious security vulnerabilities.

Buffer overflows

Incomplete mediation

Time-of-check to time-of-use errors

Buffer overflow

A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-

liter pitcher: Some water is going to spill out and make a mess. And in computing, what a mess these

errors have made.

A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because

memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the

programmer must declare the buffer's maximum size so that the compiler can set aside that amount of

space.

The computer equivalent of trying to pour two litre of water into a one-litre pitcher

A buffer is a space in which data can be held

Since memory is finite, so is the buffer

The programmer must declare the buffer size

char sample[10] sets a side ten bytes of memory

The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of the array,

sample[0] through sample[9]. Now we execute the statement

sample[10]=‘A’;

sample[i]=‘A’;

All program and data are in memory during execution, sharing the space with the OS, other

code and resident routines

If the extra character overwrites user’s data, it may affect the program’s results but not other

programs

If it overflows into the user’s program area, and overwrites an instruction to be executed the

machine will try to execute 0x41

Security implications

If the buffer overflows into system code space, the attacker merely inserts overflow data that

correspond to the machine code for instructions. The attacker may make use of the stack pointer or the

return register. Sub procedures calls are handled with a stack, a data structure in which the most recent

item inserted is the next one removed (last arrived, first served).An alternative style of buffer overflow



occurs when parameter values are passed into a routine, especially when the parameters are passed to a

web server on the Inter-net.

The attacker may replace code in system space by other instructions which will cause

control to be transferred to the attacker with OS privileges

The attacker could replace the return address

Identify what you are trying to protect.

Determine what you are trying to protect them from.

Determine how likely the threats are.

Implement steps that protect your assets in a cost effective manner

Review the process continuously making improvements when you find a weakness

Incomplete mediation

Incomplete mediation is another security problem that has been with us for decades. Attackers

are exploiting it to cause security problems.

Failure to perform “sanity checks” on data can lead to random or carefully planned flaws.

http://www.somesite.com/subpage/userinput&param1=(808)555-

1212&param2=2002Jan01

What if param2 were 1800Jan01? Or 1800Feb30? Or 2048Min32? Or

1Aardvark2Many?

A routine could fail on a data type error

Receiving program generates wrong result

The receiving program might have a default condition

The two parameters look like a telephone number and a date. Probably the client's (user's) web

browser enters those two values in their specified format for easy processing on the server's side. What

would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or

1Aardvark2Many?

Something would likely fail. As with buffer overflows, one possibility is that the system would fail

catastrophically, with a routine's failing on a data type error as it tried to handle a month named "Min"

or even a year (like 1800) which was out of range. Another possibility is that the receiving program

would continue to execute but would generate a very wrong result. (For example, imagine the amount

of interest due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing

server might have a default condition, deciding to treat 1Aardvark2Many as 3 July 1947. The

possibilities are endless.

Time-to-check to time-of-use errors

Its Involves in synchronization.

Modern OSs and processors usually change the order of instruction execution to increase

performance.

Instructions that appear to be adjacent may not be executed immediately after each other,

because of intentionally changed order or the effects of other processes in concurrent

execution.



we want to make sure that only those who should access an object are allowed that access

Every requested access must be governed by an access policy stating who is allowed access to

what, then the request must be mediated by an access policy enforcement agent

An incomplete mediation problem occurs if the access is not checked universally. It is also

known as a serialization or synchronization flaw.

A person draws five $20 bills from his pocket, carefully counts them and places them in front

of the seller. When the seller turns around to make his bill, he takes back one $20 bill, hands

over the stack of bills, takes his buy and leaves

An application request access to a file and passes a data structure. The mediator stores the

filename locally and checks for access rights. While the mediator checks for access, the user

may modify the locally stored file name and gain access to a different file

The problem is called a time-of-check to time-of-use flaw because it exploits the delay between the

two times. That is, between the time the access was checked and the time the result of the check was

used, a change occurred, invalidating the result of the check.

Security implication

Checking one action and performing another is an example of ineffective access control. We must be

wary whenever there is a time lag, making sure that there is no way to corrupt the check's results

during that interval.

Solutions:

Digital signatures and certificates. Time-of-check is when someone signs and

time-of-use is when anyone verifies the signature. If the private key is exposed,

the key must be revoked

Failures due to non-malicious flaws

ARPANET had hard coded 347 as the size of the node table

When a host’s node table reached 348, it crashed

Viruses and other malicious code

Malicious code can be a program or part of a program; a program part can even attach itself to

another (good) program so that malicious effect occurs whenever the good program runs.occurs

whenever the good program runs.

Much of the work done by programs is invisible to users. How can you tell if a game program

does nothing in addition to its expected interaction with you?

Malicious people can make programs serve as vehicles to access and change data and other

programs

Unanticipated or undesired effects in program parts

Example of Malicious code-possibilities

Write a message to the screen

Stopping a running program

Generating a sound

Erasing a stored file

Kinds of malicious code

Virus



Trojan horse

Logic bomb

Backdoor

Worm

Rabbit

Code Type Characteristics

Virus Attaches itself to program and propagates

copies of itself to other programs

Trojan

horse

Contains unexpected, additional

functionality

Logic

bomb

Triggers action when condition occurs

Time

bomb

Triggers action when specified time occurs

Trapdoor Allows unauthorized access to functionality

Worm Propagates copies of itself through a

network

Rabbit Replicates itself without limit to exhaust

resource

Virus

A program that can pass on malicious code to other non-malicious programs by modifying

them

Virus can be transient or resident

Transient virus’s life depends on the life of its host: the virus runs when the host does

A resident virus locates itself in memory

A program that pass on malicious code to other non malicious (program) by modifying them. Infects a

program by attaching the program . A good program, once infected becomes a carrier and infects other

program.



Trojan horse

Trojans are malicious programs that perform actions that have not been authorized by the user.

These actions can include: Deleting data, blocking data, Modifying data, and Copying data,

disrupting the performance of computers or computer networks.

A Trojan horse is malicious code that, in addition to its primary effect, has a second,

nonobvious malicious effect.

As an example of a computer Trojan horse, consider a login script that solicits a user’s

identification and password, passes the identification information on to the rest of the system

for login processing, but also retains a copy of the information for later, malicious use.

Logic bomb

A logic bomb is a class of malicious code that “detonates” or goes off when a specified

condition occurs.

A time bomb is a logic bomb whose trigger is a time or date.

Backdoor

A trapdoor or backdoor is a feature in a program by which someone can access the program

other than by the obvious, direct call, perhaps with special privileges.

For instance, an automated bank teller program might allow anyone entering the number

990099 on the keypad to process the log of everyone’s transactions at that machine.

Worm

A worm is a program that spreads copies of itself through a network.

The primary difference between a worm and a virus is that a worm operates through networks,

and a virus can spread through any medium (but usually uses copied program or data files).

Additionally, the worm spreads copies of itself as a standalone program, whereas the virus

spreads copies of itself as a program that attaches to or embeds in other programs.

Rabbit

Some literature also defines a rabbit as a virus or worm that self-replicates without bound, with

the intention of exhausting some computing resources.

A rabbit might create copies of itself and store them on disk, in an effort to completely fill the

disk,

How viruses attach

Virus can attach itself to program or data by: •Appending itself, so virus code is activated when

program is run. (Variation: Virus code before and after program.) •Integrating itself into program,

so virus code is spread out over its target program. Integrating itself into data, e.g. as an executable

text macro.

A virus will do nothing and will not spread unless it is executed. There are many ways to

ensure that a virus is executed

A setup program may call dozens or even hundreds of other programs, on the distribution disk,

already residing on the computer, or resident in memory

Human intervention is necessary to start the process

Email attachments

The virus code can be embedded in an executable file attachment

Objects such as graphics files can contain code to be executed by the editor, so they can be

transmission agents for viruses



Appended viruses

A program virus attaches itself to a program; then, whenever the program is run, the virus is activated.

This kind of attachment is usually easy to program.

Usually a virus inserts a copy of itself before the first executable instruction in a program.

This kind of attachment is Simple and usually effective

Typically the user does not notice the effects of the virus since the program does its job as

usual

Viruses that surround a program

An alternative to the attachment is a virus that runs the original program but has control before

and after a program execution.

a virus writer might want to prevent the virus from being detected. If the virus is stored on

disk, its presence will be given away by its file name, or its size will affect the amount of space

used on the disk.

A virus’ presence may be given away by the file size of the program, so the virus writer may

infect the file listing display program to regain control after the file listing is generated but

before it is displayed

Integrated viruses and replacements

When the virus replaces some of its target, integrating itself into the original code of the target.

The virus writer has to know the exact structure of the original program to know where to

insert which pieces of the virus.

Could replace the entire target



Document viruses

Most popular

Which is implemented within a formatted document, such as a written document, a database, a

slide presentation, or a spreadsheet.

These documents are highly structured files that contain both data (words or numbers) and

commands (such as formulas, formatting controls, links).

User sees only the contents of the document, so the virus writers includes the virus in the

commands

How viruses gain control

The virus (V) has to be invoked instead of the target (T).

The virus has to either seem to be the target, or has to push the target out of the way and

become a substitute

A virus could replace a target by assuming its name

The virus can overwrite the target on disk

How viruses gain control

The virus can change the pointers in the file tables so that the virus is located instead of the

target

Desirable qualities in viruses

Hard to detect

Not easily destroyed or deactivated.

Spreads widely

Re-infect its home program or other programs

Easy to create



Machine independent and OS independent

Few viruses meet all these criteria. The virus writer chooses from these objectives when deciding what

the virus will do and where it will reside.

The challenge for the virus writer was to write code that would be executed repeatedly so that the virus

could multiply. One execution is enough to ensure widespread distribution. Many viruses are

transmitted by e-mail, using either of two routes.

Homes for viruses

One time execution

Boot sector viruses

Memory-resident viruses

Other homes

One-time execution

Majority of viruses today execute only once, spreading their infection and causing their effect

in that one execution

A virus often arrives as an email attachment of a document virus and is executed just by

opening it

Boot sector viruses

A given hardware platform can run many different OS

The boot sector contains a boot loader to load the particular OS into memory and run it

To accommodate large boot loaders, chaining is used

The virus may break the chain anywhere and insert itself

Appeal: virus gains control early, when no detection tool is running, and is invisible to file

listing

When a computer is started, control begins with firmware that determines which hardware components

are present, tests them, and transfers control to an operating system. The boot sector is an especially

appealing place to house a virus. The virus gains control very early in the boot process, before most

detection tools are active, so that it can avoid, or at least complicate, detection. The files in the boot

area are crucial parts of the operating system.

Memory resident viruses

Some parts of the operating system and most user programs execute, terminate, and disappear, with

their space in memory being available for anything executed later. For very frequently used parts of

the operating system and for a few specialized user programs, it would take too long to reload the

program each time it was needed. Such code remains in memory and is called "resident" code



Some portions of the OS and a few specialized user programs would take too long to reload

each time they are needed, so they are kept in memory and are called resident code

e.g., routines that interpret keys pressed on the keyboard, error control, alarm clock

Virus writers also like to attach viruses to resident code because the resident code is activated many

times while the machine is running

Other homes for viruses

One popular home for a virus is an application program. Many applications, such as word processors

and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat

them with one invocation. Such programs also provide a "start-up macro" that is executed every time

the application is executed.

Libraries are also excellent places for malicious code to reside. Because libraries are used by many

programs, the code in them will have a broad effect. Executing code in a library can pass on the viral

infection to other transmission media. Compilers, loaders, linkers, runtime monitors, runtime

debuggers, and even virus control programs are good candidates for hosting viruses because they are

widely shared.

Application macros

Libraries

Compilers, linkers

Runtime monitors, runtime debuggers

Anti-virus

Virus signatures

A virus cannot be completely invisible

Code must be stored somewhere and must be in memory to execute.

A virus executes in a particular way and uses a certain method to spread

Each of these characteristics yields a tell-tale (presence of something) pattern called a

signature.

A virus scanner that can automatically detect and, in some cases, remove viruses. The scanner searches

memory and long-term storage, monitoring execution and watching for the signatures of viruses

.When the scanner recognizes a known virus's pattern, it can then block the virus, inform the user, and

deactivate or remove the virus. A virus scanner is effective only if it has been kept up-to-date

Virus effects and causes

Virus Effect How It Is Caused

Attach to executable program Modify file directory

Write to executable program file

Attach to data or control file Modify directory

Rewrite data

Append to data

Append data to self

Remain in memory handler address Intercept interrupt by modifying interrupt



table Load self in no transient memory area

Infect disks Intercept interrupt

Intercept operating system call (to format disk, for example)

Modify system file

Modify ordinary executable program

Conceal self-falsify result Intercept system calls that would reveal self and

Classify self as "hidden" file

Spread infection Infect boot sector

Infect systems program

Infect ordinary program

Infect data ordinary program reads to control its execution

Prevent deactivation de-activation Activate before deactivating program and block

Store copy to rein fact after deactivation

Execution patterns

A virus writer may want a virus to do several things at the same time

Spread infection

Avoid detection

Cause harm

Most virus writers seek to avoid detection for themselves and their creations. Because a disk's boot

sector is not visible to normal operations (for example, the contents of the boot sector do not show on

a directory listing) One virus can erase files, another an entire disk; one virus can prevent a computer

from booting, and another can prevent writing to disk. The damage is bounded only by the creativity

of the virus's author

Transmission patterns

A virus is effective only if it has some means of transmission from one location to another.

Viruses can travel

During the boot process

Over a network connection

Host’s execution

Remain in memory to infect other diskettes

Since a virus can execute any instructions a program can, virus travel is not confined to any single

medium or execution pattern.

Polymorphic viruses

The virus signature may be the most reliable way for a virus scanner to identify a virus

A clever virus writer can cause something other than specific strings to be in portions where a virus

scanner would look for those strings.



A virus that can change its appearance is called a polymorphic virus (Poly means "many"

and morph means "form".)

Two-form virus can be treated as two independent viruses, so the virus writer will want a large

or unlimited number of forms

A polymorphic virus has to randomly reposition all parts of itself and randomly change all

fixed data

A virus may randomly intersperse harmless instructions throughout its code

A simple variety of polymorphic virus uses encryption under various keys to make the stored form of

the virus different. These are sometimes called encrypting viruses.

Prevention of virus infection

The only way to prevent the infection of a virus is not to share executable code with an infected

source.

This was easy to do because it was easy to tell if a file was executable or not.

Today’s files are more complex, and a seemingly no executable file can contain executable.

Programs are usually configured to activate this code automatically, such as open attachments.

The file type is hidden in a field at the start of a file, so Windows would try to open an

executable file with a non-executable extension, with the appropriate program, failing which

the executable code will be run

Since you cannot know which sources are infected, assume that every outside source is

infected

Prevention

Use only software acquired from reliable and well-established vendors

Test all software on an isolated computer Test the computer with a copy of an up-to-date

virus scanner, created before running the suspect program. Only if the program passes these

tests should it be installed on a less isolated machine.

Open attachments only when you know them to be safe an attachment from an unknown

source is of questionable safety. You might also distrust an attachment from a known source

but with a peculiar message.

Make a recoverable system image and store it safely if your system does become infected,

this clean version will let you reboot securely because it overwrites the corrupted system files

with clean copies.

Make and retain backup copies of executable system files. This way, in the event of a virus

infection, you can remove infected files and reinstall from the clean backup copies (stored in a

secure, offline location, of course).

Use virus detectors (often called virus scanners) regularly and update them daily Many of the

virus detectors available can both detect and eliminate infection from viruses

Trapdoors

A trapdoor is an undocumented entry point to a module

The trapdoor Inserted during code development, perhaps to test the module, or to provide

hooks by which to connect future modifications, or enhancements, or to allow access if the

module should fail in the future

In addition to these legitimate uses, trapdoors can allow a programmer access to a program

once it is placed in production.



Trapdoors-Examples

Computing systems are complex structures, programmers usually develop and test systems in a

modular manner, taking advantage of the way the system is composed of modules or components.

Each small component of the system is tested first, separate from the other components, in a step

called unit testing, to ensure that the component works correctly by itself.

Components are tested together during integration testing, to see how they function as they send

messages and data from one to the other.

Rather than paste all modules together in a big bang approach, the modules are grouped into

several logical clusters of a few components each

Each cluster is tested in a way that allows testers to control and understand what might make a

component or its interface fail.

During component testing, the tester cannot use the surrounding routines that prepare input or

work with output, so they write “stubs” and “drivers” to inject data in and extract results.

These stubs and drivers are later discarded because they are replaced by the actual components.

The programmers embed debugging code into suspicious components.

To control stubs or invoke debugging code, the programmer embeds special control sequences

in the component's design, specifically to support testing.

Command insertion is a recognized testing practice, if left in place after testing, the extra

commands can become a problem.

The Internet Worm spread itself due to exactly this kind of a trapdoor in an email program

Poor error checking is another source of trapdoors

Trapdoors can be useful for system auditing or testing, but they must be documented and

access must be protected

Trapdoors-causes

Trapdoors can persist(continue firmly) in programs because the developer:

forgot to remove them

Intentionally left it there for testing

Intentionally left it for maintenance

intentionally leave them in the program as a covert means of access to the component

after it becomes an accepted part of a production system

The first case is an unintentional security blunder, the next two are serious exposures of the system's

security, and the fourth is the first step of an outright attack. It is important to remember that the fault

is not with the trapdoor itself, which can be a very useful technique for program testing, correction,

and maintenance. Rather, the fault is with the system development process, which does not ensure that

the trapdoor is "closed" when it is no longer needed. That is, the trapdoor becomes a vulnerability if no

one notices it or acts to prevent or control its use in vulnerable situations.

Covert channels

Programs that communicate information to people who shouldn’t receive it

The communication accompanies other perfectly proper communications e.g., a student may

communicate correct answer choices by coughing once for ‘a’, clearing her throat for ‘b’ and

so on

A programmer for a bank has no need to access the names or balances in depositors' accounts.



One way for the programmer to have a covert channel is to write to a file, print it out

A programmer should not have access to data once the program is in operation.

How to create covert channels

A programmer can always find ways to communicate data values covertly. Running a program that

produces a specific output report or displays a value may be too obvious. For example, in some

installations, a printed report might occasionally be scanned by security staff before it is delivered to

its intended recipient.

The programmer can encode the data values in another innocuous report by varying the format of the

output, changing the lengths of lines, or printing or not printing certain values. For example, changing

the word "TOTAL" to "TOTALS" in a heading would not be noticed, but this creates a 1-bit covert

channel. The absence or presence of the S conveys one bit of information. Numeric values can be

inserted in insignificant positions of output fields, and the number of lines per page can be changed.

A printed report would be too obvious

Encode data values into a different report format

Storage channels: pass information by using the presence or absence of objects in storage e.g.,

lock or not lock a file to signal one bit of information.

A simple example of a covert channel is the file lock channel. In multiuser systems, files can be

"locked" to prevent two people from writing to the same file at the same time (which could corrupt the

file, if one person writes over some of what the other wrote). The operating system or database

management system allows only one program to write to a file at a time, by blocking, delaying, or

rejecting write requests from other programs. A covert channel can signal one bit of information by

whether or not a file is locked

Timing channels: pass information by the speed at which things happen e.g., using or not using

an assigned amount of computing time (quantum).

In the simple case, a multi programmed system with two user processes divides time into blocks and

allocates blocks of processing alternately to one process and the other. A process is offered processing

time, but if the process is waiting for another event to occur and has no processing to do, it rejects the

offer.

How to prevent these flaws

Good software engineering practices

Operating system controls

Administrative controls

Program controls in general

Engineering

Program security chapter 3