
Program Security

Lecture 3
Week 3

Topics

Vulnerabilities
Secure Programs
Malicious Code
Top 10 Web Application Vulnerabilities
Safeguards against Program Threats
Pillars of Software Security

Secure Programs

Different people have different perspectives on software quality.

Tracking faults (from developers):
  Requirements
  Design
  Code inspections
  Note: fixing might cause more faults

Failures are the effects of faults.

Vulnerabilities and flaws do not map to faults and failures.
"Bugs" means different things, depending on context.
IEEE says a "fault" is the inside view, from the developer.
A failure is the outside view, from the user.

Secure Programs

Types of Flaws:
  validation error
  domain error
  serialization and aliasing
  inadequate identification and authentication
  boundary condition violation
  other exploitable logic errors

Non-malicious Program Errors

Buffer Overflows
  Accidentally not checking array bounds. Example: C program.

Incomplete Mediation - data exposed or uncontrolled
  http://www.testing.com/order.asp?cutID=115&part=666&qty=3&price=500&total=1500

Time of Check to Time of Use
  the process of executing the instruction
  Process all the data in the local storage rather than put it on the clipboard.
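
Added example, not part of the original slides: server-side mediation of the order URL shown above, where price and total arrive from the client. The catalogue, the quantity limit and all function names are assumptions made for the illustration.

```python
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Constructed server-side data (assumptions): unit prices and a quantity limit.
CATALOGUE = {"666": Decimal("500")}
MAX_QTY = 100


class RejectedOrder(ValueError):
    """Raised when a request fails mediation."""


def mediate_order(url):
    """Validate an order URL and return values the server can trust."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {}
    for name in ("cutID", "part", "qty"):
        values = params.get(name, [])
        # Exactly one value per field: repeated parameters are ambiguous.
        if len(values) != 1:
            raise RejectedOrder(f"{name}: expected exactly one value")
        value = values[0]
        # Allowlist: short ASCII digit strings only (no sign, no decimals).
        if not (value.isascii() and value.isdigit() and len(value) <= 9):
            raise RejectedOrder(f"{name}: not a plain number")
        fields[name] = value
    if fields["part"] not in CATALOGUE:
        raise RejectedOrder("part: unknown part number")
    qty = int(fields["qty"])
    if not 1 <= qty <= MAX_QTY:
        raise RejectedOrder("qty: out of range")
    # Price and total come from server data, never from the request.
    price = CATALOGUE[fields["part"]]
    total = price * qty
    # A client copy that disagrees is ignored, but worth logging.
    mismatch = [name for name, expected in (("price", price), ("total", total))
                if name in params and params[name] != [str(expected)]]
    return {"customer": fields["cutID"], "part": fields["part"], "qty": qty,
            "price": price, "total": total, "client_mismatch": mismatch}


PAGE_URL = ("http://www.testing.com/order.asp"
            "?cutID=115&part=666&qty=3&price=500&total=1500")
ALTERED_URL = PAGE_URL.replace("price=500&total=1500", "price=5&total=15")

if __name__ == "__main__":
    print(mediate_order(PAGE_URL)["total"])
    print(mediate_order(ALTERED_URL)["client_mismatch"])
```

The order is always priced from the catalogue, so an altered price or total in the URL changes nothing except the mismatch list that can be logged.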

Viruses and Other Malicious Code

Programs work on data and users usually don't see the raw data.
Malicious users can make programs that access data and other programs other than what was intended.
Malicious code can do harm.
Malicious code has been around for a long, long time (70's).
Malicious code can also be accidental.

Malicious Codes

Unanticipated or undesired effects in programs, generated with the intent of damage
Damage could be in the form of:
  modification/destruction
  stolen data
  unauthorized access
  damage on system
  or other forms not intended by users

Viruses and Malicious Programs

Computer viruses and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a Worm).

Other malicious programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Taxonomy of Malicious Programs

Malicious Programs
  Need Host Program
    Trapdoors
    Logic Bombs
    Trojan Horses
    Viruses
  Independent
    Bacteria
    Worms

Examples of malicious codes:

Trojan Horse - a program which performs a useful function, but also performs an unexpected action as well.
Virus - a code segment which replicates by attaching copies to existing executables.
  Transient - only executes when the program that it is attached to runs.
  Resident - once the program executes, the virus stays in memory until it gets triggered again. Terminate and Stay Resident (TSR).

Examples of malicious codes:

Worm - a program which replicates itself and causes execution of the new copy.
Bacteria - replicates until it fills all disk space, or CPU cycles.
Logic bomb - malicious code that activates on an event (e.g., date).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.

Examples of malicious codes:

Spyware - this is new and can be non-malicious or malicious.
  Can steal your information (identity theft). This is done with a keystroke logger, and even though you use encryption on connections, the damage is already done before you can send it.
  Can steal your email addresses
  Can see what Web sites you visit
  Can see contents of files
  Pop-up ads
  Slow down your computer
  Crash your computer

Viruses

Personal computer viruses exploit the lack of effective access controls in these systems
  modify files and the OS itself
Characteristics of a virus:
  replication
  requires a host program as a carrier
  activated by external action
  replication limited to (virtual) system
Viruses are currently designed to attack single platforms. A virus can be referred to, for example, as an IBM-PC virus (referring to the hardware) or a DOS virus (referring to the hardware).
The unexpected and uncontrollable replication of viruses makes them so dangerous.

How Viruses Attach

Append viruses - execute first, then transfer control to the original program.
Surround virus - has control before and after the regular program.
Integrated viruses - replace some of the target program or all of the target and give the effect that the target program worked.

Virus Appended to a Program

[Figure: Original Program, A and Virus, B combine into Original Program, A + Virus, B]

How Viruses Gain Control

The virus needs to have the CPU execute it to be in control.
One way is to overwrite the program on the disk.
Another is to move the original program and, after the CPU executes it, transfer control to the program.
Another is to install itself in memory and change the pointers of the operating system or interrupt table to point to it.

Homes for Viruses

Install itself in the boot sector, the master boot record (MBR).
Memory resident virus - terminate and stay resident (TSR).
Other homes such as applications like word processors and spreadsheets, and even attachments to email.
Even attachments to vendor distributed programs or games.

Types of Viruses

Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus - lodges in main memory as part of the residual operating system.
Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
Stealth Virus - explicitly designed to hide from virus scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.

Truths and Misconceptions About Viruses

Although other computers/operating systems are vulnerable to viruses, it seems the mentality of the programmers of viruses is more common on PCs.
Viruses can modify hidden and read-only files. True
Viruses can appear only in data files or Word docs, or in programs. False
Viruses spread only on disks or in e-mail. False
Viruses cannot live in memory when the computer is shut off, but they can still be on other storage devices. Also, a reboot (warm start) is vulnerable to viruses in memory. True
Viruses cannot infect hardware. True
Viruses can be malevolent, benign, or benevolent. True

How Worms Attack

[Figure: Original Program, A and Worm, B]

Worms

Characteristics of a worm:
  self-contained, do not require a host
  replication
  activated by creating process
  for network worms, replication occurs across communication links
Worms exploit flaws in the operating system or inadequate system management to replicate.
Release of a worm usually results in brief but spectacular outbreaks, shutting down entire networks.

Worms

Protection against worms requires a combination of basic system security and good network security
  add-on tools:
    configuration review tools
    checksum-based change detection tools
    intrusion detection tools
  network security tools:
    wrapper program: filter network connections
    firewall system
The most important means of defense is the identification & authentication (I&A) controls, which are usually integrated into the system. If poorly managed, these controls become a vulnerability which is easily exploited.

Targeted Malicious Code

The previous notes have dealt with anonymous code not targeted to a specific system, application or a particular purpose.
Trapdoors - secret, undocumented entry point into a module or program.
Salami Attack

Trapdoors and the Salami Attack

Trapdoors are often caused by programmers leaving debug routines in the code, or by failure to check array bounds, which lets code overrun the array bounds and get placed on the stack.

Causes of Trapdoors:
  Programmer forgets to remove them.
  Programmer intentionally leaves them in for testing.
  Leaves them in intentionally for maintenance of the finished product.
  Leaves them in for later covert means of access.

Salami Attacks refer to the simple fact that when dealing with real numbers the computer has a fixed size and will perform rounding or truncation. There will always be those programmers that will try to conceal the small amounts in the hope that humans will not notice.
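
Added example, not part of the original slides: an audit that recomputes each interest posting with exact decimal arithmetic, so that truncation residue cannot go unnoticed. The truncate-to-the-cent policy, the rounding ledger, the rate and all account data are assumptions constructed for the illustration.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")


def entitled(balance, period_rate):
    """Exact interest and the amount policy allows to be credited (truncated)."""
    exact = balance * period_rate
    return exact, exact.quantize(CENT, rounding=ROUND_DOWN)


def reconcile(balances, posted, period_rate, booked_residue):
    """Recompute every posting independently of the program that made it.

    Returns the accounts whose credit differs from the truncated amount and
    the gap between the residue that should exist and the residue booked.
    """
    mismatched = {}
    expected_residue = Decimal(0)
    for account, balance in balances.items():
        exact, credit = entitled(balance, period_rate)
        expected_residue += exact - credit
        difference = posted.get(account, Decimal(0)) - credit
        if difference != 0:
            mismatched[account] = difference
    # Postings to accounts that are not in the balance file at all.
    for account in posted.keys() - balances.keys():
        mismatched[account] = posted[account]
    return mismatched, expected_residue - booked_residue


# Constructed sample data: three accounts, one interest period at 0.65%.
RATE = Decimal("0.0065")
BALANCES = {"A1": Decimal("102.87"), "A2": Decimal("1500.25"), "A3": Decimal("87.49")}
# Constructed postings: A3 was credited one cent more than its entitlement,
# and the rounding ledger holds one cent less than the residue produced.
POSTED = {"A1": Decimal("0.66"), "A2": Decimal("9.75"), "A3": Decimal("0.57")}
BOOKED_RESIDUE = Decimal("0.008965")

if __name__ == "__main__":
    print(reconcile(BALANCES, POSTED, RATE, BOOKED_RESIDUE))
```

Both findings point at the same cent: the per-account check names the account, and the residue gap shows where the amount came from.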

Top 10 Web App Vulnerabilities

Attacks associated with program errors:
  Cross site scripting
  Injection flaws
  Malicious file execution
  Insecure direct object reference
  Cross site request forgery
  Information leakage and improper error handling
  Broken authentication and session management
  Insecure crypto storage
  Insecure comms
  Failure to restrict URL access

Safeguards against Program Threats

Virus Signatures

A virus cannot be completely invisible, but it can be very hard to detect, especially if it has self-modifying code.
The code it executes can be identified, and a program can scan for the telltale code.
Usually it is at the start of a program, or maybe a test and jump to code at the bottom of the file.
If the virus writer wants to keep the program size the same to prevent detection, then it has to replace some of the program code.
But a good scanner with a checksum can detect the changes in the code.
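
Added example, not part of the original slides: checksum-based change detection as named above and in the list of add-on tools against worms. It shows that replacing bytes in place, with the file size unchanged, still alters the digest. File names and contents are constructed for the demonstration, and SHA-256 is this example's choice of checksum.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each file's relative path to (size, SHA-256 digest)."""
    result = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            result[os.path.relpath(path, root)] = (os.path.getsize(path), sha256_of(path))
    return result


def changes(baseline, current):
    """Compare two snapshots; return sorted (path, finding) pairs."""
    found = [(p, "new file") for p in current if p not in baseline]
    for path, (size, digest) in baseline.items():
        if path not in current:
            found.append((path, "missing"))
        elif current[path][1] != digest:
            same = current[path][0] == size
            found.append((path, "modified, same size" if same else "modified, size changed"))
    return sorted(found)


def demo():
    """Constructed scenario: 13 bytes of a program are replaced in place."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "editor.bin")
        with open(target, "wb") as handle:
            handle.write(b"A" * 64 + b"original code")
        baseline = snapshot(root)
        with open(target, "r+b") as handle:
            handle.seek(64)
            handle.write(b"replaced code")  # same length as the original bytes
        with open(os.path.join(root, "dropped.bin"), "wb") as handle:
            handle.write(b"x")
        return changes(baseline, snapshot(root))
```

In practice the baseline has to live somewhere the monitored system cannot write to, for the same reason the slides recommend a write-protected scan disk.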

Example of Code Red worm signature

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
1b%u53ff%u0078%u0000%u00=a HTTP/1.0
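
Added example, not part of the original slides: detection logic that looks for the structure of the request above (a .ida target, a long run of one filler character, %u-encoded words) in web server access logs. The log format, the 100-character threshold and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Structural features of the request shown above: a .ida target, a long run of
# one repeated filler character, and %uXXXX-encoded words in the query string.
IDA_REQUEST = re.compile(r'"[A-Z]+\s*(/\S*?\.ida)\?(\S*)', re.IGNORECASE)
FILLER_RUN = re.compile(r"(.)\1{99,}")  # 100+ identical characters (assumed threshold)
UNICODE_ESCAPE = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)
FULL_SIGNATURE = ["ida-request", "filler-run", "unicode-escapes"]


def classify(line):
    """Return the matched features, or [] if the line is not a .ida request."""
    match = IDA_REQUEST.search(line)
    if not match:
        return []
    query = match.group(2)
    features = ["ida-request"]
    if FILLER_RUN.search(query):
        features.append("filler-run")
    if len(UNICODE_ESCAPE.findall(query)) >= 2:
        features.append("unicode-escapes")
    return features


def scan(lines):
    """Count full-signature hits per source address (first log field)."""
    hits = Counter()
    for line in lines:
        if classify(line) == FULL_SIGNATURE:
            hits[line.split()[0]] += 1
    return dict(hits)


# Constructed access-log lines (documentation addresses, shortened payloads).
STAMP = ' - - [19/Jul/2001:14:02:11 +0000] '
SAMPLE_LOG = [
    '192.0.2.10' + STAMP + '"GET /default.ida?' + "N" * 224 + '%u9090%u9090=a HTTP/1.0" 404 -',
    # Same structure with a different filler character: an exact-string match
    # on the N run would miss it, the structural check does not.
    '192.0.2.10' + STAMP + '"GET /default.ida?' + "X" * 224 + '%u9090%u9090=a HTTP/1.0" 404 -',
    '198.51.100.7' + STAMP + '"GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7' + STAMP + '"GET /search.ida?q=report HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```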

The Source of Viruses

A virus program can be small, so it hides very easily in a large program.
It might hide in a compiler, a database manager or a file manager.
The number one spot is an attachment to email or some public download file.

Virus Phases

Dormant phase - the virus is idle
Propagation phase - the virus places an identical copy of itself into other programs
Triggering phase - the virus is activated to perform the function for which it was intended
Execution phase - the function is performed

Preventing Virus Infection

Protection against viruses
  detection tools
    example: scanners, vulnerability monitors, modification detection programs
  identification tools
    example: scanners
  removal tools
    example: disinfectors
Scanners and disinfectors are the most popular classes of anti-virus software.
Personal and administrative practices and institutional policies with regard to shared or external software usage should form the first line of defense.

Preventing Virus Infection

Ways to prevent virus infections:
  Use only commercial software acquired from reliable, well established vendors.
  Test all new software on an isolated computer.
  Do not put a floppy disk in the machine unless it has been scanned first.
  Do not open attachments to email unless they have been scanned. This includes turning off the auto open of attachments in mail readers.
  Scan any downloaded files before they are run.
  At least once a week update the virus signature data files.
  Make a bootable disk with a virus scan program on it and write-protect it.
  Make and retain backup copies of executable system files in the event the virus detection program can't remove the virus.

Preventing Web application attack

Input validation.
Strong output encoding.
Do not use "blacklist" validation
Do not use GET requests (URLs) for sensitive data or to perform value transactions
Disable or limit detailed error handling
Ensure errors from all layers are adequately checked and configured to prevent error messages from being exploited by intruders
Do not allow the login process to start from an unencrypted page
Encrypt Password
Check the old password when the user changes to a new password
Do not create cryptographic algorithms
Do not use weak algorithms
Ensure the access control matrix is part of the business, architecture, and design of the application
More: refer to the OWASP Top 10 official document
http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf

Controls Against Program Threats


Software Engineering
Modularity, Encapsulation, and Information Hiding
Peer reviews
Hazard Analysis HAZOP, FMEA, FTA
Independent Testing
Good Design
Prediction
Static Analysis
Configuration Management
Proofs of Program Correctness
Operating System Controls - trusted software, confinement, audit log
Administrative Controls - Standards of program development

Pillars of Software Security

Risk Management
Touchpoints
Knowledge

Risk Management

Business understands the idea of risk, even software risk
Technical perfection is impossible
  There is no such thing as 100% security
  Perfect quality is a myth
Technical problems do not always spur action
  Answer the "So what?" question explicitly
Help users understand what they should do about risk
Build better software

Touchpoints

Knowledge catalog

Principles
Guidelines
Rules
Attack patterns
Vulnerabilities
Historical Risks

Summary of Program Threats and Controls

Malicious code gets a lot of publicity. But don't let media attention distract you from the seriousness of the threat.
There is no real way to measure the amount of damage that malicious code can do. All one can do is estimate, and that is only for the discovered programs. What about the ones that haven't been discovered or haven't been executed, or worse, the ones that haven't been written yet?

Summary of Program Threats and Controls

Sites to research for Viruses, Worms, Hoaxes and other Malicious Code:
  The Department of Energy's CIAC Hoax page
    http://ciac.llnl.gov/ciac/CIACHoaxes.html
  The Symantec Corporation (Norton Anti-virus Home) SARC database
    http://www.symantec.com/avcenter/hoax.html
  Network Associates (McAfee and Dr. Solomon Antivirus) web page
    http://vil.nai.com/villib/alpha.asp
  The CERT (Computer Emergency Response Team)
    http://www.cert.org/
  The SANS Institute (System Administration, Networking, and Security)
    http://www.sans.org/newlook/home.htm

Summary

Viruses come in different forms
Some are mere nuisances, some come with devastating consequences
E-mail worms are self-replicating and clog the networks with unwanted traffic
Virus codes are not necessarily complex
It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses
Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure.
