When the tides of life turn against you... And the current upsets your boat... Don't waste those tears on what might have been... Just lay on your back and float!...

Lecture 5 ~Program Security~

Assalamualaikum w.b.t...

In Lecture 5 we studied the Program Security chapter... Topics in this lecture:-
~Vulnerabilities
•Secure Program
•Malicious Code
•Top 10 Web application vulnerabilities
~Safeguard to Program threat
~Pillar to Software Security


Secure Programs
~Different people have different perspectives on software quality.
~Tracking faults (from developers):
•Requirements
•Design
•Code inspections
Note: fixing might cause more faults
~Failures - are effects of faults
~Vulnerability and flaws do not map to faults and failures
~"Bugs" means different things, depending on context.
~IEEE says "fault" is the inside view, from the developer; "failure" is the outside
view, from the user
~Types of Flaws:
•validation error
•domain error
•serialization and aliasing
•inadequate identification and authentication
•boundary condition violation
•other exploitable logic errors


Nonmalicious Program Errors?
~Buffer Overflows
•Accidentally not checking array bounds (example: a C program)

~Incomplete Mediation - data exposed or uncontrolled
http://www.testing.com/order.asp?cutID=115&part=666&qty=3&price=500&total=1500
~Time of Check to Time of use
•the process of executing the instruction
•Process all the data in the local storage rather than put on the clipboard.
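
The order URL above carries `price` and `total` as client-supplied parameters, which is what incomplete mediation means in practice. An added example (not from the lecture) of complete mediation: the server keeps only `part` and `qty` from the request and derives price and total itself. The catalogue contents, the quantity limit and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed server-side catalogue: part number -> unit price (constructed data).
CATALOGUE = {"666": 500, "555": 120}
MAX_QTY = 100  # assumed business limit


class OrderRejected(ValueError):
    """Raised when a request fails server-side validation."""


def _single(params, name):
    """Return the only value of a parameter; reject missing or repeated ones."""
    values = params.get(name, [])
    if len(values) != 1:
        raise OrderRejected(f"{name}: expected exactly one value")
    return values[0]


def mediate_order(url):
    """Rebuild the order from trusted data; report client fields that disagree."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    part = _single(params, "part")
    if part not in CATALOGUE:
        raise OrderRejected("unknown part")

    qty_text = _single(params, "qty")
    # isascii() plus isdecimal() rejects signs, spaces and non-ASCII digits.
    if not (qty_text.isascii() and qty_text.isdecimal()):
        raise OrderRejected("qty must be a positive integer")
    qty = int(qty_text)
    if not 1 <= qty <= MAX_QTY:
        raise OrderRejected("qty out of range")

    price = CATALOGUE[part]  # never taken from the request
    total = price * qty      # recomputed, never taken from the request

    # Client-sent price/total are only compared, so tampering can be logged.
    tampered = [
        name for name, trusted in (("price", price), ("total", total))
        if name in params and params[name] != [str(trusted)]
    ]
    return {"part": part, "qty": qty, "price": price,
            "total": total, "tampered": tampered}
```
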


Viruses and Other Malicious Code
•Programs work on data and users usually don't see the raw data.
•Malicious users can make programs that access data and other programs other than
what was intended.
•Malicious code can do harm.
•Malicious code has been around for a long long time (70's).
•Malicious code can also be accidental.


Malicious Codes
~Unanticipated or undesired effects in programs, generated with the intent of damage
~Damage could be in the form of:
•modification/destruction
•stolen data
•unauthorized access
•damage on system
•or other forms not intended by users


Viruses and “Malicious Programs”
•Computer “Viruses” and related programs have the ability to replicate themselves
on an ever increasing number of computers. They originally spread by people
sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).

•Other “Malicious Programs” may be installed by hand on a single machine. They may
also be built into widely distributed commercial software packages. These are
very hard to detect before the payload activates (Trojan Horses, Trap Doors, and
Logic Bombs).


Taxonomy of Malicious Programs



Examples of malicious codes:
~Trojan Horse - a program which performs a useful function, but also performs an
unexpected action as well.
~Virus - a code segment which replicates by attaching copies to existing executables.
•Transient - only executes when the program that it is attached to runs.
•Resident - once the program executes the virus stays in memory until it gets
triggered again. Terminate and Stay Resident (TSR).
~Worm - a program which replicates itself and causes execution of the new copy.
~Bacteria - replicates until it fills all disk space, or CPU cycles.
~Logic bomb - malicious code that activates on an event (e.g., date).
~Trap Door (or Back Door) - undocumented entry point written into code for
debugging that can allow unwanted users.
~Spyware - This is new and can be non-malicious or malicious.
•Can steal your information (Identity Theft). This is done with a keystroke logger;
even though you use encryption on connections, the damage is already done
before you can send it.
•Can steal your email addresses
•Can see what Web sites you visit
•Can see contents of files
•PopUp ads
•Slow down your computer
•Crash your computer



Viruses
~Personal computer viruses exploit the lack of effective access controls in these
systems
•modify files and OS itself
~Characteristics of a virus:
•replication
•requires a host program as a carrier
•activated by external action
•replication limited to (virtual) system
~Viruses are currently designed to attack single platforms.
~A virus can be referred to, for example, as an IBM-PC virus (referring to the
hardware) or a DOS virus (referring to the hardware).
~The unexpected and uncontrollable replication of viruses makes them so dangerous.


How Viruses Attach
~Appended viruses - execute first, then transfer control to the original program.
~Surrounding viruses - have control before and after the regular program.
~Integrated viruses - replace some or all of the target program and give the
effect that the target program worked.


Virus Appended to a Program



How Viruses Gain Control
~The virus needs to have the CPU execute it to be in control.
~One way is to overwrite the program on the disk.
~Another is to move the original program and then, after the CPU executes the virus
code, transfer control to the program.
~Another is to install itself in memory and change the pointers of the operating
system or interrupt table to point to it.


Homes for Viruses
•Install itself in the boot sector (MBR, master boot record).
•Memory resident virus - (TSR) terminate and stay resident.
•Other homes such as applications like word processors and spread sheets and even
attachments to email.
•Even attachments to vendor distributed programs or games.


Types of Viruses
Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

Memory-resident Virus - Lodges in main memory as part of the residual operating system.

Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

Stealth Virus - explicitly designed to hide from Virus Scanning programs.

Polymorphic Virus - mutates with every new host to prevent signature detection.


Truths and Misconceptions About Viruses
•Although other computers/operating systems are vulnerable to Viruses, it seems the
mentality of the programmers of Viruses is more common on PCs.
•Viruses can modify hidden and read only files. True
•Viruses can appear only in data files or Word docs, or in programs. False
•Viruses spread only on disks or in e-mail. False
•Viruses can not live in memory when the computer is shut off, but they can still be
on other storage devices. Also Reboot (warm start) is vulnerable to Viruses in
memory. True
•Viruses cannot infect hardware. True
•Viruses can be malevolent, benign, or benevolent. True


How Worms Attack




Worms
~Characteristics of a worm:
•self-contained, do not require a host
•replication
•activated by creating process
•for network worms, replication occurs across communication links
~Worms exploit flaws in the operating system or inadequate system management to
replicate.
~Release of a worm usually results in brief but spectacular outbreaks, shutting down
entire networks.
~Protection against Worms
•requires a combination of basic system security and good network security
•add-on tools:
*configuration review tools
*checksum-based change detection tools
*intrusion detection tools
•network security tools:
*wrapper program : filter network connections
*firewall system
~The most important means of defense is the identification & authentication (I&A)
controls, which are usually integrated into the system. If poorly managed, these
controls become a vulnerability which is easily exploited.



Targeted Malicious Code
~The previous notes have dealt with anonymous code not targeted to a specific
system, application or a particular purpose.
~Trapdoors - secret, undocumented entry point into a module or program.
~Salami Attack


Trapdoors and the Salami Attack
~Trapdoors are often caused by programmers leaving debug routines in the code, or by
failure to check array bounds, which lets code overrun the array bounds and get
placed on the stack.
~Causes of Trapdoors:
•Programmer forgets to remove them.
•Programmer intentionally leaves them in for testing.
•Leaves them in intentionally for maintenance of the finished product.
•Leaves them in for later covert means of access.
~Salami Attacks refer to the simple fact that, when dealing with real numbers, the
computer has a fixed size and will perform rounding or truncation. There will
always be those programmers that will try to conceal the small amounts in the hope
that humans will not notice.



Top 10 web app vulnerabilities
~Attacks associated with program errors
•Cross site scripting
•Injection flaws
•Malicious file execution
•Insecure direct object reference
•Cross site request forgery
•Information leakage and improper error handling
•Broken authentication and session management
•Insecure crypto storage
•Insecure comms
•Failure to restrict URL access



Virus Signatures
~Virus cannot be completely invisible but can be very hard to detect, especially if
it has self-modifying code.
~The code it executes can be identified and a program can scan for the tell-tale
code.
~Usually it is at the start of a program or maybe a test and jump to code at the
bottom of the file.
~If the virus writer wants to keep the program size the same to prevent detection
then it has to replace some of the program code.
~But a good scanner with a checksum can detect the changes in the code.
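
The last point, that a checksum catches a modification even when the file size is kept the same, as an added example (not from the lecture): record a digest of each file while the system is clean and compare later. SHA-256 as the checksum, the file names and the overwritten bytes are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record size and digest for each file while the system is known clean."""
    return {p: (os.path.getsize(p), file_digest(p)) for p in paths}


def compare_to_baseline(baseline):
    """Return {path: finding} for every file that differs from the baseline."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif file_digest(path) != digest:
            same = os.path.getsize(path) == size
            findings[path] = ("modified, size unchanged" if same
                              else "modified, size changed")
    return findings


def demo():
    """Constructed sample: two dummy 'programs', one overwritten in place."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "editor.bin"), os.path.join(d, "game.bin")
        for p in (a, b):
            with open(p, "wb") as fh:
                fh.write(b"\x00" * 64 + b"ORIGINAL-CODE" + b"\x00" * 51)
        baseline = take_baseline([a, b])
        # Overwrite 13 bytes in place: the length stays at 128 bytes.
        with open(b, "r+b") as fh:
            fh.seek(64)
            fh.write(b"REPLACED-CODE")
        found = compare_to_baseline(baseline)
        return {os.path.basename(p): f for p, f in found.items()}
```

Keep the baseline on write-protected media, since a baseline stored beside the files can be rewritten along with them.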


Example of Code Red worm signature
GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
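
A scanner for the request shape shown above, as an added example (not from the lecture): it flags web-server log lines where a request for `default.ida` carries a long run of one filler character followed by `%uXXXX`-encoded words. The thresholds, the log format and the sample lines are constructed assumptions.

```python
import re

# Signature built from the request shape above: default.ida, one character
# repeated many times, then several %uXXXX-encoded words.
# Assumed thresholds: at least 100 repeats and at least 3 encoded words.
CODE_RED_LIKE = re.compile(
    r"GET\s*/default\.ida\?"                      # with or without a space after GET
    r"(?P<run>(?P<fill>[A-Za-z])(?P=fill){99,})"  # same character, 100+ times
    r"(?:%u[0-9a-fA-F]{4}){3,}",
    re.IGNORECASE,
)

# Source address and quoted request line of a common-log-style entry.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<request>[^"]*)"')

SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    '192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [19/Jul/2001:10:00:02 +0000] "GET /default.ida?'
    + "N" * 224 + "%u4141%u4242%u4343" + '=a HTTP/1.0" 404 0',
    '192.0.2.11 - - [19/Jul/2001:10:00:03 +0000] '
    '"GET /default.ida?q=help HTTP/1.0" 200 90',
    '203.0.113.5 - - [19/Jul/2001:10:00:04 +0000] "GET /default.ida?'
    + "X" * 300 + "%u4141%u4141%u4141" + ' HTTP/1.0" 404 0',
]


def scan_log(lines):
    """Return (source address, filler character, filler length) per match."""
    hits = []
    for line in lines:
        entry = REQUEST.match(line)
        if not entry:
            continue  # not in the assumed log format
        sig = CODE_RED_LIKE.search(entry.group("request"))
        if sig:
            hits.append((entry.group("ip"), sig.group("fill"),
                         len(sig.group("run"))))
    return hits
```

Because the pattern keys on the shape of the request and not on one fixed byte string, it still matches when the filler character changes; it does not help against code that changes shape on every copy, which is the polymorphic case described earlier.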


The Source of Viruses
•Virus program can be small so it hides very easily in a large program.
•Might hide in a compiler, a data base manager or a file manager.
•The number one spot is an attachment to email or some public download file.


Virus Phases
•Dormant phase - the virus is idle
•Propagation phase - the virus places an identical copy of itself into other
programs
•Triggering phase – the virus is activated to perform the function for which it was
intended
•Execution phase – the function is performed



Preventing Virus Infection
~Protection against viruses
•detection tools
*example : scanners, vulnerability monitors, modification detection programs
•identification tools
*example : scanners
•removal tools
*example : disinfectors
~Scanners and disinfectors are the most popular classes of anti-virus software.
~Personal and administrative practices and institutional policies with regard to
shared or external software usage should form the first line of defense.
~Ways to prevent Virus infections
•Use only commercial software acquired from reliable, well established vendors.
•Test all new software on an isolated computer.
•Do not put a floppy disk in the machine unless it has been scanned first.
•Do not open attachments to email unless they have been scanned. This includes
turning off the auto-open of attachments in mail readers.
•Scan any downloaded files before they are run.
•At least once a week update the virus signature data files.
~Make a bootable disk with a virus scan program on it and write-protect it.
~Make and retain backup copies of executable system files in the event the virus
detection program can't remove the virus.


Preventing Web application attack
•Input validation.
•Strong output encoding.
•Do not use "blacklist" validation
•Do not use GET requests (URLs) for sensitive data or to perform value transactions
•Disable or limit detailed error handling
•Errors from all layers should be adequately checked and configured to prevent error
messages from being exploited by intruders
•Do not allow the login process to start from an unencrypted page
•Encrypt Password
•Check the old password when the user changes to a new password
•Do not create cryptographic algorithms
•Do not use weak algorithms
•Ensure the access control matrix is part of the business, architecture, and design
of the application


Controls Against Program Threats
•Software Engineering
•Modularity, Encapsulation, and Information Hiding
•Peer reviews
•Hazard Analysis - HAZOP, FMEA, FTA
•Independent Testing
•Good Design
•Prediction
•Static Analysis
•Configuration Management
•Proofs of Program Correctness
•Operating System Controls - trusted software, confinement, audit log
•Administrative Controls - Standards of program development


Pillar of software security
•Risk Management
•Touchpoints
•Knowledge


Risk Management
•Business understands the idea of risk, even software risk
~Technical perfection is impossible
~There is no such thing as 100% security
•Perfect quality is a myth
•Technical problems do not always spur action
~Answer the "So what?" question explicitly
•Help users understand what they should do about risk
•Build better software


Touchpoints



Knowledge catalog
~Principles
~Guidelines
~Rules
~Attack patterns
~Vulnerabilities
~Historical Risks


Summary of Program Threats and Controls
~Malicious code gets a lot of publicity. But don't let media attention distract you
from the seriousness of the threat.
~There is no real way to measure the amount of damage that malicious code can do.
All one can do is estimate, and that is only for the discovered programs. What
about the ones that haven't been discovered or haven't been executed, or worse, the
ones that haven't been written yet?



Summary
~Viruses come in different forms
~Some are mere nuisances, some come with devastating consequences
~E-mail worms are self-replicating and clog the networks with unwanted traffic
~Virus codes are not necessarily complex
~It is necessary to scan the systems/networks for infections on a periodic basis for
protection against viruses
~Antidotes to new virus releases are promptly made available by security companies,
and this forms the major countermeasure.


That's some of what we learned in this lecture... Just enjoy!...


alhamdulillah...


"Learn to enjoy little things -- there are so many of them.."
