3. Program Security

About This Presentation

Title:

3. Program Security

Description:

3. Program Security. Topics covered in this ... How to keep programs free from flaws? ... Common perception that type-safe languages are slow is mostly mistaken ... – PowerPoint PPT presentation

Number of Views:1889

Avg rating:3.0/5.0

Slides: 179

Provided by: ssrnet

Category:

more less

Transcript and Presenter's Notes

Title: 3. Program Security

1
3. Program Security

Topics covered in this chapter
Programming errors with security implications
Buffer overflows, incomplete access control
Malicious code
Virus, Trojan horses
Program development control
SW engineering principles and practices
Controls to protect against program flaws in
execution
OS support and administrative Controls

2
Program Security

Protecting programs is at the heart of computer
security.
Two important questions
How to keep programs free from flaws?
How to protect computing resources against
faulty/malicious programs?

3
3.1 Secure programs

What we mean by secure program?
How can we look at a SW component or code
fragment and assess its security?
different answer from different people
Similar to the problem of assessing SW quality in
general

4
Secure programs

One way to assess security
ask people to name the characteristics of SW that
contribute to its overall security
Likely to get different answers from different
people
Importance of the characteristics depends on who
is analyzing the SW
Can also be influenced by someones general
perspective on SW quality

5
Fixing faults

Early approach in computer security penetrate
and patch
Patch efforts were largely useless, making the
system less secure because they frequently
introduced new faults
Narrow focus on the fault and not on the context
Side effects
Fixing one problem often cause a failure
somewhere else
Fault could not be fixed properly due to system
functionality or performance worry

6
Unexpected behavior

Compare the requirements with the behavior
Program security flaw inappropriate behavior
caused by vulnerability.
Two separate logical categories
Inadvertent human errors
Malicious, intentionally induced flaws
Both are harmful

7
Unexpected behavior

Program security flaws are unavoidable because
Program controls apply at individual program and
programmer level.
Programming and S/W engineering technique evolves
too rapidly.

8
Type of Flaws Landwehr et al.s taxonomy LAN
1994

Validation error
Failure to validate operands/parameters
Failure to handle boundary conditions properly
Domain error
Holes in the fences
Incomplete destruction of data within a
deallocated objects
Incomplete destruction of its context
Serialization and aliasing
Time-of-check-to-time-of-use flaw
Two names exist for same object

9
Type of Flaws Landwehr et al.s taxonomy LAN
1994

Inadequate identification and authentication
Permit a protected operation to be invoked
without checking the identity and authority
sufficiently
Boundary condition violation
Omission of checks to assure boundary
condition(e.g., table size, file allocation or
other resource consumption)
Other exploitable logic errors
Bugs that can be invoked by users to cause system
crashes

10
3.2 Non-malicious program errors

Three classic error types that have enabled many
recent security breaches
Buffer overflows
Incomplete mediation
Time-of-check to time-of-use errors
Combination of these flaws

11
Buffer overflows

Definition
buffer (or array/memory) is a space in which data
can be held
Buffer overflow
When the length limitation of a space reserved
for data - a buffer - is not properly enforced,
the buffer overflows
Input data is written to the buffer and, if it is
longer than the buffer size, the space beyond the
end of the buffer is overwritten
This might corrupt other data, or more seriously,
the program code

12
Buffer overflows

Example
char sample10
Compiler sets aside 10 bytes (sample0
sample9)
sample10 A
Subscript is out of bounds
Compiler warning will be desirable, however
samplei A
Couldnt identify the problem until i was set
during execution

13
Buffer overflows

Difficulties
In some languages, buffer sizes do not have to be
predefined, so there is no way to detect an
out-of-bounds error
Code needed to check each subscript against its
potential maximum value takes time and space
during execution
Even if compiler were careful, this same problem
can be caused with pointers, for which there is
no reasonable way to define a proper limit
Thus, some compilers do not generate the code to
check for exceeding bounds.

14
Buffer overflows

sample10 B
Places where a buffer can overflow

Users Data
Memory
Affects users data
Users Data
Users Program Code
Memory
Affects users code
15
Buffer overflows

Places where a buffer can overflow

System data
Users Data
Memory
Affects system data
System Program Code
Users Data
Memory
Affects system code
16
Buffer overflows

Security implication
Attacker may replace code in the system space
Attacker may make use of the stack pointer or the
return register

17
Buffer overflows

Security implication
For a long time, buffer overflows were simply a
minor annoyance
Rather recently, attackers have used them as
vehicles to cause a system crash and controlled
failure with a serious security implication

18
Buffer overflows

Extremely common bug.
First major exploit 1988 Internet Worm,
fingerd.
10 years later over 50 of all CERT
advisories
1997 16 out of 28 CERT advisories.
1998 9 out of 13 --
1999 6 out of 12 --

19
Buffer overflows

Often leads to total compromise of host.
Fortunately exploit requires expertise and
patience.
Two steps
Locate buffer overflow within an application.
Design an exploit.

(until one exploit available)
20
What are buffer overflows?

Suppose a web server contains a function void
func(char str) char buf128
strcpy(buf, str)
do-something(buf)
When the function is invoked the stack looks
like
What if str is 136 bytes long? After
strcpy

21
Basic stack exploit

Main problem no range checking in strcpy().
Suppose str is such that after strcpy
stack looks like
When func() exits, the user will be given a
shell !!
Note attack code runs in stack.
To determine ret guess position of stack when
func() is called.

(exact shell code by Aleph One)
22
Some unsafe C lib functions

strcpy (char dest, const char src)
strcat (char dest, const char src)
gets (char s)
scanf ( const char format, )
printf (conts char format, )

23
Exploiting buffer overflows

Suppose web server calls func() with given URL.
Attacker can create a 200 byte URL to obtain
shell on web server.
Some complications
Program P should not contain the \0
character.
Null byte means end of string and copy will be
terminated
Overflow should not crash program before func()
exits.

24
Causing program to exec attack code

Stack smashing attack
Override return address in stack activation
record by overflowing a local buffer variable.
Function pointers (used in attack on Linux
superprobe)
Overflowing buf will override function pointer.
Longjmp buffers longjmp(pos) (used in
attack on Perl 5.003)
Overflowing buf next to pos overrides value of
pos.

25
Finding buffer overflows

Hackers find buffer overflows as follows
Run web server on local machine.
Issue requests with long tags. All long tags end
with .
If web server crashes, search core dump for
to find overflow location.
Some automated tools exist. (eEye Retina,
ISIC).

26
Preventing buf overflow attacks

Main problem
strcpy(), strcat(), sprintf() have no range
checking.
Safe versions strncpy(), strncat() are
misleading
strncpy() may leave buffer unterminated.
strncpy(), strncat() encourage off by 1 bugs.
Defenses
Type safe languages (Java, ML). Legacy code?
Mark stack as non-execute. Random stack
location.
Static source code analysis.
Run time checking StackGuard, Libsafe, SafeC,
(Purify).
Black box testing (e.g. eEye Retina, ISIC ).

27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
Type Safety for Security
32
(No Transcript)
33
Performance of Type Safe Languages

Common perception that type-safe languages are
slow is mostly mistaken
Compiler now lifts bounds checks out of loop
Null pointer checks are negligible cost
Garbage collection has come a long way, and can
even improve locality
Some Java programs are faster than C programs

34
Marking stack as non-execute

Basic stack exploit can be prevented by marking
stack segment as non-executable or randomizing
stack location.
Code patches exist for Linux and Solaris.
Some complications on x86.
Problems
Does not defend against return-to-libc exploit.
Overflow sets ret-addr to address of libc
function.
Some apps need executable stack (e.g. LISP
interpreters).
Does not block more general overflow exploits
Overflow on heap overflow buffer next to func
pointer.
Patch not shipped by default for Linux and
Solaris.

35
Static source code analysis

Statically check source to detect buffer
overflows.
Several consulting companies.
Compiler tools checks unsafe constructs
int main ( )
char str (char )malloc(10)
// allocate 10 bytes for str
gets (str ) // reads input from
stdin and store into str
When compiled with GCC, returns following
warning
/tmp/cc203ViF.o in function main
/tmp/cc203ViF.o(.text0x1f) the gets
function is dangerous and should not be used.

36
Static source code analysis

Several tools exist
_at_stake.com (l0pht.com) SLINT (designed for
UNIX)
Cigital its4. Scans function calls.
Berkeley Wagner, et al. Test constraint
violations.
Find lots of bugs, but not all.

37
Run time checking StackGuard

Many many run-time checking techniques
Solutions 1 StackGuard (WireX)
Run time tests for stack integrity.
Embed canaries in stack frames and verify their
integrity prior to function return.

Frame 1
Frame 2
topofstack
str
ret
sfp
local
canary
str
ret
sfp
local
canary
38
Canary Types

Random canary (used in Visual Studio 2003)
Choose random string at program startup.
Insert canary string into every stack frame.
Verify canary before returning from function.
To corrupt random canary, attacker must learn
current random string.
Terminator canary
Canary consists of four string termination
characters null, newline, linefeed, EOF
String functions will not copy beyond terminator.
Hence, attacker cannot use string functions to
corrupt stack.

39
StackGuard (Cont.)

StackGuard implemented as a GCC patch.
Program must be recompiled.
Minimal performance effects 8 for Apache.
Newer version PointGuard.
Protects function pointers and setjmp buffers by
placing canaries next to them.
More noticeable performance effects.
Note Canaries dont offer fullproof protection.
Some stack smashing attacks can leave canaries
untouched.

40
Run time checking Libsafe

Solutions 2 Libsafe (Avaya Labs)
Dynamically loaded library.
Intercepts calls to strcpy (dest, src)
Validates sufficient space in current stack
frame frame-pointer dest gt strlen(src)
If so, does strcpy. Otherwise, terminates
application.

topofstack
dest
ret-addr
sfp
src
buf
ret-addr
sfp
main
libsafe
41
More methods

Address obfuscation. (Stony Brook 03)
Encrypt return address on stack by XORing with
random string. Decrypt just before returning
from function.
Attacker needs decryption key to set return
address to desired value.
PaX ASLR Randomize location of libc.
Attacker cannot jump directly to exec function.

42
Format string bugs
43
Format function

a special kind of ANSI C function.
Functionality
Used to convert simple C datatypes to a string
representation
Allow to specify the format of the representation
Process the resulting string (output to stderr,
stdout, syslog, )
How the format function works
Format string controls the behavior of the
function
It specifies the type of parameters that should
be printed
Parameters are pushed on the stack either
directly (by value) or indirectly (by reference)

44
printf (Number d has no address, number d has
08x\n, i, a, a) From within the printf
function the stack looks like
Stack top . ltagt ltagt ltigt A Stack bottom
A address of the format string i value of the
variable i a value of the variable a a
address of the variable a
Source Exploiting Format String Vulnerability ,
scut /team teso, September 1, 2001
45
Format string problem

int func(char user)
fprintf( stdout, user)
Problem what if user sssssss ??
Most likely program will crash DoS.
If not, program will print memory contents.
Privacy?
Full exploit using user n
Correct form
int func(char user)
fprintf( stdout, s, user)

46
Format string problem

flagswidth.precisionmodifierstype
c Character
d or I signed decimal integer
f decimal floating point
o signed octal
x unsigned hexadecimal integer
s string of characters
p address pointed by the argument
n nothing printed. The argument must be a
pointer to integer where the number of characters
written so far will be stored

47
History

Danger discovered in June 2000.
Examples
wu-ftpd 2. remote root.
Linux rpc.statd remote root
IRIX telnetd remote root
BSD chpass local root

48
Vulnerable functions

Any function using a format string.
Printing
printf, fprintf, sprintf,
vprintf, vfprintf, vsprintf,
Logging
syslog, err, warn

49
Example

We can show some parts of the stack memory by
using a format string like this
printf ("08x.08x.08x.08x.08x\n")
retrieve five parameters from the stack and
display them as 8-digit padded hexadecimal
numbers.
possible output may look like
40012980.080628c4.bffff7a4.00000005.08059c04

50
Exploit

Dumping arbitrary memory
Walk up stack until desired pointer is found.
printf( 08x.08x.08x.08xs)
Writing to arbitrary memory
printf( hello n, temp) -- writes 6 into
temp.
printf( 08x.08x.08x.08x.n)

51
Overflow using format string

char errmsg512, outbuf512
sprintf (errmsg, Illegal command 400s,
user)
sprintf( outbuf, errmsg )
What if user 500d ltnopsgt ltshellcodegt
Bypass 400s limitation.
Will overflow outbuf.

52
Side Channel Attacks
53
Side Channel attacks

Attacks based on Side Channel Information
SCI is information that can be retrieved from the
encryption device that is neither the plaintext
nor the ciphertext.
Based on
timing information(time that operations take)
Radiation of various sort
Power consumption statistics
Type of attacks
Timing attack
Differential power analysis(DPA) attack
Simple power analysis(SPA) attack
Differential fault analysis attack

54
Timing attacks

Timing attacks are based on the time a device
takes to perform operations.
Cryptosystems often take slightly different
amounts of time to process different inputs.
Performance optimizations to bypass unnecessary
operations
Branching and conditional statements
RAM cache hits
Processor instructions
Encryption key and the input data

55
Timing attacks

Brumly and Boneh
Timing attack on openSSL
With detailed knowledge on cryptographic routines
used, can correlate cipher texts with time to
decrypt
Effective even with network and OS by trying many
times to reduce random noise
Other things may affect the timing of functions
Page faults
System calls
Interrupts

56
Timing attacks example

RSA operations
Attacker wants to compute R yx mod n (X is
secret key)
Assume attacker knows n and y.
Victim must compute yx mod n for several values
of y, where y, n, and the computation time are
known to the attacker and x stays the same.
Statistical method will lead to the recovery of
the key from these measurements.

57
Timing attacks example

Consider the following pwd checking code
int password-check( char inp, char pwd)
if (strlen(inp) ! strlen(pwd))
return 0
for( i0 i lt strlen(pwd) i)
if ( inpi ! pwdi )
return 0
return 1
A simple timing attack will expose the password
one character at a time.

58
Timing attacks example

Correct code
int password-check( char inp, char pwd)
oklen ( strlen(inp) strlen(pwd) )
for( ok1, i0 i lt strlen(pwd)
i)
ok ok ( inpi pwdi )
return ok oklen
Timing attack is ineffective (?)

59
Power Consumption attacks

based on analyzing the power consumption of the
unit while it performs the encryption operation.
SPA attacks
Based on the visual representation of the power
consumption while encryption operation is
performed
Direct interpretation of power consumption
measurements collected during cryptographic
operations
Amount of power consumption varies on the
instruction performed
Can reveal DES key schedule, DES permutations,
DPA attacks
Consist of not only of visual but also
statistical analysis and error-correction
statistical methods
Can reveal DES keys from most smart cards, RSA
algorithms

60
SIDE CHANNEL ATTACKS
SIDE CHANNEL ATTACKS
VANGELIS KARATSIOLIS
61
3. SIMPLE POWER ANALYSIS

Simple attack
Attacks features as
Double and add algorithm
Hamming weight of key bytes
General large features
Needs a few seconds
Direct observation of a systems power
consumption
Can gain very useful information

62
HOW SPA WORKS
Key 101011 Double-and-Add Algorithm
Power Trace
With Dummy Operations
0
1
0
1
1
Power Trace
63
COUNTERMEASURES-SPA

Avoiding procedures based on secret information
(conditional branches)
Reduce the leaked power
Prevent learning of the implementation
Introduce dummy operations

64
DIFFERENTIAL POWER ANALYSIS

Advanced attack
Data collection and then statistical analysis
Attacks many features of an implementation
Needs several hours
Difficult to prevent

65
HOW DPA WORKS

First collection of a big number of measurements
( 1000)
Then observation of the difference of execution
procedures (the last depends on secret
information)
And/or correlation with specific values
e.g. Key 101011 (2, 4, 5, 10, 20, 21, 42, 43)
3P is never computed!

66
COUNTERMEASURES-DPA

Randomisation of the expression of
computed/computing objects
No key dependency with the executing procedure
Blinding techniques
Reduction of side channel information
Randomise secret exponent

67
DPA vs. SPA

Low amount of experiments
Faster to launch

Not many implementation details
Noise is not so important
Attacks even small features

68
SPA-DPA GENERAL FEATURES

Very new kind of cryptanalytic attacks
Not theoretical attacks
Successfully analysing a smart card
Non invasive attacks
They are not noticeable
Easily transferred among systems
Performed in a few instances
Easily accessed information
Easy and low cost per device

69
RESISTANCE AGAINST POWER ATTACKS

Transistor layer
Technical reduction of side channel leakage
noise introduction
Algorithmic solutions

70
Differential Fault Analysis attacks

Fault analysis relates to the ability to
investigate ciphers and extract keys by
generating faults in a system
Faults are most often caused by changing the
voltage, tampering with clocks, or by applying
radiation
Can reveal DES sub key
Non-Differential Fault Analysis is also useful
for extracting DES keys

71
Incomplete mediation

Definition
Security problem caused by incorrect/incomplete
check of the parameters in the mediator
Example
http//www.somesite.com/subpage/userprintparm1(8
08)555-1212parm22004Jan01
What would happen if parm2 were submitted as
1800Jan01 or 1800Feb30 or 2048Min32 or
1Aardvark2Many?

72
Incomplete mediation

Solution anticipation
Correctness check on the clients side
Restrict the choices only to valid ones
However, the program is still vulnerable
User could edit the URL line
Server cannot distinguish whether the response
line came from clients browser or as a result of
users editing

73
Incomplete mediation

Security implication
Easy to exploit, but have been less used than
buffer overflows
Nevertheless, unchecked data values represent a
serious potential vulnerability

74
Incomplete mediation

Real example
http//www.thins.com/order/finalcustID101part5
55Aqy20price10shipboatshipcost5total205
By editing last total205 to total25
attacker could have ordered any product at any
price

75
Time-of-check to time-of-use errors

Definition
Incomplete mediation flaws relate to
serialization or synchronization
Example
Persons buying a sculpture that costs 100
Buyer draws five 20 from wallet
Carefully counts them in front of the seller
Seller turns around to write a receipt
While sellers back is turned, buyer takes back
one 20 bill
When the seller turns around, buyer hands over
the stack of bills, takes receipt, and leaves
with sculpture

76
Time-of-check to time-of-use errors

Example
Between the time when the security was
checked(counting the bills), and the
access(exchanging the sculpture for the bill), a
condition has changed
Example with computing systems
Suppose a request to access a file that were
presented as ltmy_file, change byte 4 to Agt
The mediator would copy the file name into its
own local storage area and compare from there

77
Time-of-check to time-of-use errors

While the mediator is checking access rights for
the file my_file, user could change the work
ticket as follows ltyour_file, delete filegt
Having read the work ticket once, the mediator
would not be expected to reread the ticket before
approving it the mediator would approve the
access and send the now-modified descriptor to
the file handler

78
(No Transcript)
79
(No Transcript)
80
(No Transcript)
81
Time-of-check to time-of-use errors

Difficulty
To improve efficiency, modern processors and OS
usually change the order in which instructions
and procedures are executed
Instructions that appear to be adjacent may not
actually be executed immediately after each other
Intentionally changed order
Concurrent execution

82
Time-of-check to time-of-use errors

Security implication
Checking one action and performing another is an
example of ineffective access control
Must be wary whenever there is a time lag, making
sure that there is no way to corrupt the checks
results during that interval

83
Time-of-check to time-of-use errors

Solution
Digital signatures and certificates
Time of check when the person signs
Time of use when anyone verifies the signature
If signers private key is disclosed before its
time of use, the key must be revoked

84
Combination of flaws

Worst aspect of all three flaws is that they can
by used together
Clever attacker uses flaws as common building
blocks to build a complex attack
We must know about and protect against even
simple flaws (Sidebar 3-3, page 112 of Textbook)

85
3.3 Viruses and other malicious code

Kinds of malicious code
Virus
Trojan horse
Logic bomb
Time bomb
Trapdoor
Worm
Rabbit

86
Kinds of malicious code

Virus
???? ????? ???? ?? ??? ??? ? ?? ????.
????? ?? ????? ??? ??? ?????, ?? ????? ????? ??.
Transient Virus
?? ????? ???? ??? ????.
Resident Virus
???? ????, ?? ????? ?????, ????? ????.

87
Kinds of malicious code(contd)

Trojan horse
??? ?? ??? ???? ????
e.g.) login process?? ???? ID, password? ??? ???
?? ????? ?? ?? ??? script?.
Logic bomb
?? ??? ???? ???? ?? ????
Time Bomb
?? ???? ?? ?? ???? ?? ????
Trapdoor or Backdoor
??? ????, ?? ????? ?? ??? ? ?? ????

88
Kinds of malicious code(contd)

Worm
????? ??? ?? ??? ?? ??? ????
Worm ? Virus? ??
Worm? network? ?? ??, Virus? ?? ???? ???? ??.
Worm? stand-alone ????, Virus? ??? ??? ?
Rabbit
????? ?? ???, ?? ???? ??? ?? ??? Virus ?? Worm

89
Summary of Malicious Code
90
How Viruses Attach

Appended Viruses
Virus That Surround a Program
Integrated Viruses and Replacements

91
Appended Viruses

????? ? executable instruction? ???
????? ??? ??? ?? ?? ??, ????
???? ??? ????

Virus Code
Original Program
Virus Code

Original Program
92
Virus Surrounding a Program
Virus Code part (a)
Original Program
Virus Code
Original Program

Virus Code part (b)
93
Virus Integrated into a Program

????? ?? ??? ??? ??? ??? ???, ????? ??? ?? ??? ??

Original Program
Virus Code

Modified Program

94
Document Viruses

Currently most popular
implemented within a document (ex. word document,
database, slide presentation, spreadsheet)
document contains data commands(formula,
formatting control, links)
commands are part of a PL including macros,
procedures, file accesses, system calls)

95
How Viruses Gain Control
T Target V Virus
before
after
V
T
T
T
V
file system
file system
file table
file table
Overwriting T
96
How Viruses Gain Control(contd)
T Target V Virus
before
after
V
V
T
T
T
T
file system
file table
file table
file system
Changing Pointers
97
Homes for Virus

The virus writer may find these qualities
appealing
It is hard to detect.
It is not easily destroyed or deactivated.
It spreads infection widely.
It can reinfect its home program or other
programs.
It is easy to create.
It is machine independent and OS independent.

98
Boot Sector Viruses

Bootstrap OS code? disk?? memory? ??? ?
control? ?? ?? ??
Boot sector Bootstrap load???? ?? ?? ???? disk
sector
Chain boot sector? ????? 512byte??, ??
bootstrap loader? ??? ?? ??? ?? block? ???? ???
??.
Virus writer? ? chain? ???? virus code? ??.
??
??? boot process?? control? ???? detection? ????
??? ? ? ??.
boot area file? ????? ???? ???? ??? ??? ?? ? ? ??.

99
Boot Sector Virus Relocating Code
Boot Sector
Other Sectors
Bootstrap Loader
System Initialization
chain
before infection
Boot Sector
Other Sectors
Virus Code
System Initialization
Bootstrap Loader
chain
chain
after infection
100
Memory-Resident Viruses

Resident code
???? ???? ????.
Memory-Resident Virus
Resident code? ???? ????.
Resident code? ??? ?? ???? ???, Virus? ?????
????.

101
Virus Signatures

A virus cannot be completely invisible.
Virus? ??? ?? ??? ???? ????? ???.
?? ???? Signature?? ??? ???? ?.
Virus scanner? ?? Signature? ??? Virus? ?????
???.

102
Virus Signatures(contd)

Code red Virus? Signature.

103
Virus Signatures(contd)

Signatures? ??? pattern? ?? ??.
Storage Patterns
Virus code? start? ?? ??? signature? ? ? ??
??
Program? ??? ?? ??? code? ??? ??.
??? Jump??? header? ??, ?? virus code? ?? ?? ??.
????? Virus? ?? ??? ????? ? ??? ???.
Virus? ?? program? ??? ??? ???? ?? program? ???
???? ?? ?? ??? ??.

104
Virus Signatures(contd)

Recognizable Patterns in Viruses

Recognizable Signature Elements
IF (--) JUMP
Attached Virus Code
Original Program
Original Program
Separate Virus Module
105
Virus Signatures(contd)

Execution Patterns
???? Virus? ???? ???, ?? ???? Program? ???? ???.
????, ?? ?????? Virus ??? ?? ??.
Transmission Patterns
Virus? ?? ??? ???.
?? ?? ?? Virus ??? ?? ?? ??.

106
Virus Signatures(contd)

Polymorphic Viruses
Virus that can change its appearance
?? ???? ?? ??? ?? ?? ??? ?? ??
??
use encryption with various keys(encrypring
viruses)
??? ??? Signature? ? ? ??.
?? ??? code jump ? data??? code? ??
redundant code? ??? ??
???? 0? ??? ??
jump to the next instruction? ??

107
Example of Malicious Code

To see how viruses and other types of malicious
code operate, we examine three types of malicious
code that affected many users worldwide
the Brain,
the Internet worm and
the Code Red worm.

108
The First example The Brain Virus

Introduction
?????? ???.
?? ?????? ????? ??? virus?.
??? ????? ?? ??? ??.
What It Does
Upper memory? ???.
?? ??? Virus? ??? ??. ?? ??? ??? ?? ??.
??? ???? ????? FAT ??

109
The Brain Virus(contd)

How It Spreads
Brain virus? 3 ?? ?? ??? ???? ??
??? ?? ??? boot sector? ??, ? boot sector? ??
disk sector? ???
??? ? ?? ?? ??? ?? 2 ?? disk sector? ??
??, ? 3 ?? ??? (? boot sector, ??? ??? ?? ??)
???? ? ?? disk sector? ??
?? ??? faulty? ??, OS? ???? ??? ?.
Disk drive? ?? Disk read request? ????, Brain
virus? ???? ?? ?? ?? ??.

110
Another Example The Internet Worm

Introduction
1988?? Cornell University ???? Morris? ??
?? ???? ???
?? ???? ???? ??? ???? network ??? ?? Network? ??
?? ?.
What It Did
Determine to where it could spread
Spread its infection
remain undiscovered and undiscoverable

111
The Internet Worm(contd)

What Effect It Had
???? ?? ??? System? ?? ??
???? ??? ???? ?? ?? ??? ?? ???? ?? ?? ???
Internet connection? ???.
Internet? ???? ????, ??? ?? ???? ??? ?.

112
The Internet Worm(contd)

How It Worked
How to spread
???? ID? ???, password guessing attack? ??.
fingerd? buffer overflow attack? ??.
sendmail handler? trapdoor? ????.
??? ???? command string? ???? ??

113
The Internet Worm(contd)

Spread infection
??? target? ?? ? ?? ??? ??? ???, boot loader?
target system? ??? ?? ???.
Remain undiscovered and undiscoverable
boot loader? full code? download ? ? code?
memory? ????? ??? ?, disk? ???? ????.
process? ??? id? ????? ????, ? process? ?? CPU
time? ???? ?? ???.

114
The Internet Worm(contd)

What was learned
sent shock wave through the internet community
COPS program was developed
affected sites tightened security
CERT(Computer Emergency Response Team) at CMU was
formed.

115
More Malicious Code Code Red

Introduction
2001?? ??.
9???? 250,000?? System? ???.
? ?? ?? ??? ??.
?? ??? ??? ??.
What It Did
Microsoft? Internet Information Server(IIS)? ????
??? ??
What Effect It Had
defaced web sites
?? ??? ??? ?? ??

116
Code Red(contd)

??? ?? ??? ?? ??? ??
1?19? 90?? thread? ??, ?? System ??
20?27? ????? DOS attack? ?
28? ?? ??? ?? ??
??? ?? Web site? ????? ???, ? ??? ??? ??? ???
??? ?? ?? ???? ?? ????? ??? ? ??? ?? ??? ???
????.

117
Code Red(contd)

How It Worked
trapdoor? ??? ?? windir\cmd.exe? ?? ??? ??
Code red? explorer.exe? ???? ?? ?? ?? Code red?
explorer.exe? ???? ??, detection? ????, Trojan
horse? ??? ? ?? ?.
??? ??? 300? ?? 600?? thread? ????, 24?? ??
48???? ?? ??? ???.

118
Code Red(contd)

'????' ???? ?? ?? ??
'Hi, How are you' ????? ??? ? ???? ?? ??? ?????
????? ??? ?? ?????? ?? ??.??? ??? ??? ??, ?? ???
?? ???? ? ??? ???? ???? ??.
?????? ??? 20? ???? ? ??? ?? ????(?? 1, 2) ????
??? ? ??? ??? 8? ?? ?? 1?3???? ???? ???.

119
Code Red(contd)

?????? ?? 7??? ??? ????? ??(??3) ? ??? ??? ???
??? ????? ??? .
????? ???????????? ????(OS) ? ??NT? ??2000? ????
????. ?? ?? ??? ?????, ??? ?? ??? ????? ??.
?? ??3? ??? ???? ??? ?? ??? ?? ??? ???? '?????'
????? ?? ?? ??? ? ?? ????? ??? ??? ??? ???? ??.
?? ?????? ????? ?? ?? ????.
???.??? ?? lthjyun_at_joongang.co.krgt
???? 2001. 08.08. 1834

120
VBS.ILoveYou.A Worm

VBS.ILoveYou.A worm (also known as
VBS.LoveLetter.A, VBS/LoveLet-A and The Love Bug)
VBS.ILoveYou.A is a new VBS based worm that has
recently (2000.5) begun spreading rapidly via
e-mail.
It can cause mail servers to become overloaded by
a huge volume of infected e-mail. It is written
in Microsoft's Visual Basic Script language.
It spreads by attaching itself to an outbound
e-mail sent to all addresses found in the
Microsoft Outlook Address Book.
The e-mail messages it sends always have a
subject of ILOVEYOU. The body contains a message
kindly check the attached LOVELETTER coming from
me.
There is an attachment called LOVE-LETTER-FOR-YOU.
TXT.vbs.
The attachment is the worm itself, which will
activate if the recipient opens the attachment.

121
VBS.ILoveYou.A Worm

The worm will install itself on a machine by
copying itself to multiple subdirectories under
the different names
In the Windows directory under the name
Win32DLL.vbs.
In the Windows system directory under the name
MSKernel32.vbs.
In the Windows system directory under the name
LOVE-LETTER-FOR-YOU.TXT.vbs.
The worm modifies registry information to make
itself run during the next boot up.
It also sets the default page of Internet
Explorer to download a copy of a file called
WIN_BUGSFIX.exe. The web pages it refers to are
currently not operational.
The virus can also use the mIRC program to
distribute itself via IRC channels. If it detects
the presence of mIRC, it will try to send an HTML
file containing itself to other IRC users.
This worm will operate on any system that has
Windows Scripting Host (WSH) installed (this is
the default for Windows 98 and Windows 2000).

122
Web Browser Security
CS 155
April 15, 2004

John Mitchell

123
Web Security

Martin Nystrom, CISSP
Security Architect
Cisco Systems, Inc.
mnystrom_at_cisco.com

124
Example Web Application
Internal network
Internet
DMZ
Protected network

AJP
IIOP
T9
etc.

DB
Web server
App server (optional)
Clear-text or SSL
Web app
HTTP request
Web app
Web app
transport
DB
Web app
Web client IE, Mozilla, etc.

Apache
IIS
Netscape
etc.

J2EE server
ColdFusion
Oracle 9iAS
etc.

Perl
C
CGI
Java
ASP
PHP
etc.

ADO
ODBC
JDBC
etc.

Oracle
SQL Server
etc.

HTTP reply (HTML, JavaScript, VBScript, etc.)
125
OWASP Top 10 Web Application Security
Vulnerabilities
http//www.owasp.org

Unvalidated parameters
Broken access control
Broken account/session management
Cross-site scripting flaws
Buffer overflows
Command injection flaws
Error handling problems
Insecure use of cryptography
Remote administration flaws
Web and app server mis-configuration

126
Browser and Network
Network
request
Browser
Web site
reply
OS
Hardware

Browser sends requests
May reveal private information (in forms,
cookies)
Browser receives information, code
May corrupt state by running unsafe code
Interaction susceptible to network attacks
Consider network security later in the course

127
Tuesday, February 12, 2002

Microsoft Issues New IE Browser Security Patch
By Richard Karpinski
Microsoft has released a security patch that
closes some major holes in its Internet Explorer
browser
The so-called "cumulative patch" fixes six
different IE problems ...
Affected browsers include Internet Explorer 5.01,
5.5 and 6.0.
Microsoft rated the potential security breaches
as "critical."

MS announced 20 vulnerabilities on April 13, 2004
!!!
128
Feb 2002 patch addresses

A buffer overrun associated with an HTML
directive ... Hackers could use this breach to
run malicious code on a user's system.
A scripting vulnerability that would let an
attacker read files on a user's systems.
A vulnerability related to the display of file
names ... Hackers could misrepresent the name
of a file ... and trick a user into downloading
an unsafe file.
A vulnerability that would allow a Web page to
improperly invoke an application installed on a
user's system to open a file on a Web site.
more

129
September, 2006 Patch

Microsoft Takes Third Shot at Buggy Security
Patch
Robert McMillan, IDG News Service
Microsoft just can't seem to shake problems with
its MS06-042 update for Internet Explorer.
Microsoft today was forced to release its third
version of the update because of a new security
bug discovered in the update, according to Tony
Chor, a group program manager with Microsoft.

130
September, 2006 Patch

First released on August 8, the critical patch
fixes a handful of problems with the browser, but
it has caused headaches for some users.
Embarrassingly, it also introduced a security
vulnerability into the browser, which was fixed
last month.
"The original release of MS06-042 introduced a
new security vulnerability for IE 6.0 SP1 users
"However... a similar vulnerability was also
discovered in IE5.01 on Windows 2000, IE 6.0 SP1
(in a different location), and the original
release of Windows Server 2003."

131
September, 2006 Patch

Problems Cropped Up Fast
Microsoft customers ran into problems with
MS06-042 soon after it was released.
Web sites that used HTTP (HyperText Transfer
Protocol) 1.1 compression to speed up the
downloading of images could cause the browser to
fail and users of Web-based applications such as
PeopleSoft, Siebel, and Sage CRM had problems
with the software.
Later in August, security researchers at eEye
Digital Security disclosed that Microsoft had
introduced a new critical security vulnerability
in the update. Two days later Microsoft fixed the
eEye bug in the MS06-042 re-release.
Apparently this re-release did not address this
latest but "similar" vulnerability mentioned by
Chor.
Microsoft often re-issues its security updates to
fix minor bugs, but the security issue discovered
by eEye placed a lot more scrutiny on MS06-042.
Ultimately the update proved to be an ordeal for
Microsoft's Security Response Center, and for
Microsoft customers.

132
Browser Security Check
What kind of security are they checking?
http//www.verisign.com/advisor/check.html
133
Very Important Point

Security ? Cryptography

134
Browser security topics

Cookies
Cookie mechanism, JunkBuster, P3P
Privacy
Anonymizer
Mobile code
JavaScript
ActiveX
Plug-ins
Java

135
Basic Browser Session
www.e_buy.com
www.e_buy.com/ shopping.cfm? pID269 item1102030
405
View Catalog
Check out
Select Item
www.e_buy.com/ shopping.cfm? pID269
www.e_buy.com/ checkout.cfm? pID269 item1102030
405
Store session information in URL Easily read on
network
136
Store info across sessions?

Cookies
A cookie is a file created by an Internet site to
store information on your computer

Enters form data
Server
Browser
Stores cookie
Requests cookie
Server
Browser
Returns data
Http is stateless protocol cookies add state
137
Browser Cookie Management

Cookie Ownership
Once a cookie is saved on your computer, only the
Web site that created the cookie can read it.
Variations
Temporary cookies
Stored until you quit your browser
Persistent cookies
Remain until deleted or expire
Third-party cookies
Originates on or sent to another Web site

138
Third-Party Cookies

Yahoo! Privacy Center
Yahoo! sends most of the advertisements you see
However, we also allow third-party ad servers
to serve advertisements
Because your web browser must request these
from the ad network web site, these companies can
send their own cookies to your cookie file ...
Opting Out of Third-Party Ad Servers
If you want to prevent a third-party ad server
from sending and reading cookies on your
computer, currently you must visit each ad
network's web site individually and opt out (if
they offer this capability).

139
Example Mortgage Center
lthtmlgtlttitlegt Mortgage Center lt/titlegtltbodygt
http//www.loanweb.com/ad.asp?RLID0b70at1ep0k9
140
Cookie issues

Cookies maintain record of your browsing habits
Cookie stores information as set of name/value
pairs
May include any information a web site knows
about you
Sites track your activity from multiple visits to
site
Sites can share this information (e.g.,
doubleclick)
Sites using DoubleClick place small graphic that
causes user to request page from DoubleClick
DoubleClick uses cookies to identify you on
various sites
Browser attacks could invade your privacy
08 Nov 2001
Users of Microsoft's browser and e-mail
programs could be vulnerable to having their
browser cookies stolen or modified due to a new
security bug in Internet Explorer (IE), the
company warned today.

141
Managing cookie policy via proxy
Network
Proxy
Browser
Cookie Jar

Proxy intercepts request and response
May modify cookies before sending to Browser
Can do other checks filter ads, block sites, etc.

142
Sample Proxy

Cookie management by policy in cookiefile
Default all cookies are silently crunched
Options
Allow cookies only to/from certain sites
Block cookies to browser (but allow to server)
Send vanilla wafers instead
Block URLs matching any pattern in blockfile
Example pattern /./ad matches
http//nomatterwhere.com/images/advert/g3487.gif

Easy to write your own http proxy you can try
this at home
143
Preserving web privacy

Your IP address may be visible to web sites
This may reveal your employer, ISP, etc.
Can link activities on different sites, different
times
Can you prevent sites from learning about you?
Anonymizer
Single site that hides origin of web request
Crowds
Distributed solution

144
Browsing Anonymizers

Web Anonymizer hides your IP address
What does anonymizer.com know about you?

www.anonymizer.com/ cgi-bin/redirect.cgi?url
Server
Anonymizer
Browser
145
Related approach to anonymity

Hide source of messages by routing them randomly
Routers dont know for sure if the apparent
source of the message is the actual sender or
simply another router
Only secure against local attackers!
Existing systems Freenet, Crowds, etc.

146
Crowds
Reiter,Rubin 98
C
C4
C
C
C3
C
C
C1
C
pf
C2
C0
1-pf
C
C
sender
recipient

Sender randomly chooses a path through the crowd
Some routers are honest, some corrupt
After receiving a message, honest router flips a
coin
With probability Pf routes to the next member on
the path
With probability 1- Pf sends directly to the
recipient

147
What Does Anonymity Mean?

Beyond suspicion
The observed source of the message is no more
likely to be the actual sender than anybody else
Probable innocence
Probability lt50 that the observed source of the
message is the actual sender
Possible innocence
Non-trivial probability that the observed source
of the message is not the actual sender

Guaranteed by Crowds if there are sufficiently
few corrupt routers
148
Something you can try at home

Find out what sites know about you
Anonymizer.com, other sites will tell you what
they can find about your IP address
Many other sites offer this too

www.anonymizer.com
Try Private Surfing FREE! Make your online
activities invisible and untrackable to online
snoops. Just type a URL click GO.
GO
149
Controlling information from web

Data is harmless (?)
Risks come from code received from web
Scripts in web pages
Plug-ins
Applets

Server
Browser
Risk to browser?
150
JavaScript

Language executed by browser
Used in many attacks (to exploit other
vulnerabilities)
Cookie attack from earlier slide (08 Nov 2001)
With the assistance of some JavaScript code,
an attacker could construct a Web page or
HTML-based e-mail that could access any cookie in
the browser's memory or those stored on disk ...
JavaScript runs
Before the HTML is loaded, before the document is
viewed
While the document is viewed, or as the browser
is leaving

151
ActiveX

ActiveX controls reside on client's machine,
activated by HTML object tag on the page
ActiveX controls are not interpreted by browser
Compiled binaries executed by client OS
Controls can be downloaded and installed
Security model relies on three components
Digital signatures to verify source of binary
IE policy can reject controls from network zones
Controls marked by author as safe for
initialization, safe for scripting which affects
the way control used
Once accepted, installed and started, no control
over execution

152
Installing Controls
If you install and run, no further control over
the code.
In principle, browser/OS could apply sandboxing,
other techniques for containing risks in native
code.
153
Risks associated with controls