Transcript Chapter 3-2

Chapter 3 – Program Security
Section 3.4 Targeted Malicious Code
Section 3.5 Controls Against Program Threats
In this Section
 Program Threats
 Trapdoors
 Salami Attack
 Privilege Escalation
 Man-in-the-Middle
 Covert Channels
 Controls Against Program Threats
 Modularity
 Mutual Suspicion
 Hazard Analysis
Targeted Malicious Code
 So far we have looked at code written to affect users and
machines indiscriminately
 Targeted Malicious Code – written for a particular
system or application with a particular purpose
 Similar to viruses but with the addition of new
techniques
Trapdoor
 Trapdoor – an undocumented entry point to a module.
 Inserted for code development
 “Hooks” to add additional future enhancements
 Can be legitimate or non-legitimate
 Software Testing
 Unit Testing
 Integration Testing
 Stubs and Drivers – routines that inject information during
testing
 Control Stubs – used to invoke debugging code
 Accidentally left in place
 Poor Error Checking
Trapdoors
 Poorly defined Data
 Incomplete Mediation
 Undefined Opcodes – instructions that have not been
defined for the processor
 Trapdoors can be useful
 Software audits may request trapdoors to be inserted
 Trapdoors should always be documented.
Causes of Trapdoors
 Forgot to remove
 Intentionally for Testing
 Intentionally left for maintenance
 Intentionally left for covert means of access
 Trapdoors are not inherently bad. They do not become faults until the
trapdoor is left open.
 A system is not secure if a trapdoor is present but
unknown to others
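An added example (not from the slides) of the "control stub accidentally left in place" case: a debugging hook inside a login routine is a trapdoor, shown beside a version where the test hook is explicit and documented. Users, passwords and all names are hypothetical.

```python
# Added example, not from the slides: a debugging "control stub" left in a
# login routine is a trapdoor; beside it, a version where the test hook is
# explicit and documented. Users, passwords and names are hypothetical.
import hashlib
import hmac

# Constructed credential store: username -> hex SHA-256 of the password.
# (A real system would use a salted, slow password hash; kept simple here.)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def password_matches(user: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time compare; unknown users compare against "" and fail.
    return hmac.compare_digest(USERS.get(user, ""), digest)


def login_with_trapdoor(user: str, password: str) -> bool:
    """Trapdoor: a stub added so unit tests could skip the password check was
    accidentally left in place. The magic value opens the module for any
    username, which is exactly an undocumented entry point."""
    if password == "TEST-STUB-SKIP":  # control stub that should have been removed
        return True
    return password_matches(user, password)


def login_hardened(user: str, password: str, verifier=password_matches) -> bool:
    """No hidden branch. A test that must bypass the real check injects its own
    verifier at the call site, so the hook is visible, documented, and absent
    from the production code path."""
    return verifier(user, password)
```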
Salami Attack
 Named after the way scrap meat is used to form salami
 Salami Attack – merges seemingly inconsequential bits of
data to yield something important
 Classic Salami Attacks
 Missing ½ cent
 Missing percentage
 Taking a bit from a bunch
 Charging higher fees
 Why do they happen?
 Sometimes programmers just accept small errors
 The code is often too large to search for salami-type errors
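An added example (not from the slides) of the "missing ½ cent" salami pattern and the reconciliation control that catches it: interest is credited to each account rounded to whole cents, and the fraction of a cent dropped per account is checked against what honest rounding can produce. Balances, the rate and all names are constructed for the example.

```python
# Added example, not from the slides: the "missing half cent" salami
# pattern, and a reconciliation control that catches it. Balances and
# the interest rate are constructed sample values; names are hypothetical.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# Constructed ledger: account id -> balance in dollars.
BALANCES = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("250.00"),
    "A-1004": Decimal("4321.09"),
}
RATE = Decimal("0.0375")


def post_interest(balances, rate, rounding=ROUND_HALF_EVEN):
    """Credit interest to each account, rounded to whole cents.

    Returns (posted, residuals): what each account was credited and the
    fraction of a cent the rounding dropped (exact - posted). A salami
    attack silently truncates (ROUND_DOWN) and skims the dropped fractions
    into an account the program's author controls.
    """
    posted, residuals = {}, {}
    for acct, balance in balances.items():
        exact = balance * rate
        posted[acct] = exact.quantize(CENT, rounding=rounding)
        residuals[acct] = exact - posted[acct]
    return posted, residuals


def reconcile(residuals):
    """Control: fair rounding never drops more than half a cent per account,
    so any larger residual means the posting code is not rounding honestly.
    Returns (total_unaccounted, suspect_accounts)."""
    suspects = [a for a, r in residuals.items() if abs(r) > HALF_CENT]
    return sum(residuals.values()), suspects
```

With the constructed ledger, truncation leaves 0.01875 unaccounted for and two accounts exceed the half-cent bound, while round-half-even passes the check.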
Rootkits
 Rootkit – is a piece of malicious code that goes to
great lengths not to be discovered
 If discovered, tries to reestablish itself
 Tries to run itself as “root” on the system (UNIX
administrator)
 Resides between user and OS
 Intercepts commands in order to keep itself hidden
 Rootkit Revealer – program written to reveal rootkits
 XCP rootkit – used to help prevent copying of music
Others
 Privilege Escalation Attack – a means for malicious
code to be launched by a user with lower privileges but
run with higher privileges
 Interface Illusions – a spoofing attack in which all
or part of a web page is false
 Keystroke Logging – keeps a copy of every key
pressed
 Man-in-the-Middle Attack – a malicious program exists
between two programs
 Timing Attack – identify how fast something happens
Covert Channels
 Communicating information to people/systems that
should not have it
 Unnoticed communication that accompanies other
information
 Data written to a drive, sent across a network, placed in a
file or printout
 Storage Channel – passes information based on presence
or non-presence of data
 File Lock Channel – lock or non-lock of a file
 Timing Channels – varying speed in the system or not using
assigned computational time
Controls Against Program Threats
 Development of Controls
 Specify the system
 Design the system
 Implement the system
 Test the system
 Review the system at various stages
 Document the system
 Manage the system
 Maintain the system
 Typically no one person does all of these
Designing Secure and Usable
Systems
 You can’t retrofit usable security
 Tools aren’t a solution
 Mind the upper layers
 Keep the customers satisfied
 Think locally; act locally
Modularity
 Small self-contained units
 Modularity
 Isolates
 Hides
 Keep it isolated from the effects of other components
 Encapsulation – is isolation
 Information Hiding – each component hides its
precise implementation or some other design decision
from the others.
Modularization
 Process of dividing into subtasks
 Goal of Modular Units
 Single-purpose
 Small
 Simple
 Independent
 Advantages of Modularity
 Maintenance
 Understandability
 Reuse
 Correctness
 Testing
Modularity
 High Cohesion
 All the elements of a component have a logical and
functional reason for being there
 Low Coupling
 The degree with which a component depends on other
components in the system
 Encapsulation – does not mean complete isolation
 Information Hiding – a “black box” approach
Mutual Suspicion
 Programs are not always trustworthy
 Mutual suspicion – each program operates as if other
routines in the system were malicious or incorrect
 Confinement – a program is strictly limited in which
system resources it can access
Peer Reviews
 Peer review
 Hazard analysis
 Testing
 Good design
 Predictions
 Static analysis
 Configuration management
 Analysis of mistakes
Types of Peer Review
 Review – presented formally
 Walk-Through – creator leads and controls the
discussion
 Inspection – formal detailed analysis
 Finding a fault and dealing with it:
 By learning how, when, and why errors occur
 By taking action to prevent mistakes
 By scrutinizing products to find the instances and
effects of errors that were missed.
Hazard Analysis/Testing
 Hazard Analysis – set of systematic techniques to expose potentially hazardous system
states.
 Hazards and Operability Studies
 Failure Modes and Effects Analysis
 Fault Tree Analysis
 Testing
 Unit Testing
 Integration Testing
 Function Testing
 Performance Testing
 Acceptance Testing
 Installation Testing
 Regression Testing
 Black-box Testing
 Clear-box Testing
 Independent Testing
 Penetration Testing
Good Design
 Using a philosophy of fault tolerance
 Having a consistent policy for handling failures
 Capturing the design rationale and history
 Using design patterns
 Passive fault detection – waiting for a system to fail
 Active fault detection – construct a system that
reacts to a failure
Good Design
 Handling Problems
 Retrying – restoring the system to a previous state and trying
again
 Correcting – restoring the system to a previous state and
correcting some system characteristic before trying
again
 Reporting – restoring the system and reporting the failure, but not trying again
Configuration Management
 Who is making the changes
 Corrective change
 Adaptive change
 Perfective change
 Preventive change
 Configuration Management – is the process by which we
control changes during development and maintenance
 Configuration identification
 Configuration control and change management
 Configuration auditing
 Status accounting