Transcript Chapter 3-2
Chapter 3 – Program Security
Section 3.4 Targeted Malicious Code
Section 3.5 Controls Against Program Threats
In this Section
Program Threats
Trapdoors
Salami Attack
Privilege Escalation
Man-in-the-Middle
Covert Channels
Controls Against Program Threats
Modularity
Mutual Suspicion
Hazard Analysis
Targeted Malicious Code
So far we have looked at code written to affect users and
machines indiscriminately
Targeted Malicious Code – written for a particular
system or application with a particular purpose
Similar to viruses but with the addition of new
techniques
Trapdoor
Trapdoor – an undocumented entry point to a module.
Inserted for code development
“Hooks” to add additional future enhancements
Can be legitimate or non-legitimate
Software Testing
Unit Testing
Integration Testing
Stubs and Drivers – routines that inject information during
testing
Control Stubs – used to invoke debugging code
Accidentally left in place
Poor Error Checking
Trapdoors
Poorly defined Data
Incomplete Mediation
Undefined Opcodes – instructions that have not been
defined for the processor
Trapdoors can be useful
Software audits may request trapdoors to be inserted
Trapdoors should always be documented.
Causes of Trapdoors
Forgot to remove
Intentionally for Testing
Intentionally left for maintenance
Intentionally left for covert means of access
Trapdoors are not bad in themselves. They become faults only
when the trapdoor is not shut.
A system is not secure if a trapdoor is present but
unknown by others
Salami Attack
Named after the way scrap meat is used to form salami
Salami Attack – merges seemingly inconsequential bits of
data to yield something important
Classic Salami Attacks
Missing ½ cent
Missing percentage
Taking a bit from a bunch
Charging higher fees
Why do they happen?
Sometimes programmers simply accept small errors
Code is often too large to search for salami-type errors
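The "missing ½ cent" attack above is easiest to see in a ledger that truncates interest instead of rounding it. The following added example (not part of the original lecture; the balances and the 6% rate are constructed) posts monthly interest under both rounding modes and runs the reconciliation check an auditor would use: the total discrepancy between exact and posted amounts, and whether every rounding residue favours the same side, which is the fingerprint of a salami slice.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.06")   # 6% per year, credited monthly (constructed)

# Constructed sample balances for one posting run
BALANCES = [Decimal(b) for b in ("1234.56", "2500.00", "789.01",
                                 "10000.00", "4321.09", "650.70")]


def exact_interest(balance):
    """Full-precision monthly interest before it is cut to whole cents."""
    return balance * ANNUAL_RATE / 12


def post_interest(balance, rounding):
    """What the ledger actually credits. ROUND_DOWN silently drops the
    fraction of a cent (the salami slice); ROUND_HALF_EVEN is the honest mode."""
    return exact_interest(balance).quantize(CENT, rounding=rounding)


def audit(rounding):
    """Reconcile posted credits against the exact amounts.

    Returns (discrepancy, one_sided): discrepancy is the total of exact minus
    posted over the run; one_sided is True when every non-zero residue has the
    same sign, i.e. rounding never favours the customer. Honest rounding produces
    residues of both signs that largely cancel; truncation never does."""
    residues = [exact_interest(b) - post_interest(b, rounding) for b in BALANCES]
    nonzero = [r for r in residues if r != 0]
    discrepancy = sum(residues, Decimal(0))
    one_sided = bool(nonzero) and (all(r > 0 for r in nonzero)
                                   or all(r < 0 for r in nonzero))
    return discrepancy, one_sided


if __name__ == "__main__":
    for name, mode in (("truncating", ROUND_DOWN), ("half-even", ROUND_HALF_EVEN)):
        disc, flag = audit(mode)
        print(f"{name:10s} discrepancy={disc:+.4f} one-sided={flag}")
```

On a real ledger the same check is run over the whole posting run: a discrepancy that grows linearly with the number of accounts, with all residues of one sign, is the signal to investigate.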
Rootkits
Rootkit – a piece of malicious code that goes to
great lengths to avoid being discovered
If discovered, tries to re-establish itself
Tries to run itself as “root” on the system (UNIX
administrator)
Resides between user and OS
Intercepts commands in order to keep itself hidden
Rootkit Revealer – program written to reveal rootkits
XCP rootkit – used to help prevent copying of music
Others
Privilege Escalation Attack – a means for malicious
code to be launched by a user with lower privileges but
run with higher privileges
Interface Illusions – a spoofing attack in which all
or part of a web page is false
Keystroke Logging – keeps a copy of every key
pressed
Man-in-the-Middle Attack – a malicious program sits
between two programs
Timing Attack – identifies how fast something happens
Covert Channels
Communicating information to people/systems that
should not have it
Unnoticed communication that accompanies other
information
Data written to a drive, sent across a network, placed in a
file or printout
Storage Channel – passes information based on the presence
or absence of data
File Lock Channel – whether or not a file is locked
Timing Channels – varying the speed of the system or not using
its assigned computational time
Controls Against Program Threats
Development of Controls
Specify the system
Design the system
Implement the system
Test the system
Review the system at various stages
Document the system
Manage the system
Maintain the system
Typically it is not one person that does all of these
Designing Secure and Usable
Systems
You can’t retrofit usable security
Tools aren’t a solution
Mind the upper layers
Keep the customers satisfied
Think Locally; act locally
Modularity
Small self-contained units
Modularity
Isolates
Hides
Keep each component isolated from the effects of other components
Encapsulation – is isolation
Information Hiding – each component hides its
precise implementation or some other design decision
from the others.
Modularization
Process of dividing into subtasks
Goal of Modular Units
Single-purpose
Small
Simple
Independent
Advantages of Modularity
Maintenance
Understandability
Reuse
Correctness
Testing
Modularity
High Cohesion
All the elements of a component have a logical and
functional reason for being there
Low Coupling
The degree with which a component depends on other
components in the system
Encapsulation – does not mean complete isolation
Information Hiding – a “black box” approach
Mutual Suspicion
Programs are not always trustworthy
Mutual suspicion – each program operates as if other
routines in the system were malicious or incorrect
Confinement – a program is strictly limited in which
system resources it can access
Peer Reviews
Peer review
Hazard analysis
Testing
Good design
Predictions
Static analysis
Configuration management
Analysis of mistakes
Types of Peer Review
Review – presented formally
Walk-Through – creator leads and controls the
discussion
Inspection – formal detailed analysis
Finding a fault and dealing with it:
By learning how, when, and why errors occur
By taking action to prevent mistakes
By scrutinizing products to find the instances and
effects of errors that were missed.
Hazard Analysis/Testing
Hazard Analysis – set of systematic techniques to expose potentially hazardous system
states.
Hazards and Operability Studies
Failure Modes and Effects Analysis
Fault tree analysis
Testing
Unit Testing
Integration Testing
Function Testing
Performance Testing
Acceptance Testing
Installation Testing
Regression Testing
Black-box Testing
Clear-box Testing
Independent Testing
Penetration Testing
Good Design
Using a philosophy of fault tolerance
Having a consistent policy for handling failures
Capturing the design rationale and history
Using design patterns
Passive fault detection – waiting for a system to fail
Active fault detection – construct a system that
reacts to a failure
Good Design
Handling Problems
Retrying – restoring the system to a previous state and trying
again
Correcting – restoring the system to a previous state and
correcting some system characteristic before trying
again
Reporting – restoring the system and reporting the failure, but not trying again
Configuration Management
Who is making the changes
Corrective change
Adaptive change
Perfective change
Preventive change
Configuration Management – the process by which we
control changes during development and maintenance
Configuration identification
Configuration control and change management
Configuration auditing
Status accounting