Transcript Slide 1

Information Security


MALWARE SOFTWARE FLAWS

Supervisor: Trần Thị Quế Nguyệt. Trần Phú 50701818, Nguyễn Vũ Anh Minh 50701475


Bad software

The NASA Mars Lander, which cost $165 million, crashed into Mars due to a software error in converting between English and metric units of measure.

The Denver airport baggage handling system. Bugs in this software delayed the airport opening by 11 months at a cost of about $1 million per day.


Let’s estimate !!!

Assume the number of bugs in software is 5 per 1,000 lines of code (LOC).

Each executable file contains, perhaps, 10,000 LOC.

=> So we get about 50 bugs per executable.

A typical computer might have 3,000 executable files, on average.

=> There are about 150,000 bugs for a single computer.

Continuing: a medium-sized corporate network has 30,000 nodes.

And we get about 4.5 billion bugs in the network.

But don’t worry . . .

Now suppose that only 10% of these bugs are security critical and that only 10% of these security-critical bugs are remotely exploitable.

CONCLUSION:

There are “only” 45 million serious security flaws due to bad software in this network!


SOFTWARE FLAWS

1. Buffer overflow
2. Incomplete mediation
3. Race conditions

Buffer overflow

Define:

In computer programming, a buffer overflow is an anomalous condition where a program somehow writes data beyond the allocated end of a buffer in memory. Buffer overflows usually arise as a consequence of a bug, and they are also a commonly exploited computer security risk.

Buffer overflow

The 1st level: “Stack smashing attacks”

Overflowed data can cause the program, or the computer, to crash.

Trudy could take advantage of this to launch a denial of service (DoS) attack.

Buffer overflow

The 2nd level

The authentication decision resides in a single bit. If a buffer overflow overwrites this authentication bit, then Trudy can authenticate herself as, say, Alice.


Buffer overflow

The 3rd level

* The text section is for code.

* The data section holds static variables.

* The heap is for dynamic data.

* The stack can be viewed as “scratch paper” for the processor. For example, dynamic local variables, parameters to functions, and the return address of a function call are all stored on the stack.

* The stack pointer, or SP, indicates the top of the stack.

Buffer overflow

The 3rd level

    void func(int a, int b) {
        char buffer[10];   /* local variable: lives on the stack, just below the return address */
    }

    int main(void) {
        func(1, 2);        /* the parameters and the return address are pushed on the stack */
        return 0;
    }

Buffer overflow

The 4th level

* First, she may not know the precise address of the evil code she has inserted.

* Second, she may not know the precise location of the return address on the stack.

Stack smashing prevention

Three popular ways:

- Eliminate all buffer overflows from software.

- Detect buffer overflows as they occur and respond accordingly.

- Do not allow code to execute on the stack.

In this section, we’ll briefly discuss each of these options.

Stack smashing prevention

1. Eliminate all buffer overflows from software.

* Using “safe” programming languages such as Java or C# will eliminate most buffer overflows at the source.

Stack smashing prevention

2. Runtime stack checking.

* A specific value, the constant 0x000aff0d, is placed on the stack; that value is called a “canary”. If an overflow reaches the return address, it must first overwrite the canary, so checking the canary before returning detects the overflow.

* Microsoft recently added a canary feature to its C++ compiler. Any program compiled with the /GS compiler flag uses a canary (also called a “security cookie”) in order to detect a buffer overflow.
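As an added illustration of runtime stack checking (this is example code, not from the slides), the C program below simulates a stack frame that holds the slide’s canary constant, an unchecked copy that can smash it, and the bounded copy that eliminates the overflow at the source. The frame layout and the input sizes are this example’s own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The canary constant named on the slide. Its bytes include a NUL and line
 * terminators, which string-copy routines cannot write, so an overflow that
 * arrives through such a routine cannot leave the canary intact. */
#define CANARY 0x000aff0dU

/* Simulated stack frame (an assumption of this example): the local buffer,
 * then the canary that sits between it and the saved return address. */
struct frame {
    char     buffer[10];
    uint32_t canary;
};

/* Emulates what the compiler-inserted check does: plant the canary, let the
 * function body write into the buffer without a length check (as strcpy
 * would), then verify the canary before "returning". Returns 1 if the canary
 * is intact and the return address can be trusted, 0 if the stack was smashed.
 * The copy is clamped to the frame size so this demo itself stays in bounds;
 * the real bug has no such clamp. */
int unchecked_copy_with_canary(const char *input, size_t len)
{
    struct frame f;
    f.canary = CANARY;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);          /* spills past buffer[] once len > 10 */
    return f.canary == CANARY;
}

/* Option 1 from the slides: eliminate the overflow at the source by bounding
 * the copy to the buffer. The canary then always survives. */
int bounded_copy_with_canary(const char *input, size_t len)
{
    struct frame f;
    f.canary = CANARY;
    if (len > sizeof f.buffer)
        len = sizeof f.buffer;       /* drop whatever does not fit */
    memcpy(f.buffer, input, len);
    return f.canary == CANARY;
}
```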


Stack smashing prevention

3. Make the stack non-executable.

* Some hardware (and many operating systems) support the “no execute” or NX bit.

* “Return to libc” (page 35), J. Koziol et al., The Shellcoder’s Handbook, Wiley, 2004.

http://www.mediafire.com/?w4gv972a38et59y


Incomplete Mediation

Example:

http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205

AND

http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25

The only difference is the client-supplied total, which the server accepts without checking it against qty, price and shipping.

- Recent research has revealed numerous buffer overflows in the Linux kernel, and most of these are due to incomplete mediation.

- There are tools available to help find likely cases of incomplete mediation.
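As an added example (not from the slides), a server-side check in C for the order URLs above: it parses the query string and accepts the order only if the client-supplied total matches the total the server recomputes from qty, price and shipping. The parser and the function names are this example’s own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* The two order URLs from the slide, reduced to their query part. Only the
 * client-supplied total differs: 205 is what the items cost, 25 is not. */
#define ORDER_HONEST   "custID=112&num=55A&qty=20&price=10&shipping=5&total=205"
#define ORDER_TAMPERED "custID=112&num=55A&qty=20&price=10&shipping=5&total=25"

/* Find key=value in an '&'-separated query and parse the value as a
 * non-negative integer. Returns 1 on success (value in *out), 0 if the key
 * is absent or the value is malformed. */
static int query_long(const char *query, const char *key, long *out)
{
    size_t klen = strlen(key);
    const char *p = query;
    while ((p = strstr(p, key)) != NULL) {
        int at_key_start = (p == query) || (p[-1] == '&');
        if (at_key_start && p[klen] == '=') {
            char *end;
            long v = strtol(p + klen + 1, &end, 10);
            if (end == p + klen + 1 || (*end != '&' && *end != '\0') || v < 0)
                return 0;            /* empty, trailing junk like "55A", or negative */
            *out = v;
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Complete mediation of the order: the server recomputes the total from the
 * quantity, unit price and shipping it received and accepts the order only
 * if the client's total agrees. Returns 1 if the order is consistent, 0 if
 * it is malformed or the total was altered. */
int order_total_is_valid(const char *query)
{
    long qty, price, shipping, total;
    if (!query_long(query, "qty", &qty) ||
        !query_long(query, "price", &price) ||
        !query_long(query, "shipping", &shipping) ||
        !query_long(query, "total", &total))
        return 0;
    return total == qty * price + shipping;
}
```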


Race conditions

(Electronics + Computing)

1. File systems

2. Networking

3. Life-critical systems

Race conditions were among the flaws in the Therac-25 radiation therapy machine, which led to the death of three patients and injuries to several more.

The Energy Management System provided by GE Energy and used by Ohio-based FirstEnergy Corp.

4. Computer security: TOCTTOU

Race conditions (TOCTTOU)

    /* Victim: checks the name, then opens the name */
    if (access("file", W_OK) != 0) {
        exit(1);
    }
    /* After the access check and before the open, the attacker runs
     *     symlink("/etc/passwd", "file");
     * so "file" now points to the password database */
    fd = open("file", O_WRONLY);
    /* Actually writing over /etc/passwd */
    write(fd, buffer, sizeof(buffer));

Race conditions (TOCTTOU)

- Race conditions are probably fairly common.

- But attacks based on race conditions require careful timing, which makes them much more difficult to exploit than buffer overflows.

- In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.

Race conditions (Prevention)

File names vs. file handles

    /* File names: the check and the use are two separate name lookups */
    if (access("file", W_OK) != 0) {
        exit(1);
    }
    fd = open("file", O_WRONLY);
    write(fd, buffer, sizeof(buffer));

    /* File handles: open once, then check and use the same descriptor */
    fd = open("file", O_WRONLY);
    /* accessat() is the slide's pseudocode for "check the opened handle";
     * there is no standard function of that name, fstat() on fd is the
     * real handle-based check */
    if (accessat(fd, W_OK) != 0) {
        exit(1);
    }
    write(fd, buffer, sizeof(buffer));
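An added, runnable version of the “file handles, not file names” idea (example code, not the slides’ own): the file is opened once, O_NOFOLLOW makes open() refuse a symlink planted at the name, and the checks are made on the descriptor with fstat() instead of on the name with access(). The temporary-directory scenario and the function names are this example’s assumptions.

```c
#define _GNU_SOURCE               /* mkdtemp, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Handle-based write: open() is the only step that resolves the name, and
 * O_NOFOLLOW makes it refuse a symlink planted at that path. Every later
 * check uses the descriptor (fstat), which cannot be redirected after the
 * fact. Returns 0 on success, -1 if the write was refused or failed. */
int write_by_handle(const char *path, const char *buf, size_t len)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                       /* missing, not writable, or a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;                       /* what we opened is not a regular file */
    }
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Constructed scenario (this example's own): a plain file, a stand-in for
 * /etc/passwd, and a symlink named "file" pointing at it, all in a fresh
 * temporary directory. Returns 1 if the plain file is written and the
 * symlinked name is refused, 0 otherwise. */
int demo_handle_vs_name(void)
{
    char dir[] = "/tmp/tocttouXXXXXX";
    char plain[64], passwd[64], link[64];
    int ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(passwd, sizeof passwd, "%s/passwd", dir);
    snprintf(link, sizeof link, "%s/file", dir);
    if (close(open(plain, O_WRONLY | O_CREAT, 0600)) == 0 &&
        close(open(passwd, O_WRONLY | O_CREAT, 0600)) == 0 &&
        symlink(passwd, link) == 0)
        ok = write_by_handle(plain, "data", 4) == 0 &&
             write_by_handle(link, "data", 4) == -1;
    unlink(link); unlink(passwd); unlink(plain); rmdir(dir);
    return ok;
}
```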


MALWARE

AGENDA

1. Malware
2. Future of Malware
3. Example
4. Attack
5. Malware Detection


Malware


Example of malware

1. Brain
2. Morris Worm
3. Code Red
4. SQL Slammer
5. Trojan

Brain


Morris Worm

Disk containing the source code for the Morris Worm held at the Boston Museum of Science

• First internet worm
• Written by Robert Tappan Morris, Cornell University
• Nov 2, 1988
• What can it do?
• Effects

Code Red

• Jul 13, 2001
• Microsoft IIS Server
• Actions depend on the day of the month

SQL Slammer

• A computer worm
• Caused DDoS
• Burned up the available bandwidth on the Internet
• Affected systems

Trojan


Malware Detection

• Signature Detection
• Change Detection
• Anomaly Detection

Future of Malware

• Polymorphic
• Metamorphic

Miscellaneous software-based attacks

• Salami attacks
• Linearization attacks
• Time bombs
• Trusting software