COS330 2010

Security in Computing Chapter 3: Program Security


Prof HS Venter
hventer@cs.up.ac.za

In this chapter:

Program errors with security implications: buffer overflows, incomplete mediation, time-of-check to time-of-use errors
Malicious code: viruses, worms, Trojan horses
Program development controls against malicious code and vulnerabilities
Controls to protect against program flaws in execution

In this chapter:

A number of questions:
Why do we need security at the program level?
How can we achieve it?
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?

3.1 Secure Programs

What is a secure program?

Possible answers:
A program that takes too long to break through its controls
A program that ran for a period of time without failing
A program that does not have ANY potential fault
A program that conforms to minimal specifications

General definition:
A program in which one has a degree of trust that it enforces the expected confidentiality, integrity and availability

Fixing faults
Which of the following is a better indicator of the security of a piece of software?
Program A: 100 faults discovered and fixed
Program B: 20 faults discovered and fixed
(Neither count settles it: the number of faults found says as much about how buggy the code was, and how hard anyone looked, as about how secure it is now)

What are the problems with penetrate-and-patch testing?
Pressure to repair the specific problem; the wider context is lost
The fault may have non-obvious side effects that are not picked up
Fixing one problem causes a failure somewhere else
Not fixed properly because a proper fix would hamper performance

Unexpected behavior
Expected behavior: the program behaves as intended
Unexpected behavior: a program security flaw
Flaws range from a misunderstanding of the program specification down to a single character coded or typed incorrectly
Flaws can be intended or unintended; both are bad!
No security technique exists that eliminates all flaws
Programs should behave as intended: nothing more, nothing less
Software engineering techniques evolve more rapidly than security techniques

3.2 Nonmalicious Program Errors

Human errors: unintentional
Three classic error types:
Buffer overflows
Incomplete mediation
Time-of-check to time-of-use errors

Buffer overflows
Informal definition: the equivalent of trying to pour two litres of coke into a 500 ml beer glass: some of it spills and causes a sticky mess!
Real definition: access to memory outside the bounds of the original buffer
Example (the deliberate off-by-one from the original slide; the last line writes one element past the end of a ten-element array):

    char sample[10];
    for (int i = 0; i <= 9; i++)
        sample[i] = 'A';   /* indices 0..9 are inside the buffer */
    sample[10] = 'B';      /* index 10 is outside the buffer: this is the overflow */

Figure 3-1: Places Where a Buffer Can Overflow.

Security implications of buffer overflows
Although the flaw may be created unknowingly by a nonmalicious programmer, attackers can exploit it. Examples:
Privilege escalation: placing attacker code where it runs in the operating system's privileged mode
Placing data after the buffer that overwrites what lies beyond it on the stack (such as the stack pointer or saved return address), so that execution is redirected to another place in memory
Passing web parameters that are too long (textbook p. 107)
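The following C program is an added example, not code from the original slides or the textbook. It shows the same out-of-bounds write as the sample[10] snippet, but inside a hypothetical login record whose name buffer is immediately followed by a privilege flag, so the security implication (the overrun changes data that decides what the user may do) becomes visible. The struct layout, the function names and the attack bytes are all assumptions made for the demonstration; the unchecked copy is deliberately capped at the size of the record so that the program stays deterministic, whereas a real overflow keeps writing into whatever follows on the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical login record (an assumption for this example): the name
 * buffer is immediately followed by a privilege flag, so a write that runs
 * past the end of name lands on is_admin. */
struct login_frame {
    char name[8];
    uint32_t is_admin;      /* 0 = ordinary user, nonzero = administrator */
};

/* Unchecked copy: behaves like strcpy()-style code that never compares the
 * input length against sizeof(name). The copy is made into the whole frame
 * so the overrun is visible and deterministic here; a real overflow would
 * continue into whatever follows on the stack. */
void fill_unchecked(struct login_frame *f, const unsigned char *in, size_t len)
{
    f->is_admin = 0;                            /* the caller is NOT an admin */
    if (len > sizeof *f)
        len = sizeof *f;                        /* keep the demo inside the frame */
    memcpy(f, in, len);                         /* no check against sizeof f->name */
}

/* Bounded copy: refuses anything that does not fit together with its NUL. */
int fill_checked(struct login_frame *f, const unsigned char *in, size_t len)
{
    f->is_admin = 0;
    if (len >= sizeof f->name)                  /* would overflow name */
        return -1;
    memcpy(f->name, in, len);
    f->name[len] = '\0';
    return 0;
}

/* Constructed attack input: 8 filler bytes that fill name, then 4 bytes of
 * 0x01 that land on is_admin (nonzero whatever the byte order). */
static size_t attack_input(unsigned char *out, size_t cap)
{
    if (cap < 12)
        return 0;
    memset(out, 'A', 8);
    memset(out + 8, 0x01, 4);
    return 12;
}

/* 1 if the unchecked copy let the input flip the privilege flag. */
int unchecked_escalates(void)
{
    unsigned char in[12];
    size_t n = attack_input(in, sizeof in);
    struct login_frame f;
    fill_unchecked(&f, in, n);
    return f.is_admin != 0;
}

/* 1 if the bounded copy rejected the input and left the flag clear. */
int checked_rejects(void)
{
    unsigned char in[12];
    size_t n = attack_input(in, sizeof in);
    struct login_frame f;
    int rc = fill_checked(&f, in, n);
    return rc == -1 && f.is_admin == 0;
}

int main(void)
{
    printf("unchecked copy flips is_admin: %d\n", unchecked_escalates());
    printf("bounded copy rejects input:    %d\n", checked_rejects());
    return 0;
}
```

The bounded version checks the length before the copy and reserves room for the terminator; the same discipline applies to any fixed-size buffer that receives external data, whether it arrives from a file, a socket or a web parameter.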

Incomplete mediation
Definition: the program does not fully check (mediate) the data it receives, so awkward or invalid input, for example a value too large for its buffer or outside the expected range, is accepted and causes unexpected results
Security implication: unchecked data values
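As an added example (not from the original slides or the textbook), the C code below contrasts a server-side handler that trusts a web form's "qty" parameter with one that mediates it completely. The parameter name, the quantity limits and the price arithmetic are assumptions chosen for the demonstration; the point is that every property of the value (length, character set, sign, range, and what the arithmetic on it can do) is checked on the server, no matter what the form or browser-side script already did.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits the hypothetical order form is supposed to enforce (assumed values). */
#define QTY_MIN        1
#define QTY_MAX        1000
#define QTY_MAX_DIGITS 4

/* Incomplete mediation: the server trusts the "qty" parameter because the
 * web form only ever offered sensible values. atoi() accepts a sign, stops
 * at the first non-digit and has undefined behaviour on overflow, so "-20"
 * and "20abc" both pass straight through. */
int parse_qty_unchecked(const char *s)
{
    return atoi(s);
}

/* Complete mediation: every property of the value is checked here, on the
 * server. Returns 0 and stores the value, or -1 and stores nothing. */
int parse_qty_checked(const char *s, int *out)
{
    if (s == NULL)
        return -1;
    size_t n = strlen(s);
    if (n == 0 || n > QTY_MAX_DIGITS)           /* length bound before any parsing */
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))      /* digits only: no sign, space or junk */
            return -1;
    errno = 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')             /* cannot fail after the digit check; kept as a second line of defence */
        return -1;
    if (v < QTY_MIN || v > QTY_MAX)             /* business rule, not just syntax */
        return -1;
    *out = (int)v;
    return 0;
}

/* Order total in cents, with the same discipline applied to the arithmetic:
 * a negative or huge quantity must not turn into a credit or wrap around.
 * Returns 0 and stores the total, or -1 on invalid input or overflow. */
int order_total_cents(const char *qty_param, long unit_cents, long *total)
{
    int qty;
    if (parse_qty_checked(qty_param, &qty) != 0)
        return -1;
    if (unit_cents < 0 || unit_cents > LONG_MAX / qty)   /* qty >= 1 here */
        return -1;
    *total = unit_cents * qty;
    return 0;
}

int main(void)
{
    int q;
    long t;
    printf("unchecked \"-20\"  -> %d\n", parse_qty_unchecked("-20"));
    printf("checked   \"-20\"  -> rc=%d\n", parse_qty_checked("-20", &q));
    printf("checked   \"20\"   -> rc=%d value=%d\n", parse_qty_checked("20", &q), q);
    printf("total 3 x 1999c   -> rc=%d total=%ld\n", order_total_cents("3", 1999, &t), t);
    return 0;
}
```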

Time-of-check to time-of-use errors
Definition: a serialisation or synchronisation flaw: the condition that was checked is no longer the condition that holds when the result of the check is used
Sculpture example
File access example
Security implication: unauthorised access

Combinations of these three nonmalicious flaws are also possible
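The file access case, as an added C example (not code from the original slides or the textbook, and written for a POSIX/Linux system): the racy pattern checks a path name with access() and then opens the same name, leaving a window in which the name can be re-bound to a different file; the safer pattern opens first and validates the object it actually got. The demonstration builds its own temporary directory under /tmp with a regular file and a symlink to it, which is an assumption about the environment; the function names are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Racy pattern: the check (access) and the use (open) are two separate
 * system calls on a path name, and the name can be re-bound in between. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)                /* time of check */
        return -1;
    /* window: an attacker who controls the directory can replace 'path'
       with a symlink to a file the program may read but the user may not */
    return open(path, O_RDONLY);                /* time of use */
}

/* Safer pattern: open first, then validate the object actually opened via
 * its descriptor. O_NOFOLLOW refuses a symlink at the final path component;
 * fstat() describes the opened file, not whatever the name points to now. */
int open_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        /* not a plain file, or hard-linked elsewhere (a heuristic) */
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained demonstration on a private temporary directory (created
 * here and removed before returning). Returns 1 when the racy open follows
 * the symlink while the checked open accepts only the real file. */
int toctou_demo(void)
{
    char dir[] = "/tmp/toctou.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char file[64], link[64];
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int ok = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            int via_racy    = open_racy(link);      /* follows the link */
            int real_file   = open_checked(file);   /* plain file: accepted */
            int via_checked = open_checked(link);   /* symlink: refused */
            ok = via_racy >= 0 && real_file >= 0 && via_checked < 0;
            if (via_racy >= 0)
                close(via_racy);
            if (real_file >= 0)
                close(real_file);
        }
    }
    unlink(link);
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("checked open resists the symlink swap: %d\n", toctou_demo());
    return 0;
}
```

The general rule the example illustrates: make the check and the use one atomic operation (here, open with O_NOFOLLOW), and perform any further checks on the descriptor you hold rather than on the name you were given. Where the program must act on behalf of a less-privileged user, dropping to that user's privileges before the open removes the incentive for the race altogether.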

3.3 Viruses and other malicious code

Why worry about malicious code?
It can do much harm!
It has been around a long time: as early as 1970
What IS new is the speed with which it spreads and the variety of forms it takes

Malicious code is also known as a rogue program

Kinds of malicious code

Agent (not actually malicious code)
The creator of the malicious code (sometimes unintentionally)

Virus
Can replicate itself
Transient virus: runs only as long as its host runs
Resident virus: remains active in memory (stand-alone)

Trojan horse
Has a nonmalicious primary effect and a malicious secondary effect
Often known to create backdoor(s)

Kinds of malicious code

Logic bomb
Triggers on a certain event; when the trigger is a date or time it is called a time bomb

Trapdoor
Also called a backdoor: an intentional or unintentional method of gaining access to an object

Worm
Like a virus, but spreads copies of itself through a network

Rabbit
Like a virus or worm, with the effect of exhausting resources

Document virus (macro virus)
Uses the macro or scripting facilities integrated into document applications: the "document" carries code that the application's own code library executes

How do viruses spread?

Through activation by a human: running setup.exe
The attacker may have replaced the original setup.exe with one that contains a virus
Through email attachments

Appended viruses
The virus is attached so that it runs as the first instruction of the normal program
After the virus has executed, normal program execution continues, so the user notices nothing

Figure 3-4: Virus Appended to a Program.

How do viruses spread?

Viruses that surround a program
Run both before and after the original program; having the last say lets the virus cover up evidence of its own existence

Integrated viruses and replacements
Woven into the original program, or replacing it entirely
The creator of the virus must know EXACTLY what the structure of the original program looks like

Figure 3-5: Virus Surrounding a Program.

Figure 3-6: Virus Integrated into a Program.

How viruses gain control

Figure 3-7: Virus Completely Replacing a Program.

Homes for viruses

Appealing qualities of a virus (from the virus writer's point of view)
Hard to detect
Not easily destroyed or deactivated
Spreads infection widely
Can reinfect its home program or other programs
Easy to create
Often machine and operating system independent

Where viruses live
One-time execution viruses
Boot sector viruses
Memory-resident viruses

Figure 3-8: Boot Sector Virus Relocating Code.

Virus signatures
The telltale pattern of a virus reveals its signature
A virus scanner can detect, and in some cases remove, a virus from its signature
A virus scanner is only effective if it is kept up to date
Some viruses are detected by storage patterns (the bytes they leave in a file)
Some viruses are detected by execution patterns (the actions they take when run)
Some viruses are detected by transmission patterns (how they spread)
Polymorphic viruses change their stored form from copy to copy, so a fixed signature no longer matches
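An added example in C (not code from the original slides or the textbook) of detection by storage pattern and of why polymorphism defeats it. The "virus body" is a constructed byte string, not executable code, and the host file, the signature length and the single-byte XOR encoding are assumptions chosen so that the program runs offline; a real polymorphic virus also carries a small decoder, which is not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first occurrence of sig inside buf, or -1 if absent. A
 * naive scan is enough to show the idea; real scanners use faster matching
 * over many signatures at once. */
long find_signature(const uint8_t *buf, size_t len,
                    const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len)
        return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return (long)i;
    return -1;
}

/* Constructed stand-in for a virus body (arbitrary bytes, not executable
 * code). The scanner's signature is its first SIG_LEN bytes. */
static const uint8_t BODY[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 0x42, 0x99 };
#define BODY_LEN (sizeof BODY)
#define SIG_LEN  6
#define FILLER   16
#define HOST_LEN (FILLER + BODY_LEN + FILLER)

/* Build a constructed "infected host file": filler, then the body XOR-ed
 * with a per-copy key, then more filler. Key 0 leaves the body unchanged,
 * i.e. a non-polymorphic copy. */
size_t build_host(uint8_t *out, size_t cap, uint8_t key)
{
    if (cap < HOST_LEN)
        return 0;
    memset(out, 0x90, FILLER);
    for (size_t i = 0; i < BODY_LEN; i++)
        out[FILLER + i] = BODY[i] ^ key;
    memset(out + FILLER + BODY_LEN, 0x00, FILLER);
    return HOST_LEN;
}

/* Scan a copy encoded with the given key against the fixed signature.
 * Returns the match offset, or -1 when the storage pattern no longer fits. */
long scan_copy(uint8_t key)
{
    uint8_t host[HOST_LEN];
    size_t n = build_host(host, sizeof host, key);
    return find_signature(host, n, BODY, SIG_LEN);
}

/* Detection that survives the encoding: every copy still contains the same
 * body under some single-byte key, so try each candidate key. This is a
 * crude stand-in for the decryptor emulation a real scanner performs.
 * Returns the key under which the signature matched, or -1. */
int scan_copy_all_keys(uint8_t key)
{
    uint8_t host[HOST_LEN];
    size_t n = build_host(host, sizeof host, key);
    for (int k = 0; k < 256; k++) {
        uint8_t sig[SIG_LEN];
        for (size_t i = 0; i < SIG_LEN; i++)
            sig[i] = BODY[i] ^ (uint8_t)k;
        if (find_signature(host, n, sig, SIG_LEN) >= 0)
            return k;
    }
    return -1;
}

int main(void)
{
    printf("plain copy:        signature at offset %ld\n", scan_copy(0x00));
    printf("polymorphic copy:  signature at offset %ld\n", scan_copy(0x5A));
    printf("all-keys scan:     body found under key 0x%02X\n", scan_copy_all_keys(0x5A));
    return 0;
}
```

The all-keys scan only works because the encoding here is a single-byte XOR; as the encoding space grows, scanners move from matching stored bytes to matching what the code does when it runs (execution patterns), which is why the slide lists more than one kind of pattern.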

Figure 3-9: Recognizable Patterns in Viruses.

Prevention of virus infection
Use only commercial software from trusted vendors
Test all new software on an isolated computer
Open attachments only when you know them to be safe and from a trusted source
Make a recoverable system image and store it safely
Retain backup copies of executable files

Truths and misconceptions about viruses
Viruses can only infect Microsoft Windows: False
Viruses can modify hidden or read-only files: True
Viruses only appear in data/Word/executable files: False
Viruses spread only through disks and email: False
Viruses cannot remain in memory after a complete power off: True, BUT see http://www.freedom-to-tinker.com/?p=1257
Viruses cannot infect hardware: True
Viruses can be malevolent, benign, or benevolent: True

Examples of malicious code
The Brain virus
The Internet Worm
Code Red
Web bugs (tracking cookies)

3.4 Targeted malicious code

Viruses are seen as anonymous code
Targeted malicious code is similar in its results, but targets particular systems or particular applications for particular purposes
Many of the virus writers' techniques apply, but there are also new ones

Trapdoor
Very similar to the anonymous trapdoor, but inserted with good intent and only later used maliciously by attackers, for example trapdoors added for
Integration testing
Error checking

Causes
The original programmers forget to remove them
Intentionally left in the program for testing (the Excel trick)
Intentionally left in the program for maintenance
Intentionally left in the program as a covert means of access

Salami attack
Bits of seemingly useless information (or value) are accumulated until, taken together, they become useful
Examples
Shaving the fractional amount lost when a bank rounds each transaction, and sending it to your own account!
Withdrawing large amounts, up to $10,000.00, from accounts that have reported no activity for very long periods

Rootkits
Malicious code that is VERY good at hiding itself and that runs with root privileges
Example: Sony XCP (extended copy protection)

Privilege escalation
An attack that lets a user who runs programs with low privileges escalate to higher privileges
The attacker can replace a program that runs with high privileges with his own, so that his program runs instead of the original one

Interface illusions
A spoofing attack in which all or part of a web page is false
Also known as phishing attacks

Keystroke logging
Recording all keystrokes
The keystrokes can be sent over the Internet, or recorded by a hardware device that the attacker places (unnoticed) between the keyboard cable plug and the PC and later removes (unnoticed) for analysis

Man-in-the-middle attacks
A malicious program interposes itself between two other programs
Example: the program might intercept the save call, fooling the user into thinking that his work was saved

Timing attacks
Highly sophisticated; normally used in cryptanalysis, measuring the time in machine cycles it takes to encrypt or decrypt, which can depend on the bits of the key (read the textbook for details)

Covert channels
Programs that leak information
A legitimate channel of communication is used, and another form of communication is hidden inside it
Read much more about covert channels in the textbook

Figure 3-12: Covert Channels.

3.5 Controls against program threats

Controls are used to counteract threats
Three types of controls:
Developmental controls
Operating system controls
Administrative controls

Developmental controls
Different skills are needed (from different people) to
Specify the system
Design the system
Implement the system
Test the system
Review the system
Document the system
Manage the system
Maintain the system

Developmental controls
Three fundamental principles of software engineering:
Modularity
Encapsulation
Information hiding

Modularity
Modules should be single-purpose, small, simple and independent
Advantages for security: maintenance, understandability, reuse, correctness, testing
Aim for high cohesion and low coupling

Developmental controls
Encapsulation
Hides a component's implementation details, but not everything: hide what needs to be hidden, show what needs to be shown

Information hiding
The component is treated like a black box
Its inputs and outputs are well defined

Developmental controls
Mutual suspicion
The relationship between two programs in which each acts as if it does not trust the other

Confinement
An untrustworthy program is severely limited in the actions it may take

Genetic diversity
The same idea as "don't keep all your eggs in one basket": without diversity, if one component fails, many or all other components fail too

Developmental controls
Peer reviews
Have your code inspected by peers

Hazard analysis
Systematic techniques intended to expose potentially hazardous system states (exploring what-if scenarios)

Testing
Unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing, black-box testing, white-box testing, independent testing, penetration testing

Developmental controls
Good design
Fault tolerance, policy, design rationale, design patterns

Prediction
Predict the risks involved in building and using the system
More about planning how much to spend

Static analysis
Control flow structure, data flow structure, data structure

Developmental controls
Configuration management
Scrutinises new and changed code for security purposes
Four activities of configuration management:
Configuration identification
Configuration control and change management
Configuration auditing
Status accounting

Lessons from mistakes
Proofs of program correctness (program verification)

Developmental controls
Programming practice conclusions
No technique is sure to prevent erroneous software
There is no silver bullet for software engineering

Standards of program development
Use tried-and-tested ways of development

Process standards
Examine how an organisation does something, not what it does
