In this chapter:
COS330 2010
Program errors with security implications: buffer overflows, incomplete access control
Malicious code: viruses, worms, Trojan horses
Program development controls against malicious code and vulnerabilities
Controls to protect against program flaws in execution
In this chapter:
A number of questions:
Why do we need security at the program level?
How can we achieve it?
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?
General definition
A program in which one has a degree of trust that it enforces the expected confidentiality, integrity and availability
Fixing faults
Which one of the following is a better indicator of the security of a piece of software?
Program A: Discover 100 faults and fix them
Program B: Discover 20 faults and fix them
Unexpected behavior
Expected behavior: programs behave as intended
Unexpected behavior: program security flaw
Flaws can derive from anything between misunderstanding the program specs and one character coded/typed incorrectly
Flaws can be intended or unintended; both are bad!
No security techniques exist to eliminate all flaws!
Programs should behave as intended: nothing more, nothing less
S/W engineering techniques evolve more rapidly than security
Buffer overflows
Definition: the equivalent of trying to pour two liters of coke into a 500ml beer glass: some of it will spill and cause a sticky mess!
REAL definition: access to memory outside of the original buffer bounds
Example (the last line writes one element past the end of the 10-element array):
    char sample[10];
    for (int i = 0; i <= 9; i++)
        sample[i] = 'A';
    sample[10] = 'B';
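The following C program is an added example (not from the slides or the textbook) that replays the slide's sequence of writes through a bounds-checked store, so the eleventh write is refused instead of spilling past the end of the array. The `struct record` layout with a flag placed behind the buffer is a hypothetical illustration of what an unchecked `sample[10] = 'B'` would land on; the names `store_checked`, `replay_slide_example` and `flag_after_replay` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

#define SAMPLE_LEN 10

/* Hypothetical layout used to show what an overflow would land on: the
 * 10-byte buffer from the slide with a flag placed right behind it.
 * (A real compiler may reorder or pad fields; the point is the neighbour.) */
struct record {
    char sample[SAMPLE_LEN];
    int admin;
};

/* Bounds-checked store: writes c into buf[idx] only if idx < len.
 * Returns 1 when the write was performed, 0 when it was refused. */
int store_checked(char *buf, size_t len, size_t idx, char c)
{
    if (buf == NULL || idx >= len)
        return 0;
    buf[idx] = c;
    return 1;
}

/* Replays the slide's writes through store_checked: ten writes of 'A' at
 * indices 0..9 are accepted and the eleventh write of 'B' at index 10 is
 * refused instead of spilling past the end of the array.
 * Returns the number of refused writes (1 for the slide's sequence). */
int replay_slide_example(void)
{
    struct record r = { {0}, 0 };
    int refused = 0;
    for (size_t i = 0; i <= 9; i++)
        if (!store_checked(r.sample, SAMPLE_LEN, i, 'A'))
            refused++;
    if (!store_checked(r.sample, SAMPLE_LEN, 10, 'B'))
        refused++;
    return refused;
}

/* Returns the value of the flag behind the buffer after the replayed writes.
 * With the checked store it stays 0; the unchecked `sample[10] = 'B'` from
 * the slide would instead write into whatever memory follows the array. */
int flag_after_replay(void)
{
    struct record r = { {0}, 0 };
    for (size_t i = 0; i <= 10; i++)
        store_checked(r.sample, SAMPLE_LEN, i, i < 10 ? 'A' : 'B');
    return r.admin;
}

int main(void)
{
    printf("refused writes: %d, flag after replay: %d\n",
           replay_slide_example(), flag_after_replay());
    return 0;
}
```

The check `idx >= len` is the whole mitigation: every write goes through a function that knows the buffer's length, rather than trusting the index to stay within bounds.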
Incomplete mediation
Definition: providing awkward/invalid data that will be too large to fit into a buffer or cause unexpected results
Security implication: unchecked data values
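As an added example (not the slides' own code), the C program below contrasts an unchecked numeric field with a mediated one. The scenario, a quantity field supplied by a user to an ordering program, and the names `unchecked_quantity`, `validated_quantity`, `order_total_cents` and `MAX_QUANTITY` are this example's assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_QUANTITY 1000L   /* assumed business-rule limit */

/* Unchecked version: atoi() silently accepts signs, leading spaces and
 * trailing junk, so "-5" becomes a negative quantity and "20abc" becomes 20. */
long unchecked_quantity(const char *field)
{
    return field ? atoi(field) : 0;
}

/* Mediated version: every property the rest of the program relies on is
 * checked here. Returns the quantity (0..MAX_QUANTITY) or -1 when rejected. */
long validated_quantity(const char *field)
{
    if (field == NULL || *field == '\0')
        return -1;                                  /* missing or empty field */
    for (const char *p = field; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;                              /* sign, space, letters, '.' */
    errno = 0;
    char *end = NULL;
    long v = strtol(field, &end, 10);
    if (errno == ERANGE || end == field || *end != '\0')
        return -1;                                  /* too large for a long */
    if (v > MAX_QUANTITY)
        return -1;                                  /* outside the allowed range */
    return v;
}

/* Order total in cents, computed only from a mediated quantity;
 * returns -1 when the field was rejected. */
long order_total_cents(const char *quantity_field, long unit_price_cents)
{
    long q = validated_quantity(quantity_field);
    if (q < 0 || unit_price_cents < 0)
        return -1;
    return q * unit_price_cents;
}

int main(void)
{
    /* constructed sample fields */
    const char *samples[] = { "20", "-5", "20abc", "", " 20", "1001" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\": unchecked=%ld validated=%ld\n", samples[i],
               unchecked_quantity(samples[i]), validated_quantity(samples[i]));
    return 0;
}
```

With the unchecked version a negative quantity produces a negative order total, which is exactly the kind of unexpected result the slide warns about; the mediated version rejects the field before it reaches the arithmetic.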
Virus
Can replicate itself
Transient virus: runs as long as its host runs
Resident virus: remains active in memory (stand-alone)
Trojan horse
Has a nonmalicious primary effect and a malicious secondary effect
Often known to create backdoor(s)
Trapdoor
Also called a backdoor: intentional or unintentional method to gain access to an object
Worm
Like a virus, but spreads copies of itself through a network
Rabbit
Like virus/worm with the effect of exhausting resources
Virus signatures
The telltale pattern of a virus reveals its signature
Can be detected and removed in some cases by a virus scanner
A virus scanner is only effective if it is up to date
Some viruses are detected by storage patterns
Some viruses are detected by execution patterns
Some viruses are detected by transmission patterns
Polymorphic virus signatures
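To make the storage-pattern idea concrete, here is an added example (not code from the slides or from any real scanner) of a minimal signature scanner in C. A signature is a byte pattern with a mask, where a mask byte of 0 marks a wildcard position that may hold any value. The signature bytes and the three "files" are constructed dummies, not real malware, and the names `signature_t`, `scan_for_signature` and the `scan_*` helpers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A signature: fixed bytes plus a mask; mask byte 0 means "any value here". */
typedef struct {
    const uint8_t *bytes;
    const uint8_t *mask;
    size_t len;
} signature_t;

/* Returns the offset of the first match in data, or -1 if the signature
 * is absent. Every masked (non-wildcard) byte must match exactly. */
long scan_for_signature(const uint8_t *data, size_t data_len, const signature_t *sig)
{
    if (data == NULL || sig == NULL || sig->len == 0 || data_len < sig->len)
        return -1;
    for (size_t off = 0; off + sig->len <= data_len; off++) {
        size_t k;
        for (k = 0; k < sig->len; k++)
            if (sig->mask[k] != 0 && data[off + k] != sig->bytes[k])
                break;
        if (k == sig->len)
            return (long)off;
    }
    return -1;
}

/* Constructed signature: five bytes with a wildcard in the middle. */
static const uint8_t SIG_BYTES[] = { 0xDE, 0xAD, 0x00, 0xBE, 0xEF };
static const uint8_t SIG_MASK[]  = { 0xFF, 0xFF, 0x00, 0xFF, 0xFF };
static const signature_t DEMO_SIG = { SIG_BYTES, SIG_MASK, 5 };

/* Constructed "files" (dummy bytes, not real malware). */
static const uint8_t FILE_INFECTED[] = { 0x90, 0x90, 0xDE, 0xAD, 0x42, 0xBE, 0xEF, 0xC3 };
static const uint8_t FILE_CLEAN[]    = { 0x90, 0x90, 0xDE, 0xAD, 0x42, 0xBE, 0xEE, 0xC3 };
/* Same structure as FILE_INFECTED but one fixed byte changed: the kind of
 * variation a polymorphic virus introduces, which a byte signature misses. */
static const uint8_t FILE_MUTATED[]  = { 0x90, 0x90, 0xDF, 0xAD, 0x42, 0xBE, 0xEF, 0xC3 };

long scan_infected(void) { return scan_for_signature(FILE_INFECTED, sizeof FILE_INFECTED, &DEMO_SIG); }
long scan_clean(void)    { return scan_for_signature(FILE_CLEAN,    sizeof FILE_CLEAN,    &DEMO_SIG); }
long scan_mutated(void)  { return scan_for_signature(FILE_MUTATED,  sizeof FILE_MUTATED,  &DEMO_SIG); }

int main(void)
{
    printf("infected: %ld  clean: %ld  mutated: %ld\n",
           scan_infected(), scan_clean(), scan_mutated());
    return 0;
}
```

The wildcard absorbs one varying byte, but the mutated file is still missed: this is why a scanner needs up-to-date signatures and why polymorphic viruses push detection towards execution and transmission patterns rather than stored bytes alone.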
Viruses are seen as anonymous code
Targeted malicious code is similar in its results, but targets particular systems or particular applications for particular purposes
Many of the virus writers' techniques apply, but there are also new ones
Trapdoor
Very similar to the anonymous trapdoor, but inserted with good intent and later used maliciously by attackers
Arise during: integration testing; error checking
Causes
Original programmers forget to remove them
Intentionally left in the program for testing (the Excel trick)
Intentionally left in the program for maintenance
Intentionally left in the program as a covert means of access
Salami attack
Small, seemingly insignificant amounts accumulated until they add up to something useful
Examples:
Shaving the fractional amounts lost in rounding bank transactions into your own account!
Withdrawing large amounts, up to $10,000.00, from accounts that have reported no activity for very long periods
Rootkits
A virus that is VERY good at hiding itself and that has root privileges
Example: Sony XCP (extended copy protection)
Privilege escalation
An attack that enables a user who runs programs with low privileges to escalate to higher privileges
The attacker can replace a program that runs with high privileges with his own, so that his program runs rather than the original one
Interface illusions
Spoofing attack in which all or part of a web page is false
Also known as phishing attacks
Keystroke logging
Recording all keystrokes
The strokes can either be sent via the internet, or recorded by a hardware device that the attacker places (unnoticed) between the keyboard cable plug and the PC and removes later (unnoticed) for analysis
Man-in-the-middle attacks
A malicious program interjects itself between two other programs
Example: a program might intercept the save call, fooling the user into thinking that his work was saved
Timing attacks
Highly sophisticated; normally used in cryptanalysis to measure the time, in machine cycles, that it takes to encrypt/decrypt particular bits (read the textbook for details)
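The C program below is an added example (not from the slides or the textbook) of the defensive side of timing attacks: comparing a secret value, such as an authentication tag, in constant time. It counts how many bytes each comparison examines as a stand-in for elapsed machine cycles. The 16-byte tag is constructed, and `compare_variable_time`, `compare_constant_time`, `steps_for_guess` and `guess_matches` are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16

/* Variable-time comparison: returns at the first mismatching byte. The
 * number of bytes examined (reported through *steps, standing in for the
 * elapsed machine cycles) depends on how much of the secret was guessed. */
int compare_variable_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time comparison: examines all n bytes regardless of content and
 * accumulates differences with XOR/OR, so there is no data-dependent early
 * exit for a timing measurement to reveal. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    if (steps) *steps = n;
    return diff == 0;
}

/* Constructed experiment: a fixed 16-byte tag and a guess that is correct
 * up to byte `mismatch_at` (fully correct when mismatch_at >= TAG_LEN). */
static void run_guess(size_t mismatch_at, int constant_time, size_t *steps, int *matched)
{
    uint8_t secret[TAG_LEN], guess[TAG_LEN];
    for (size_t i = 0; i < TAG_LEN; i++) {
        secret[i] = (uint8_t)(0x10 + i);   /* constructed secret tag */
        guess[i]  = secret[i];
    }
    if (mismatch_at < TAG_LEN)
        guess[mismatch_at] ^= 0xFF;        /* first wrong byte of the guess */
    *matched = constant_time
        ? compare_constant_time(secret, guess, TAG_LEN, steps)
        : compare_variable_time(secret, guess, TAG_LEN, steps);
}

/* How many bytes the chosen comparison examined for this guess. */
size_t steps_for_guess(size_t mismatch_at, int constant_time)
{
    size_t steps = 0; int matched = 0;
    run_guess(mismatch_at, constant_time, &steps, &matched);
    return steps;
}

/* Whether the chosen comparison accepted this guess (1) or not (0). */
int guess_matches(size_t mismatch_at, int constant_time)
{
    size_t steps = 0; int matched = 0;
    run_guess(mismatch_at, constant_time, &steps, &matched);
    return matched;
}

int main(void)
{
    for (size_t m = 0; m <= TAG_LEN; m += 4)
        printf("mismatch at %2zu: variable-time steps=%2zu  constant-time steps=%2zu\n",
               m, steps_for_guess(m, 0), steps_for_guess(m, 1));
    return 0;
}
```

With the variable-time compare, the work done grows with the number of correct leading bytes, which is the measurable quantity a timing attack exploits; the constant-time version does the same work for every guess while returning the same accept/reject answer.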
Covert channels
Programs that leak information
Using a certain channel of communication and hiding another form of communication in it
Read much more about covert channels in the textbook
Developmental controls
Different skills are needed (from different people):
Specify the system
Design the system
Implement the system
Test the system
Review the system
Document the system
Manage the system
Maintain the system
Developmental controls
Three fundamental principles of S/W engineering:
Modularity
Encapsulation
Information hiding
Modularity
Single-purpose, small, simple, independent
Advantages for security: maintenance, understandability, reuse, correctness, testing
Cohesion vs coupling
Developmental controls
Encapsulation
Hides a component's implementation details, but not all of them: hide what needs to be hidden, show what needs to be shown
Information hiding
Like a black box: inputs and outputs are well-defined
Developmental controls
Mutual suspicion
The relationship between two programs that act as if they do not trust each other
Confinement
A program that is severely limited in its actions because it is untrustworthy
Genetic diversity
The same idea as "don't keep all your eggs in one basket": without diversity, if one component fails, many/all other components fail too
Developmental controls
Peer reviews
Have your code inspected by peers
Hazard analysis
Systematic techniques intended to expose potential hazardous system states (exploring what-if scenarios)
Testing
Unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing, black-box testing, white-box testing, independent testing, penetration testing
Developmental controls
Good design
Fault tolerance, policy, design rationale, design patterns
Prediction
Predict the risks involved in building and using the system
More about planning how much to spend
Static analysis
control flow structure, data flow structure, data structure
Developmental controls
Configuration management
Scrutinises new and changed code for security purposes
4 activities of configuration management:
Configuration identification
Configuration control and change management
Configuration auditing
Status accounting
Developmental controls
Programming practice conclusions
No technique is sure to prevent erroneous software
No silver bullet for S/W engineering
Process standards
Examine how an organisation does something, not what it does