
Program Security

 The heart of application security is programming: keeping programs free from flaws and protecting computing resources from such flaws.
 There are 2 general types of flaw, namely those that compromise data and those that affect service.
 There are 3 types of control:
◦ Development
◦ Operating system
◦ Administrative control.
Control           Purpose                          Benefit
Development       Limit mistakes;                  Produce better software
                  make malicious code difficult
Operating System  Limit access to system           Promotes safe sharing of info
Administrative    Limit actions of people          Improve usability, reusability
                                                   and maintainability
 Malware is a set of instructions that run on a
computer and make the system do something that an
attacker wants it to do.
 Types of malware:
◦ Virus
◦ Worm
◦ Malicious mobile code
◦ Backdoor
◦ Trojan horse
◦ RootKit
 A computer virus is a computer program that can
copy itself and infect a computer without the
permission or knowledge of the user.
 A true virus can only spread from one computer to
another when its host (some form of executable
code) is taken to the target computer, for instance
because a user sent it over a network or the Internet,
or carried it on a removable medium such as a floppy
disk, CD, or USB drive.
 Viruses can increase their chances of spreading to
other computers by infecting files on a network file
system or a file system that is accessed by another
computer.
 Some viruses try to trick anti-virus software by
intercepting its requests to the operating system.
 A virus can hide itself by intercepting the anti-virus
software’s request to read the file and passing the
request to the virus, instead of the OS.
 The virus can then return an uninfected version of
the file to the anti-virus software, so that it seems
that the file is "clean".
 Modern anti-virus software employs various
techniques to counter stealth mechanisms of viruses.
The only completely reliable method to avoid stealth
is to boot from a medium that is known to be clean.
 Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures.
 A signature is a characteristic byte-pattern that is
part of a certain virus or family of viruses.
 If a virus scanner finds such a pattern in a file, it
notifies the user that the file is infected. The user can
then delete, or (in some cases) "clean" or "heal" the
infected file.
 Some viruses modify their code on each infection.
That is, each infected file contains a different variant
of the virus.
 These techniques make detection by means of
signatures difficult but probably not impossible.
 A more advanced method is the use of simple
encryption to encipher the virus.
 If the virus is encrypted with a different key for each
infected file, the only part of the virus that remains
constant is the decrypting module, which would (for
example) be appended to the end.
 In this case, a virus scanner cannot directly detect the
virus using signatures, but it can still detect the
decrypting module, which still makes indirect
detection of the virus possible.
 Polymorphic code was the first technique that posed
a serious threat to virus scanners.
 Just like regular encrypted viruses, a polymorphic
virus infects files with an encrypted copy of itself,
which is decoded by a decryption module.
 In the case of polymorphic viruses, however, this
decryption module is also modified on each
infection.
 A well-written polymorphic virus therefore has no
parts which remain identical between infections,
making it very difficult to detect directly using
signatures.
 Anti-virus software can detect it by decrypting the
viruses using an emulator, or by statistical pattern
analysis of the encrypted virus body.
 To avoid being detected by emulation, some viruses
rewrite themselves completely each time they are to
infect new executables.
 Viruses that use this technique are said to be
metamorphic. To enable metamorphism, a
metamorphic engine is needed.
 A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly language code, 90% of which is part of the metamorphic engine.
Virus Effect                   How it is caused
Attach to executable program    Modify file directory
                                Write to executable program file
Attach to data/control file     Modify directory
                                Rewrite data
                                Append to data
                                Append data to self
Remain in memory                Intercept interrupt by modifying interrupt
                                 handler address table
                                Load self in non-transient memory area
Infect disks                    Intercept interrupt
                                Intercept OS call (to format disk, for example)
                                Modify system file
                                Modify ordinary executable program
Conceal self                    Intercept system calls that would reveal self
                                 and falsify results
                                Classify self as "hidden" file
Spread self                     Infect boot sector
                                Infect systems program
                                Infect ordinary program
                                Infect data ordinary program reads to
                                 control its executable
Prevent deactivation            Activate before deactivating program and
                                 block deactivation
                                Store copy to reinfect after deactivation

Source: Pfleeger & Pfleeger


 A worm is a self-replicating computer program.
 It uses a network to send copies of itself to other
nodes (computers on the network) and it may do so
without any user intervention.
 Unlike a virus, it does not need to attach itself to an
existing program.
 Worms almost always cause at least some harm to
the network, if only by consuming bandwidth,
whereas viruses almost always corrupt or modify files
on a targeted computer.
 Worms spread by exploiting vulnerabilities in
operating systems.
 Many worms that have been created are only
designed to spread, and don't attempt to alter the
systems they pass through.
 However, as the Morris worm and Mydoom showed,
the network traffic and other unintended effects can
often cause major disruption.
 However, some worms carry a payload – a code
designed to do more than spread the worm - it
might delete files on a host system (e.g., the
ExploreZip worm), encrypt files in a cryptoviral
extortion attack, or send documents via e-mail.
 A very common payload for worms is to install a
backdoor in the infected computer to allow the
creation of a "zombie" under control of the worm
author - Sobig and Mydoom are examples which
created zombies.
 All vendors supply regular security updates, and if these are installed on a machine then the majority of worms are unable to spread to it.
 Users need to be wary of opening unexpected email,
and should not run attached files or programs, or
visit web sites that are linked to such emails.
However, as with the ILOVEYOU worm, and with the
increased growth and efficiency of phishing attacks,
it remains possible to trick the end-user into running
malicious code.
 Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention.
 Examples: Java applets, JavaScript scripts, VBScripts,
ActiveX controls, etc.
 Malicious mobile code is mobile code that makes a
system do something that it is not supposed to do.
 Malicious mobile code thrives in networked
environments. A good deal of malicious mobile code
is spread via web browsers.
 Examples of attack: browser hijacking, cross-site
scripting (XSS) attacks, elevated e-mail access, web
bugs, etc.
 A backdoor is a program that allows attackers to
bypass normal security controls on a system, gaining
access on the attacker’s own terms.
 Backdoors could give the attacker many different
types of access, including:
◦ Local escalation of privilege
◦ Remote execution of individual commands
◦ Remote command-line access (remote shell)
◦ Remote control of the GUI
 A trojan is a form of malware that appears to
perform a desirable function but in fact performs
undisclosed malicious functions that allow
unauthorised access to the host machine.
 Example: a program named "waterfalls.scr" serves as
a simple example of a Trojan horse. The author
claims it is a free waterfall screen saver. When
running, it instead unloads hidden programs, scripts,
or any number of commands without the user's
knowledge or consent. Malicious Trojan horse
programs are used to circumvent protection systems,
in effect creating a vulnerable system to allow
unauthorised access to the user's computer.
 A RootKit is a trojan horse backdoor tool that
modifies existing operating system software so that
an attacker can keep access to and hide on a
machine.
 Objectives:
 Gain remote backdoor access
 Mask the attacker's tracks
 Gather sensitive data and network traffic for unauthorised access
 Store other malicious programmes
 RootKits can operate at two different levels, depending
on which software they replace or alter on the target
system.
◦ User-mode RootKits could alter existing binary executables or
libraries on the system. They manipulate the user-level operating
system elements.
◦ Kernel-mode RootKits could alter the kernel of the operating
system itself.
 How rootkits are placed:
 Scanning for vulnerabilities on servers and computers
 Wrapping in software packages
 Through social engineering
 Zero-day attacks

 A rootkit comprises:
 Backdoor programme
 Packet sniffer
 Log wiping
 There are two main types of botnet:
1. Exe-based botnet.
2. HTTP-based botnet.
 Exe-based bots are mainly used for Windows machines.
 Exe-based botnets need to be compiled and built into an exe; a client that runs it will get infected.
 HTTP-based bots are mostly PHP bots and Perl bots.
 They are used together with RFI or SQLi attacks.
 When a site is backdoored with a shell, the attacker uploads a PHP file and runs it; that site will then act as a zombie.

 As with any new class of technology, web applications
have brought with them a new range of security
vulnerabilities.
 Many web applications state that they are secure because
they use SSL. SSL is an excellent technology that protects
the confidentiality and integrity of data in transit between
the user’s browser and the web server.
 However, many web applications are insecure in ways that
have nothing to do with SSL. SSL does not stop attacks
that directly target the server or client components of an
application, as most successful attacks do.
 Stuttard and Pinto (2008) tested hundreds of web
applications during 2006 and 2007, and found that they
were affected by some common categories of vulnerability.
 Broken authentication (67%) – This category of vulnerability encompasses various defects within the application's login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login altogether.
 Broken access controls (78%) – This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users' sensitive data held on the server, or carry out privileged actions.
 SQL injection (36%) – This vulnerability enables an
attacker to submit crafted input to interfere with the
application’s interaction with back-end databases. An
attacker may be able to retrieve arbitrary data from the
application, interfere with its logic, or execute
commands on the database server itself.
 Cross-site scripting (91%) – This vulnerability enables
an attacker to target other users of the application,
potentially gaining access to their data, performing
unauthorised actions on their behalf, or carrying out
other attacks against them.
 Information leakage (81%) – This involves cases
where an application divulges sensitive information
that is of use to an attacker in developing an assault
against the application, through defective error
handling or other behaviour.
 Immature security awareness – There is a less mature level of awareness of web application security issues than there is in longer-established areas such as networks and operating systems.
 In-house development – Most web applications are
developed in-house by an organisation’s own staff or
contractors. They are typically customised or bolted
together using new code. In this situation, every
application is different and may contain its own
unique defects.
 Deceptive simplicity – With today’s web application
platforms and development tools, it is possible for a novice
programmer to create a powerful application from scratch
in a short period of time. But there is a huge difference
between producing code that is functional and code that is
secure. Many web applications are created by well-meaning
individuals who simply lack the knowledge and experience
to identify where security problems may arise.
 Rapidly evolving threat profile – Research into web
application attacks and defences is a thriving area in which
new concepts and threats are conceived at a faster rate than
is now the case for older technologies. A development team
that begins a project with a complete knowledge of current
threats may well have lost this status by the time the
application is completed and deployed.
 Resource and time constraints – Most web
application development projects are subject to strict
constraints on time and resources. In the balancing
of competing priorities, the need to produce a stable
and functional application by a deadline normally
overrides less tangible security considerations.
 Overextended technologies – Many of the core
technologies employed in web applications have
since been pushed far beyond the purposes for which
they were originally conceived. This has led to
security vulnerabilities as unforeseen side effects
emerge.
Core elements:
 Handling user access to the application's data and functionality, to prevent users from gaining unauthorised access.
◦ Authentication, session management, access
control
 Handling user input to the application's functions, to prevent malformed input from causing undesirable behaviour.
◦ Variety of inputs, approaches to input handling,
boundary validation, multistep validation and
canonicalisation
 Handling attackers, to ensure that the application
behaves appropriately when being targeted, taking
suitable defensive and offensive measures to
frustrate the attacker.
◦ Handling errors, maintaining audit logs, alerting
administrators, reacting to attacks
 Managing the application itself, by enabling
administrators to monitor its activities and configure
its functionality.
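The input-handling element above names boundary validation and canonicalisation together because the order matters: a check applied to raw input can be bypassed by an encoded form that only decodes to the rejected value later. The added example below (written for these notes, not code from the slides or from Stuttard and Pinto) assumes a hypothetical download endpoint that takes a `filename` parameter; it canonicalises before validating, shows the naive ordering for contrast, and finishes with the output-encoding step that addresses the cross-site scripting category listed earlier.

```python
import html
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Whitelist for an acceptable file name: starts alphanumeric, then a short run
# of alphanumerics, dot, underscore or hyphen. Constructed for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def canonicalise(value: str) -> str:
    """Reduce input to one canonical form before any validation decision:
    percent-decode until the string stops changing (defeats double encoding),
    then apply Unicode NFKC so full-width and compatibility forms collapse."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return unicodedata.normalize("NFKC", value)


def validate_filename(raw: str) -> Optional[str]:
    """Boundary validation done right: canonicalise, then whitelist.
    Returns the safe name, or None when the input must be rejected."""
    name = canonicalise(raw)
    if "/" in name or "\\" in name or ".." in name:
        return None
    return name if SAFE_NAME.fullmatch(name) else None


def validate_naively(raw: str) -> Optional[str]:
    """The mistake canonicalisation prevents: the blacklist check runs on the
    raw string, and decoding afterwards reintroduces what was rejected."""
    if "/" in raw or ".." in raw:
        return None
    return unquote(raw)


def render_greeting(display_name: str) -> str:
    """Output encoding for an HTML context: escape user-controlled text at the
    point where it is inserted into markup, so it is shown, not executed."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    for sample in ["report.pdf", "%2e%2e%2fetc%2fpasswd", "%252e%252e%2fetc%2fpasswd"]:
        print(repr(sample), "strict:", validate_filename(sample), "naive:", validate_naively(sample))
    print(render_greeting("<script>alert(1)</script>"))
```

The strict path rejects both the single- and double-encoded traversal strings, while the naive path lets the single-encoded one through and decodes it into a path the whitelist would have refused. Multistep validation in the slides' sense means applying the same discipline at every trust boundary, not only at the first one.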
 Software Engineering disciplines
 SDLC—Design, Define, Develop, Do
 Collaborative work teams
 Reviews
 Documentation
 Configuration Management
 Project Management
 Peer reviews
 Hazard analysis
 Testing
 Good design
 Prediction
 Static analysis
 Configuration management
 Analysis of mistakes
Chapter 7: Database Security
