Chapter 3 – Program Security
Section 3.1 Secure Programs
Section 3.2 Nonmalicious Program Errors
Section 3.3 Viruses and Other Malicious Code
In this Section
 Programming errors with security implications
 Malicious Code
Program Development and Controls
 Controls to protect against flaws in execution
 Programs (lots of them)have errors
 How do we keep programs from flaws?
 How do we protect computing resources against
programs that contain flaws?
Secure Programs
 What is a secure program?
 Everyone has there own requirement of secure.
 Part of assessing software quality
 Does it meet security requirements in specification?
(is requirements complete?)
 In general, we often look at quantity and types of
faults for evidence of security (or lack of it). We track
these things.
Who’s Fault is it?
 Finding lots of faults in software early.
 NOT GOOD.
 Early approaches were “Penetrate” and then “Patch”
 NOT GOOD.
 Repairing with a patch is a narrow focus and not the
more important requirements.
 Patches can cause other problems.
 Non obvious side effects
 Fix one places – fails another
 Performance or function suffers
Types of Flaws
 Validation error (incomplete or inconsistent):
permissions checks
 Domain error: controlled access to data
 Serialization and aliasing: program flow order
 Inadequate identification and authentication: basis for
authorization
 Boundary condition violation: failure on first or last
case
 Other exploitable logic errors
Unexpected Behavior
 Unexpected behavior is a program security flaw.
 Does the program behave as it was designed?
 Behavior can be:
 Vulnerability (class of fault)
 Flaw (fault or failure)
 Flaw (human)
 Inadvertent
 Intentional
Nonmalicious Program Errors
 Buffer Overflows
 Excess information provided – overfilling the bucket
 Buffer – space in which data is held (array or string)
char sample[10] or char sample[i]
For (i=0; I<=9; i++)
sample[i] = ‘A’;
sample[10] = ‘B’;
Figure 3-1 Places Where a Buffer Can Overflow.
Nonmalicious Program Errors
 Incomplete Mediation
 Supplying the wrong type of data being requested.
 Supplying the wrong length of data being requested.
 Problem


System Fails
Supply of Bad Data
 Must be checked by programmer
 Client side verses Server Side
 Time-of-Check to Time-of-Use Errors
 Old bait-n-switch
Viruses and Other Malicious Code
 Why worry about it?
 Harm
 What is it?
 Unexpected or undesired effects in program or data
caused by an agent intent on damage.
 Agent is the writer of the code
 Mistakes are not malicious (human error)
 Virus – program that replicates itself to other programs
by altering the program code.


Transient virus – runs when host runs
Resident virus – resides in memory (active as a stand alone)
 Trojan Horse – in addition to primary effect, has a
second, non-obvious malicious effect.
 Passwords
 Logic Bomb – only on a condition
 Time bomb – only at certain time
 Trapdoor (backdoor) – other means of privileged
access; intentional and non-intentional
 Worm – spreads virus via network
 Rabbit – replicates to exhaust recourses
 Viruses can append, surround and integrate
Figure 3-4 Virus Appended to a Program.
Figure 3-5 Virus Surrounding a Program.
Figure 3-6 Virus Integrated into a Program.
Figure 3-7 Virus Completely Replacing a Program.
Viruses (Continued)
 Document Virus
 Within the format of a document
 Macro Virus
 Appealing Qualities for Virus Writers
 Hard to detect
 Not easily destroyed
 Spreads widely
 Re-infects easily
 Easy to create
 Machine and OS independent
Viruses (Continued)
 Where do they live?
 One-Time Execution Virus – come in on EMAIL; these
are popular
 Boot Sector Virus

From the bootsrap (bootup); bootse ctor of the hard disk
Viruses (Continued)
 Where do they live?
 Memory-Resident Viruses


Terminate and Stay Resident (TSR)
Infects Windows System Registry to reload
 Applications
 Macros
 Scripts
 Libraries
 Images
 Documents
Viruses (Continued)
 Virus Signatures
 Viruses are no completely invisible
 They all leave a signature pattern (DNA)
 Patterns are found with Virus Scanners
 Virus patterns





Always at same location
Top of file location
File size grows
Strange code; jump statements
Hash or checksum change (later chapters)
Figure 3-9 Recognizable Patterns in Viruses.
Viruses (Continued)
 Transmission Patterns
 Polymorphic Virus – every changing virus
 Encrypting Virus – tries to hide
 Prevention
 Commercial software applications
 Test all software
 Opening attachments
 Make system images
 Keep copies of executable files and data files
 Virus Detection Software
Viruses (Continued)
 Truths and Misconceptions about Viruses
 Viruses infect only Windows (False)
 Viruses can modify “hidden” or “read-only” files (True)
 Files only appear in executable files (False)
 Viruses spread only on disks or only through EMAIL
(false)
 Viruses cannot remain in memory when power is off
(True/False)
 Viruses can not infect hardware. (True/False)
 Viruses can be malevolent, benign or benevolent (True)