Infected: Dissection of two software vulnerabilities and what you can do to protect yourself

Xinming Ou, Dustin Seabourn
Computing and Information Sciences Department, Kansas State University
Oct 5, 2009, IT Security Training, Kansas State University

Slide 2: We all hear of computer malware
• Viruses, worms, bots, rootkits, spyware, …
  – Malware is just computer programs with malicious intent (Malicious softWare)
• But how do they get onto your computer?

Slide 3: First path: You installed them!
• Common-sense Test 1:
  – You got an email with the subject line “You received a greeting card from Hallmark!” and an attachment file “Card.jpg .exe”.
  – Should you open the attachment?

Slide 4: First path: You installed them!
• Common-sense Test 2:
  – You browsed to the website of company “Wonderful” and wanted to watch a video posted there. When you clicked the link, a window popped up which said: “In order to view this movie, you need to install the Wonderful video player provided by company Wonderful.”, and there were two buttons below: “Install” and “Cancel”.
  – Which button would you click?

Slide 5: First path: You installed them!
• Common-sense Test 3:
  – You wanted to install a free PDF printer driver found on the Web. At the beginning of the installation, a license agreement dialog popped up and there is this sentence in the agreement: “In installing this software, you agree that a browser toolbar will be installed which will collect certain usage information…”.
  – Do you want to agree to the EULA?

Slide 6: Key Points
• When you run a program, you are essentially giving out everything you can do on your computer to the program.
  – It is like giving out your house key to somebody and waiting for him to return the key to you when he is done!
  – If you want to run a program, you had better have the same kind of trust in the program as you would for someone you want to give your house key to.

Slide 7: Second path: You are hacked!
• Common-sense Test 4:
  – You got an email with the subject line “You received a greeting card from Hallmark!” and an attachment file “Card.jpg”.
  – Should you open the attachment?

Slide 8: Second path: You are hacked!
• Common-sense Test 5:
  – In light of the death of Michael Jackson, you searched the Web for his songs. You found one at a website with a link to a music file which can be opened by your music player.
  – Should you open the music file?

Slide 9: Second path: You are hacked!
• Common-sense Test 6:
  – You went to a website on which there is a link to something you are interested in.
  – Should you click on that link?

Slide 10: Key Points
• You can get malware even without invoking a malicious executable file.
  – There may be vulnerabilities in your computer’s software: the operating system or applications.
  – Software vulnerabilities can be exploited when exposed to malicious input.
• If a vulnerable but otherwise benign program receives a malicious input, it can cause malicious code to be executed with your privilege.

Slide 11: Demonstration

Slide 12: Drive-by Download
• What you have just seen is called “drive-by download”.
  – Your computer gets compromised while browsing the Web through a vulnerability in the browser, one of its plugins, or some other program that is invoked automatically on downloaded files.
• A successful exploit gives an attacker full privilege on a computer, who can then
  – change your computer’s settings
  – install other malicious programs
  – steal your personal information
  – use your computer to attack other computers
  – and many more…

Slide 13: Perhaps we shall stay at “good” websites?
1.3% of the incoming search queries to Google’s search engine returned at least one malicious URL in the result page. (Provos et al., 2008)

Slide 14: How about anti-malware software?
[Chart from Provos et al., 2008]

Slide 15: There is a theoretical limit on how well you can detect malicious content
[Figure: Turing machine, 1936. Mathematical model of computing.]
[Figure: The von Neumann architecture, 1945. Prevailing model of modern computers, which to some degree is an implementation of the Turing Machine.]

Slide 16: The difficulty of detecting malware automatically
• Undecidability of the Halting Problem:
  – No Turing Machine can figure out the behavior of an arbitrary Turing Machine.
• Implication for us:
  – There can be no general mechanized process for determining what a piece of code may do.
• That’s why no anti-malware system can be both sound and complete!

Slide 17: What we can do to reduce the risk
• Keep your software up-to-date.
• Do not browse the web until you have updated your system.
• Having some anti-malware system could help reduce the attack surface.
  – But do not think you are safe and can do whatever you want.
• Think twice before you click!

Slide 18: Thank you! Questions?

Slide 19: Total number of vulnerabilities reported in NVD
[Chart]

Slide 20: How can you be hacked? #1
Affected program: all service programs that accept incoming network connections, e.g. your computer’s OS.
If one of these programs has a vulnerability, a remote attacker can gain full privilege on the computer, i.e. he can do whatever he wants on the computer.

Slide 21: Mitigation of remote service exploit
Firewall: A firewall can restrict access to the vulnerable service, but only if you know where the bad guys may come from. It also gives you a centralized place to control which program is allowed to accept incoming network connections.
If an unpatched Windows machine is exposed to the Internet, it can be infected in just minutes, which is much shorter than the time it takes to download and install all the updates!

Slide 22: User-assisted vulnerability
Affected program: all user-invoked programs that may be exposed to malicious input, e.g. pretty much everything!
If one of these programs has a vulnerability and is exposed to a maliciously crafted input, a remote attacker can gain full privilege on the computer, i.e. he can do whatever he wants on the computer.
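To make the point of the Key Points and User-assisted vulnerability slides concrete, here is an added example (not from the talk) of the parsing code a benign greeting-card viewer might contain, with the kind of defect described, a length field read from the file and trusted without a bounds check, beside a hardened version that validates every field. The record format (“CARD” magic, one-byte title length, title bytes), the sample records and all function names are constructed for illustration.

```c
/* Added example, not from the slides. Constructed record format:
 * 4-byte magic "CARD", 1-byte title length, then the title bytes.
 * The viewer copies the title into a fixed 32-byte buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TITLE_MAX 32

/* The defect the talk describes: the length byte comes from the file, but
 * nothing checks it against the buffer, so a crafted file makes memcpy write
 * past 'title' and the viewer misbehaves with the user's own privilege.
 * Kept only for contrast; it is never called. */
void parse_title_unchecked(const uint8_t *rec, size_t rec_len, char *title) {
    uint8_t len = rec[4];            /* attacker-controlled value */
    memcpy(title, rec + 5, len);     /* up to 255 bytes into a 32-byte buffer */
    title[len] = '\0';
    (void)rec_len;                   /* the record size is never consulted */
}

/* Hardened version: validate every field before trusting it.
 * Returns the title length, or -1 if the record is malformed. */
int parse_title_checked(const uint8_t *rec, size_t rec_len,
                        char *title, size_t title_cap) {
    if (rec == NULL || title == NULL || title_cap == 0) return -1;
    if (rec_len < 5 || memcmp(rec, "CARD", 4) != 0) return -1; /* header present? */
    size_t len = rec[4];
    if (len >= title_cap) return -1;      /* must leave room for the terminator */
    if (rec_len - 5 < len) return -1;     /* declared length must fit the record */
    memcpy(title, rec + 5, len);
    title[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs. */
static const uint8_t good_card[] = { 'C','A','R','D', 5, 'H','e','l','l','o' };
/* Claims a 200-byte title but carries only 3 bytes: rejected by the checks. */
static const uint8_t evil_card[] = { 'C','A','R','D', 200, 'x','y','z' };

/* Returns 0 when the valid record parses and the crafted one is rejected. */
int demo(void) {
    char title[TITLE_MAX];
    int ok  = parse_title_checked(good_card, sizeof good_card, title, sizeof title);
    int bad = parse_title_checked(evil_card, sizeof evil_card, title, sizeof title);
    return (ok == 5 && strcmp(title, "Hello") == 0 && bad == -1) ? 0 : 1;
}
```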