Software Flaws and Malware

Supervising lecturer:
Students:
Hoàng Xuân Nhật Huy
Nguyễn Nam Tiệp
What are software flaws and malware?
- Program flaws (unintentional)
  - Buffer overflow
  - Race conditions
- Malicious software (intentional)
  - Viruses
  - Worms
  - Other breeds of malware
Buffer Overflow
- In the following example, a program has two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-endian integer, B.
- Initially, A contains nothing but zero bytes, and B contains the number 1979.
- Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
- "excessive" is 9 characters long and encodes to 10 bytes including the terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:
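To make the scenario above reproducible, here is an added C example (not part of the original slides) that models A and B as one 10-byte region, performs the unchecked copy the slide describes, and shows the bounded copy that would have refused the string. The layout_t type and the store_*/b_after_* functions are names introduced for this example.

```c
#include <stdint.h>
#include <string.h>

/* Model of the slide's layout: an 8-byte string buffer A followed by a
 * 2-byte big-endian integer B. One flat array keeps the overflow
 * well-defined C, so the outcome is identical on any compiler. */
#define A_SIZE 8
#define B_SIZE 2
typedef struct { uint8_t mem[A_SIZE + B_SIZE]; } layout_t; /* hypothetical type */

static void layout_init(layout_t *l, uint16_t b) {
    memset(l->mem, 0, A_SIZE);                /* A: nothing but zero bytes */
    l->mem[A_SIZE]     = (uint8_t)(b >> 8);   /* B: high byte first      */
    l->mem[A_SIZE + 1] = (uint8_t)(b & 0xFF); /* B: low byte             */
}

static uint16_t layout_read_b(const layout_t *l) {
    return (uint16_t)((l->mem[A_SIZE] << 8) | l->mem[A_SIZE + 1]);
}

/* The flaw: copy string plus terminator with no length check. "excessive"
 * is 10 bytes, so 'e' and '\0' land in B (input sized to fit the model). */
static void store_unchecked(layout_t *l, const char *s) {
    memcpy(l->mem, s, strlen(s) + 1);
}

/* The fix: refuse any string that does not fit in A with its terminator.
 * Returns 0 on success, -1 if refused; A and B are then left untouched. */
static int store_checked(layout_t *l, const char *s) {
    size_t need = strlen(s) + 1;
    if (need > A_SIZE) return -1;
    memcpy(l->mem, s, need);
    return 0;
}

/* B's value after storing s with the unchecked copy (B starts at 1979). */
static uint16_t b_after_unchecked(const char *s) {
    layout_t l; layout_init(&l, 1979); store_unchecked(&l, s);
    return layout_read_b(&l);
}

/* B's value after the checked store, whether it was accepted or refused. */
static uint16_t b_after_checked(const char *s) {
    layout_t l; layout_init(&l, 1979); (void)store_checked(&l, s);
    return layout_read_b(&l);
}
```

With "excessive", the unchecked path leaves B holding 0x6500 (the bytes 'e' and '\0'), i.e. 25856, while the checked path refuses the copy and B stays 1979.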
Race Conditions
- Race conditions are common
- Race conditions may be more prevalent than buffer overflows
- But race conditions are harder to exploit
Critical race conditions and non-critical race conditions
- A critical race occurs when the order in which internal variables are changed determines the eventual state that the state machine will end up in.
- A non-critical race occurs when the order in which internal variables are changed does not alter the eventual state.
Dining philosophers problem
(Figure: dining philosophers diagram, with philosophers and forks numbered 0 to 4)
Solution
- think until the left fork is available; when it is, pick it up;
- think until the right fork is available; when it is, pick it up;
- when both forks are held, eat for a fixed amount of time;
- then, put the right fork down;
- then, put the left fork down;
- repeat from the beginning.
Malware
Types of malware (no standard definition)
- Virus: passive propagation
- Worm: active propagation
- Trojan horse: unexpected functionality
- Trapdoor/backdoor: unauthorized access
- Spyware: steals info, such as passwords
Where do Viruses Live?
- Boot sector
- Memory
- Applications, macros, data, etc.
- Library routines
- Compilers, debuggers, virus checker, etc.
Malware Examples
- Brain virus (1986)
- Morris worm (1988)
- Mac trojan (2001)
- Backdoor through PowerShell (2004)
- Ardamax keylog (2010)
Virus: Brain virus
- First appeared in 1986
- More annoying than harmful
- A prototype for later viruses
- Not much reaction by users
- What it did
  1. Placed itself in boot sector (and other places)
  2. Screened disk calls to avoid detection
  3. Each disk read, checked boot sector to see if boot sector infected; if not, goto 1
- Brain did nothing really malicious
Worm: Morris Worm
- First appeared in 1988
- What it tried to do
  - Determine where it could spread, then…
  - …spread its infection and…
  - …remain undiscovered
- Morris claimed his worm had a bug!
  - It tried to re-infect infected systems
  - Led to resource exhaustion
  - Effect was like a so-called rabbit
Trojan horse: Mac trojan
- Trojan: unexpected functionality
- File icon for freeMusic.mp3:
- For a real mp3, double click on icon
  - iTunes opens
  - Music in mp3 file plays
- But for freeMusic.mp3, unexpected results
- Double click on freeMusic.mp3
  - iTunes opens (expected)
  - “Wild Laugh” (not expected)
  - Message box (not expected)
Backdoor: PowerShell
- A backdoor is a method of bypassing normal authentication, securing unauthorized remote access to a computer.
- Open a port from 0 to 65535.
Spyware: Ardamax
- Records all typed keystrokes, passwords and hidden characters.
- Records a log of all websites visited for all browsers.
- Ardamax Keylogger can upload recorded logs through FTP delivery.
- Record voice from the microphone with real-time compression.