Week 6 - Monday



What did we talk about last time?
Quantum cryptography
Non-malicious program errors


Incomplete mediation happens with a
system does not have complete control over
the data that it processes
Example URL:
 http://www.security.com/query.php?date=2012March20

Wrong URL:
 http://www.security.com/query.php?date=2000Hyenas

The HTML generates the URL, but the URL
can be entered manually




For a website, a carelessly altered URL might
just mean a 404 error
For a program, bad data could cause any
number of faults and failures
Malicious attackers could change data or
mount an SQL injection attack to destroy or
reveal database internals
Values should always be checked and
sanitized
It seems like things happen instantly in a computer
Many operations, especially those on files, may be put
into a queue of work
 Imagine you give the OS a data structure with this
command:



File
Command
MyFile.txt
Change byte 4 to 'A'
After it is authorized but before it can be executed,
you change it to:
File
Command
YourFile.txt
Delete file




A program might have a way to access its
private internal data
These access points are called backdoors or
trapdoors
During development, these backdoors can be
really useful for debugging
In production, they cause a security risk,
either because the developers can have
control they shouldn't or because other
attackers can exploit the backdoor

Integer overflow and underflow
 Someone ordered -2 billion oranges?

Unterminated C-style string
 A C-style string ends with the null character ('\0')
 Without the null character, string processing functions
might keep reading (or writing) into memory

Race conditions
 In multi-threaded environments, data can be updated
by multiple threads, leading to inconsistent (and
unpredictable) results





Therac-25 was a radiation therapy machine built by
the Atomic Energy of Canada Limited
It was the successor to the Therac-6 and Therac-20
machines
The machine had low power and high power modes
The low power mode shot a beam directly at the
patient
The high power mode created X-rays by shooting the
beam at a target, spread these X-rays with a
flattening filter, shaped the beam with movable
blocks, and tested the strength of the beam with an Xray ion chamber





In some situations, the high power beam was
activated without the spreader in place
The software and hardware systems did not
catch this particular problem
Over 100 times the intended dose was given
At least 2 people died and there were at least
6 overdoses total
Software bugs actually kill people!





A certain unusual combination of keystrokes had
to happen within 8 seconds
There were no hardware interlocks to prevent
the problem if the user overrode the error code
Error codes were not well-documented and were
displayed as a number
Software was reused from previous models that
did have hardware interlocks
Arithmetic overflow caused safety checks to fail
in some cases




The software/hardware combination had
never been tested before use
Personnel did not believe complaints due to
confidence in the system
Code was not independently reviewed
Errors were easily overridden


Obviously, it’s a problem
It’s very difficult to stop
 You never really know what’s getting installed on
your computer
 You’re downloading thousands of files from the
Internet every day
 Even if you had the source code for every
program, could you catch all the dangerous stuff?

Malicious code has been around since at least
1970
Malicious code (or a rogue program) is our
blanket term for any code that has undesirable
effects that were intentionally designed
 The agent is the person who writes the code
 A virus is a program that can replicate itself and
add malicious code to nonmalicious programs

 A transient virus runs when its host program is
running
 A resident virus lives in memory and can be active
anytime





Terminology is inconsistent
Popular culture tends to call everything a virus
Sometimes we will too, but here are some other terms:
Type
Characteristics
Virus
Attaches itself to a program and propagates copies of itself to other programs
Trojan horse
Contains unexpected, additional functionality
Logic bomb
Triggers action when condition occurs
Time bomb
Triggers action when specified time occurs
Trapdoor
Allows unauthorized access to functionality
Worm
Propagates copies of itself through a network
Rabbit
Replicates itself without limit to exhaust resources
Almost all of these are, by definition, Trojan horses
Worms differ from viruses primarily because they spread across networks



A virus is not dangerous unless it is active
Just having an infected file on your hard drive
won’t cause a problem unless it is accessed
But files get opened all the time
 Programs call other programs
 Just previewing files can be dangerous
 E-mail programs open attachments automatically

How do these viruses infect code?

A virus can be designed so that it
starts running before the real
program does
Virus
Code
+
 Machine code for the virus is inserted
before the machine code for the
beginning of the program
 After the virus runs, it transfers control
to the real program
 The real program runs as if nothing
happened


This kind of virus is easy to write
It is also relatively easy to catch for
antivirus software
Program Code
Virus
Code
Program Code

Another possibility is viruses that surround a program, gaining
control before and after execution
 The code may not be at the beginning and end of the executable, but
that’s how the control flow works

Viruses can also be spread throughout the code
Virus
Code A
Virus
Code
Virus
Code
+
+
Program Code
Program Code
Program Code
Virus
Code B
Infected Program Code



According to the book, the most common
form of virus is a document virus
A document virus is an infected document
(instead of an executable file)
Nevertheless, the macros that can be stored
in Word, Excel, Access, and other similar
complex documents are powerful enough to
cause just as much damage as any other virus

If you are making a virus, the following
characteristics are ideal:







Hard to detect
Difficult to destroy or deactivate
Spreads infection widely
Capable of reinfecting its host or other programs
Easy to create
Machine and OS independent
It’s difficult to make a virus that meets all these
criteria



Many viruses will be executed just once
This could be on running a pirated (and
infected) file
One of the most common avenues of attack
is through an e-mail attachment





The boot sector is the part of a hard drive
that says what code to load to start your OS
The details are technical, but a boot sector
virus is one that is stored in the chain of code
that starts up your whole computer
A virus that can start this early can
circumvent or disable antivirus
It has complete control over your system
It is also not obvious from the file system


Some programs start up and then never really
die
They are low level parts of the OS that need
to keep running
 Sometimes called TSR (terminate and stay
resident)


Because these programs are always running,
they are an attractive home for a virus
Even if you delete the original infected file,
the memory resident virus can replace it



As with everything in security, the assumption is
that attackers do not play by the rules
A virus does not have to live where we expect it
to
A few other places that are sensible:
 Applications
 Libraries
 Compilers (infect programs as you create them)
 Antivirus software

Ken Thompson's seminal paper Reflections on Trusting
Trust:
 He added a backdoor to the Unix login program
 Too easy to trace, so he added a backdoor to the C
compiler to insert the backdoor in any program called
login
 Too easy to trace, so he added a backdoor in the compiler
compiler to insert code that would insert the backdoor in
any program called login
 And so on, and so on…
You can’t trust anything you didn’t completely create
yourself
 Some amount of trust is necessary




Viruses are difficult to detect, but we can still
classify them by the way they change code or
the way they execute
We call these tell-tale signs a signature
Antivirus programs work by searching for
certain signatures in code
At simplest, this is just a particular string of code in
the binary
 Often this code is at the beginning of a program so
that it gets control immediately
 Craftier viruses will put themselves other places that
get jumped to early in execution
 An antivirus program can check:

 The size of a file
 The functioning of the code compared to some standard
 It can look for suspicious execution patterns (weird JUMP
commands)
 The program against a hash digest for the program


Viruses are also suspicious because of the
way they execute
The virus should:
 Spread infection
 Avoid detection
 Cause harm



How do these behaviors look like normal
programs?
How do they look abnormal?
It’s not easy to tell…
Because virus scanners try to match strings in machine
code, virus writers design polymorphic viruses that
change their appearances
 No-ops, code that doesn’t have an impact on execution,
can be used for simple disguises
 Clever viruses can break themselves apart and hide
different parts in randomly chosen parts of code

 Similar to code obfuscation

Advanced polymorphic viruses called encrypting viruses
encrypt parts of themselves with randomly chosen keys
 A scanner would have to know to decrypt the virus to detect it

Virus scanners cannot catch everything
Virus Effect
Virus Cause
 Modify file directory
 Write to executable program file
 Modify directory
 Rewrite data
 Append to data
 Append data to self
 Intercept interrupt by
modifying interrupt
handler address table
 Load self in nontransient memory
area
Infect disks
 Intercept interrupt
 Intercept OS system call
 Modify system file
 Modify ordinary executables
Conceal self
 Intercept system calls
 Classify self as hidden file
Spread infection
 Infect boot sector
 Infect system program
 Infect ordinary program
 Infect data ordinary program reads
Prevent deactivation
 Activate before
deactivating program
 Store copy to reinfect after
deactivation
Attach to executable program
Attach to data or control file
Remain in memory


It is impossible to prevent infection entirely
Some guidelines:
 Use only commercial software acquired from reliable,





well-established vendors
Test all new software on an isolated computer
Open attachments only when you know them to be
safe
Make a recoverable system image and store it safely
Make and retain backup copies of executable system
files
Use virus detectors regularly and update them daily






Viruses can infect only Microsoft Windows
systems
Viruses can modify hidden and read-only
files
Viruses can appear only in data files or only
in programs
Viruses spread only on disks or only
through e-mail
Viruses cannot remain in memory after a
power cycle
Viruses can be malevolent, benign, or
benevolent
False
True
False
False
True, but
so what?
True

The Brain virus is one of the oldest known
 It changed the label of disks it attacked to “BRAIN”
 It was written by two brothers from Pakistan


It copies itself to the boot sector in MS-DOS
It rewrites the system interrupt for disk reading
so that it controls reads
 If you try to look at the boot sector, it will lie to you
about what’s there


Anytime it sees an uninfected disk, it infects it
It doesn’t otherwise do anything malicious
In 1988 Robert Morris, a Cornell graduate
student, wrote an worm that infected a lot of the
Internet that existed at that time
 Serious connectivity issues happened because of
the worm and because people disconnected
uninfected system
 He claimed the point was the measure the size
of the Internet
 The worm’s goal:

1. Determine where it could spread to
2. Spread its infection
3. Remain undiscovered

It tried to find user accounts on the host
machine
 It tried 432 common passwords and compared
their hash to the list of password hashes
 Ideally, this list should not have been visible

It tried to exploit a bug in the fingerd
program (using a buffer overflow) and a
trapdoor in the sendmail mail program
 Both were known vulnerabilities that should have
been patched





Once a target was found, the worm would send
a short loader program to the target machine
The program (99 lines of C) would compile and
then get the rest of the virus
It would use a one-time password to talk to the
host
If the host got the wrong password, it would
break connection
This mechanism was to prevent outsiders from
gaining access to the worm’s code



Any errors in transmission would cause the
loader to delete any code and exit
As soon as the code was successfully
transmitted, the worm would run, encrypt
itself, and delete all disk copies
It periodically changed its name and process
identifier so that it would be harder to spot
The worm would ask machines if they were already
infected
 Because of a flaw in the code, it would reinfect
machines 1 out of 7 times
 Huge numbers of copies of the worm started filling
infected machines

 System and network performance dropped

Estimates of the damage are between $100,000 and
$97 million
 Morris was fined $10,000 and sentenced to 400 hours of
community service

The CERT was formed to deal with similar problems

Code Red appeared in 2001
 It infected a quarter of a million systems in 9 hours
 It is estimated that it infected 1/8 of the systems
that were vulnerable


It exploited a vulnerability by creating a
buffer overflow in a DLL in the Microsoft
Internet Information Server software
It only worked on systems running an MS web
server, but many machines did by default





The original version of Code Red defaced the
website that was being run
Then, it tried to spread to other machines on
days 1-19 of a month
Then, it did a distributed denial of service
attack on whitehouse.gov on days 20-27
Later versions attacked random IP addresses
It also installed a trap door so that infected
systems could be controlled from the outside

Review for exam


Read section 3.2
Finish Assignment 2
 Due tonight!

Start on Project 2