CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security
Lecture 9 - Malware
September 25, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

The Morris Worm
• Robert Morris, a 23-year-old doctoral student from Cornell
• Wrote a small (99-line) program
• November 3rd, 1988
• Simply disabled the Internet
• How it did it
  – Reads /etc/passwd, then tries the obvious choices and a dictionary (/usr/dict/words)
  – Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
  – Tries cracked passwords at related hosts (if necessary)
  – Uses whatever services are available to compromise other hosts
  – Scanned local interfaces for network information
  – Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

Vulnerabilities
• Network daemon vulnerabilities
  – Buffer overflows
  – Insecure programs
  – Remote logins allowed
• User errors
  – Poor passwords
• Administration errors
  – Trust in other machines (hosts.equiv)
• Network information
  – Information about next likely victims (propagation)

Are those vulnerabilities a problem today?
• What was the problem with the threat model at the time of the Morris worm?
• Which of these vulnerabilities are still a problem today?
• Have we fixed the threat model?

Buffer Overflows
• One means by which the bad guys take over a host
  – install rootkits
  – use as spam bots
  – use as zombies
  – launch other attacks
• There are many attacks, but this is the most prevalent
• It all starts with some programmer mistake
  – e.g., bad software
[Diagram: process memory layout from low addresses (0x000...) to high addresses (0xfff...): TEXT, DATA, HEAP, STACK]

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Buffer Overflow
• How it works
[Diagram: a stack frame, from the local variables and buffer up through the return address and function parameters to the previous function's frame; after the overflow, the buffer and return address are replaced by evil code and a new return address pointing into it]

Defenses
• “Canary” on the stack
  – Random value placed between the local vars and the return address
  – If canary is modified, program is stopped
  – Will this address the “basic” buffer overflow?
• Alternative:
  – Non-executable stack
• Are we done?
[Diagram: the same stack frame with a CANARY placed between the local variables and the return address]

Code Injection
• So, the problem is solved then?

Address Space Randomization
• Problem: return-to-libc
• Attack
  – Overflow buffer
  – Instead of running code on stack
  – Call an existing libc function
• Randomization moves function locations to counter this attack

Commercial System Defenses
• Buffer overflow prevention is now common
• Linux
  – StackGuard
  – Non-executable stack
  – Address space randomization (for the stack)
• Windows Vista
  – Data execution prevention
  – Address space randomization (for all code)
  – Change local variable order on stack
  – Verify exception handlers
  – Function pointer obfuscation

Other Ways to Gain Entry
• Unfortunately, there are still lots of attack paths...
• Email attachments
  – Many viruses
• Web
  – Cross-site scripting, JavaScript, flawed plug-ins
• Trojan horse
  – What does that free program do?
• Others?

What do the bad programs do?
• Virus
  – A program that inserts itself into one or more executable files, so that it is executed along with that file
• Worm
  – A program whose code aims to propagate itself to other machines
• Trojan horse
  – A program with an overt (documented) effect and a covert (undocumented) effect (often malicious)
• Rootkits
  – A virus that embeds itself in the trusted computing base of the system in such a way that it cannot be detected

Botnets
• A set of infected systems under the control of one authority
• Usually, to distribute spam
• Purpose of compromise has changed...
• Bots may implement antivirus
• Estimated: 10 million bots
• Botmasters trade/sell
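A model of the stack canary from the Defenses slide, added here as an example and not part of the lecture: the frame layout is simulated with a struct (an assumption for illustration, not how a compiler actually lays out a frame) and the canary is a constructed constant; an unchecked copy past the buffer modifies the canary and the epilogue check catches it, while a bounded copy leaves it intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Frame laid out as the slide draws it (low to high): local buffer, canary,
 * saved return address. StackGuard / -fstack-protector insert the real canary;
 * this struct only models the layout so the check can be shown in isolation. */
#define BUF_SIZE 16
struct frame {
    char     buffer[BUF_SIZE];
    uint64_t canary;       /* random value written when the frame is set up */
    uint64_t return_addr;  /* what a stack overflow ultimately overwrites */
};
/* Constructed fixed canary for reproducibility; real ones come from a CSPRNG. */
static const uint64_t CANARY_VALUE = 0x00E1D2C3B4A59687ULL;
static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);        /* return_addr left 0 as a placeholder */
    f->canary = CANARY_VALUE;
}
/* The programmer mistake: a strcpy-style copy with no bound, starting at the
 * buffer (offset 0). Clamped to sizeof(frame) so the model stays in the struct. */
static void unchecked_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}
/* The fix: a bounded copy that can never reach the canary. */
static void bounded_copy(struct frame *f, const char *src, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buffer, src, n);
    f->buffer[n] = '\0';
}
/* Epilogue check: 1 if the canary is intact, 0 if it was modified (abort). */
static int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }
/* Copy len constructed 'A' bytes into a fresh frame and return the verdict. */
static int run_copy(int bounded, size_t len) {
    char input[64];
    struct frame f;
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', sizeof input);
    frame_init(&f);
    if (bounded) bounded_copy(&f, input, len); else unchecked_copy(&f, input, len);
    return canary_intact(&f);
}
int main(void) {
    const char *verdict[] = { "canary modified, abort", "canary ok" };
    printf("unchecked copy, 5 bytes:  %s\n", verdict[run_copy(0, 5)]);
    printf("unchecked copy, 40 bytes: %s\n", verdict[run_copy(0, 40)]);
    printf("bounded copy, 40 bytes:   %s\n", verdict[run_copy(1, 40)]);
    return 0;
}
```

Filling the buffer exactly (16 bytes) passes the check, while one byte more already changes the canary, which is the contiguous-overwrite case the slide's canary is designed to stop.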