CSC 474/574 Information Systems Security
Dr. Peng Ning, Computer Science

Topic 6.1 Malicious Logic

Outline
• Malicious logic
  – Trojan horses
  – Computer viruses
  – Worms
  – Rabbits and bacteria
  – Logic bombs
• Defenses against malicious logic

An Introductory Example
• Assume the following UNIX script is named ls and is placed in a directory.
• Assume “.” is in the path environment.
• What happens if the user tries to ls this directory?

    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*

• A malicious logic is a set of instructions that cause a site’s security policy to be violated.

Trojan Horses
• A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.
• [Figure: Principal A executes program “Goodies”, which contains a Trojan horse. The Trojan horse reads File F (ACL: A:r, A:w) and writes File G (ACL: B:r, A:w), so A’s data becomes readable by B.]

Computer Viruses
• A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.
• Two phases
  – Insertion phase
    • The virus inserts itself into a file (or files)
  – Execution phase
    • The virus executes

Computer Viruses (Cont’d)
• Boot sector infectors
  – The boot sector is the part of a disk used to bootstrap the system.
  – Code in a boot sector is executed when the system “sees” the disk for the first time.
  – Example: the Brain virus
    1. Move the disk interrupt vector 13H to 6DH
    2. Set 13H to invoke the Brain virus
    3. Load the original boot sector

Boot Sector Infector (Cont’d)
• Infecting disks
  1. Copy the old boot sector to an alternative place;
  2. Insert itself into the boot sector.
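The introductory example above works only because “.” (or an empty entry, which the shell treats the same way) sits in PATH ahead of the real /bin. The following Python script is an added example, not part of the slides: it audits a PATH value for the entries that make such shadowing possible and mimics the shell's left-to-right command lookup on a constructed directory layout. The PATH string SAMPLE_PATH, the directory names and the two stand-in `ls` scripts are all constructed for the demonstration; the planted file only echoes a string.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, List, Optional

# Constructed PATH value for the demonstration; it is not taken from the slides.
SAMPLE_PATH = ".:/usr/local/bin::/usr/bin:/tmp:../bin"


def dir_is_world_writable(directory: str) -> bool:
    """True if 'other' has write permission on the directory (real stat call)."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def risky_path_entries(path_value: str,
                       is_world_writable: Callable[[str], bool] = dir_is_world_writable
                       ) -> List[str]:
    """Flag PATH entries that let a planted file shadow a system command.

    Three conditions are checked, in order: the current directory ('.' or an
    empty entry, which the shell also treats as '.'), any other relative entry
    (resolved against whatever the current directory happens to be), and a
    directory anyone can write to. The permission check is injectable so the
    audit can run against a stub in tests.
    """
    findings: List[str] = []
    for position, entry in enumerate(path_value.split(os.pathsep)):
        if entry in ("", "."):
            findings.append(f"entry {position} is the current directory ({entry!r})")
        elif not os.path.isabs(entry):
            findings.append(f"entry {position} is relative ({entry!r})")
        elif is_world_writable(entry):
            findings.append(f"entry {position} is world-writable ({entry})")
    return findings


def resolve_command(name: str, path_value: str, cwd: str) -> Optional[str]:
    """Mimic the shell's lookup: the first PATH directory (left to right) that
    holds an executable file with this name wins; relative entries are resolved
    against cwd. Returns the full path, or None if nothing matches."""
    for entry in path_value.split(os.pathsep):
        directory = entry or "."
        candidate = os.path.normpath(os.path.join(cwd, directory, name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout: a trusted bin directory with its own 'ls', and a
    working directory holding a planted 'ls' (a harmless stand-in that only
    echoes a string). Which one runs depends solely on where '.' sits in PATH."""
    root = tempfile.mkdtemp()
    trusted_bin = os.path.join(root, "bin")
    workdir = os.path.join(root, "work")
    os.makedirs(trusted_bin)
    os.makedirs(workdir)
    trusted_ls = os.path.join(trusted_bin, "ls")
    planted_ls = os.path.join(workdir, "ls")
    for path, text in ((trusted_ls, "#!/bin/sh\necho real ls\n"),
                       (planted_ls, "#!/bin/sh\necho planted\n")):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o755)
    return {
        "trusted": trusted_ls,
        "planted": planted_ls,
        "dot_first": resolve_command("ls", os.pathsep.join([".", trusted_bin]), workdir),
        "dot_last": resolve_command("ls", os.pathsep.join([trusted_bin, "."]), workdir),
        "no_dot": resolve_command("ls", trusted_bin, workdir),
    }


if __name__ == "__main__":
    for finding in risky_path_entries(SAMPLE_PATH):
        print("PATH:", finding)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real account with `risky_path_entries(os.environ["PATH"])`. Note that putting “.” last rather than first only narrows the window: any command name that is mistyped or absent from the trusted directories still falls through to the current directory, which is why the usual remediation is to drop the entry altogether and invoke local scripts as `./name`.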
Computer Viruses (Cont’d)
• Executable infectors
  – Triggered if an infected program is executed
  – Infect executables
    • COM and EXE
  – [Figure: an uninfected file is “Header | Executable code and data”; after infection it is “Header | Virus | Executable code and data”, with the first program instruction redirected so the virus runs before the original code.]

Computer Viruses (Cont’d)
• Terminate and Stay Resident (TSR) virus
  – Stays active in memory after the application (or bootstrapping) has terminated.
  – Example: the Brain virus
    1. Move the disk interrupt vector 13H to 6DH
    2. Set 13H to invoke the Brain virus
    3. Load the original boot sector
  – New disks will be infected as long as the virus is in memory.

Computer Viruses (Cont’d)
• Polymorphic viruses
  – Change their form each time they insert themselves into another program.
• Stealth viruses
  – Conceal the infection of files
  – Make themselves difficult to detect
• Encrypted viruses
  – Encrypt themselves with a random key
  – Avoid detection by anti-virus programs, which search for patterns of viruses.

Computer Viruses (Cont’d)
• Macro viruses
  – Viruses composed of instructions that are interpreted, rather than executed.
  – Examples
    • Word viruses
    • Email viruses
  – The MS Office suite is the most popular target.

Worms
• A computer worm is a program that copies itself from one computer to another.
• Different from viruses
  – Viruses depend on other programs
  – Worms are usually standalone applications
  – Viruses usually trick people into propagating them
  – Worms can hack into vulnerable systems and spread without depending on others

The Sapphire/Slammer Worm
• Facts about Sapphire/Slammer
  – Happened slightly before 5:30 UTC on Saturday, January 25, 2003.
  – The fastest worm in history.
  – Doubled in size every 8.5 seconds at the beginning
  – Infected more than 90% of vulnerable hosts within 10 minutes
The Sapphire/Slammer Worm (Cont’d)
• How does it find vulnerable computers?
  – Random scanning
    • Select IP addresses at random to infect
• How does it get into vulnerable computers?
  – Exploit a buffer overflow vulnerability in MS SQL Server or MSDE 2000
    • Vulnerability discovered in July 2002
• Why was it so fast?
  – Small: 376 bytes; a 404 byte UDP packet
  – Based on UDP

The Sapphire/Slammer Worm (Cont’d)
• What’s its real impact (so far)?
  – Sapphire does not have a malicious payload
  – The Internet was saturated.
    • Too many hosts are infected and are trying to infect randomly selected hosts.

Rabbits and Bacteria
• A bacterium or a rabbit is a program that absorbs all of some class of resource.
• Example
  – Exhaust disk space
  – Exhaust inode tables

Logic Bombs
• A logic bomb is a program that performs an action that violates the security policy when some external event occurs.

Defenses against Malicious Logic
• Type enforcement by human users
  – A program being written is considered data
  – A program must be changed into an executable by a certifying authority before it’s executed.

Defense against Malicious Logic (Cont’d)
• Limiting the users’ access domain
  – Idea: limit the objects that can be accessed by a malicious logic that assumes the user’s privilege.
• Methods
  – Control information flow distances
    • Ex. Information cannot flow more than n times
  – Reduce the rights
  – Sandboxing
    • Implicitly restrict process rights
    • Ex. Insert special instructions that cause traps whenever an instruction violates the security policy.
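“Information cannot flow more than n times” is easiest to understand as a small reference monitor. The Python below is an added example, not from the slides, and the model it uses is an assumption of this example rather than a formal definition: every subject and object carries an integer distance (how many hand-offs separate its contents from the original source), a read raises the reader's distance to one more than the object's, a write raises the object's distance to the writer's, and any write that would exceed the limit n is refused. The copy chain and the File F / File G scenario are constructed inputs; the names `copy_chain` and `trojan_scenario` are this example's own.

```python
from dataclasses import dataclass
from typing import Dict


class FlowDenied(Exception):
    """Raised when an operation would carry information further than allowed."""


@dataclass
class Entity:
    name: str
    distance: int = 0  # hand-offs separating the contents from the original source


class FlowDistanceMonitor:
    """Reference monitor enforcing 'information cannot flow more than n times'.

    Simplified model chosen for this example (an assumption, not the slides'
    formal definition): when a subject reads an object its distance becomes
    max(own, object + 1); when it writes an object the object's distance
    becomes max(own, subject). A write that would push the object beyond
    `limit` is refused, so a chain of copy-and-forward steps is cut after n hops.
    """

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.entities: Dict[str, Entity] = {}

    def add(self, name: str, distance: int = 0) -> Entity:
        entity = Entity(name, distance)
        self.entities[name] = entity
        return entity

    def read(self, subject: str, obj: str) -> int:
        s, o = self.entities[subject], self.entities[obj]
        s.distance = max(s.distance, o.distance + 1)
        return s.distance

    def write(self, subject: str, obj: str) -> int:
        s, o = self.entities[subject], self.entities[obj]
        new_distance = max(o.distance, s.distance)
        if new_distance > self.limit:
            raise FlowDenied(f"{subject} -> {obj} would reach distance "
                             f"{new_distance} > limit {self.limit}")
        o.distance = new_distance
        return o.distance


def copy_chain(limit: int, hops: int) -> int:
    """Constructed scenario: 'file0' is copied by process p1 into 'file1',
    which p2 copies into 'file2', and so on for `hops` hand-offs. Returns the
    number of hand-offs that succeed before the monitor refuses one."""
    monitor = FlowDistanceMonitor(limit)
    monitor.add("file0")
    completed = 0
    for i in range(1, hops + 1):
        monitor.add(f"p{i}")
        monitor.add(f"file{i}")
        monitor.read(f"p{i}", f"file{i - 1}")
        try:
            monitor.write(f"p{i}", f"file{i}")
        except FlowDenied:
            break
        completed += 1
    return completed


def trojan_scenario(limit: int) -> Dict[str, int]:
    """The Trojan horse figure from the slides in this model: a program run by A
    reads File F and writes File G. That single hop passes any limit >= 1; the
    monitor bounds how far the leaked data travels afterwards, not the first leak."""
    monitor = FlowDistanceMonitor(limit)
    monitor.add("F")
    monitor.add("G")
    monitor.add("goodies")
    monitor.read("goodies", "F")
    monitor.write("goodies", "G")
    return {name: e.distance for name, e in monitor.entities.items()}


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"limit {n}: {copy_chain(n, hops=6)} hand-offs completed")
    print(trojan_scenario(2))
```

The `trojan_scenario` result is the practical caveat: a distance limit contains spread, it does not stop the Trojan horse's first write to G, so it complements rather than replaces restricting the rights the program runs with.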
Defense against Malicious Logic (Cont’d)
• Inhibit users from sharing programs in different domains
  – An extreme: isolated domains
• Detect modified files
  – Using cryptographic checksums to detect alteration of files

Defense against Malicious Logic (Cont’d)
• Proof-carrying code
  – Carry proof with the code
  – It can be verified (to a certain extent) that the program does what it is supposed to do
  – A program essentially carries an abstract version of itself so that the binary can be checked against this
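The “detect modified files” defense is a baseline of cryptographic checksums compared against a later scan. The Python below is an added example, not the slides' code: it records SHA-256 digests for every file under a directory, then reports modified, missing and added files. The demonstration tree (two small shell scripts), the inert marker bytes prepended to one of them to stand in for the executable-infector layout shown earlier, and the added hidden file are all constructed here.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed tree of two 'executables'. After the baseline is recorded,
    one file gets inert marker bytes prepended (the shape of the executable-
    infector figure, nothing executable) and a new hidden file appears."""
    root = tempfile.mkdtemp()
    _write(root, "bin/ls", b"#!/bin/sh\necho listing\n")
    _write(root, "bin/cat", b"#!/bin/sh\ncat \"$@\"\n")
    baseline = build_baseline(root)
    manifest = json.dumps(baseline, indent=1, sort_keys=True)  # what you would store offline
    # Simulated tampering after the baseline was taken.
    with open(os.path.join(root, "bin/ls"), "rb") as fh:
        original = fh.read()
    _write(root, "bin/ls", b"INERT-MARKER\n" + original)
    _write(root, "bin/.hidden", b"new file\n")
    stored_baseline = json.loads(manifest)
    return verify(root, stored_baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a deployment needs: the manifest must live where the malicious logic cannot rewrite it (read-only media, or signed with a key kept off the host, for example an HMAC over each digest), and the checker itself must run from trusted code, since a resident virus like the TSR case above can also intercept the reads the checker performs.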