EECE 412 Session 17: Malicious Logic (slide transcript)
Copyright © 2004 Konstantin Beznosov
The University of British Columbia
Malicious Logic
EECE 412
Session 17
Last Session Recap
Security policies
Integrity Policies
• Biba integrity model
• Clark-Wilson integrity model
Hybrid Policies
• Chinese Wall model
• Clinical Information Systems Security policy (self-study)
• ORCON model
• RBAC model
Outline
Types of malicious logic
Theory & Malware
• Viruses
• Worms
• etc.
Protection and Detection Techniques
Malicious Logic
Malicious Code Types
Trojan horse
virus
worm
rabbit/bacterium
logic bomb
trapdoor/backdoor
Non-malicious program errors
buffer overflow
• data replaces instructions
incomplete mediation
• sensitive data are in an exposed, uncontrolled condition
time-of-check to time-of-use errors
• leaves an opportunity to change the data/request after it was checked/authorized and before it was used/processed
mistakes in using security mechanisms
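The time-of-check to time-of-use bullet above, as an added example that is not part of the slides: a file-serving routine that checks a path name and then opens it again (the window), beside the hardened form that checks the descriptor it actually opened. The serve_unsafe, serve_safe and demo names and the constructed public/secret files are assumptions for illustration.

```python
import os
import stat
import tempfile

def serve_unsafe(path, between=lambda: None):
    """Check-then-use on a *name*: the time-of-check to time-of-use window."""
    if not (os.stat(path).st_mode & stat.S_IROTH):   # check: world-readable?
        raise PermissionError(path)
    between()                                        # window between check and use
    with open(path, "rb") as f:                      # use: the name is resolved again
        return f.read()

def serve_safe(path, between=lambda: None):
    """Open first, then check the object actually opened: no second name lookup."""
    fd = os.open(path, os.O_RDONLY)
    try:
        between()                                    # same window, but fd is already bound
        st = os.fstat(fd)                            # check the opened object itself
        if not (st.st_mode & stat.S_IROTH):
            raise PermissionError(path)
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a world-readable file, a private file, and a link."""
    d = tempfile.mkdtemp()
    public, secret, link = (os.path.join(d, n) for n in ("public.txt", "secret.txt", "link"))
    with open(public, "wb") as f:
        f.write(b"public data")
    with open(secret, "wb") as f:
        f.write(b"secret data")
    os.chmod(public, 0o644)
    os.chmod(secret, 0o600)

    def repoint():  # constructed: the name is changed inside the window
        tmp = link + ".tmp"
        os.symlink(secret, tmp)
        os.replace(tmp, link)                        # atomic rename over the old link

    os.symlink(public, link)
    leaked = serve_unsafe(link, between=repoint)     # check saw public, use read secret
    os.remove(link)
    os.symlink(public, link)
    kept = serve_safe(link, between=repoint)         # fd still refers to public
    return leaked, kept
```

The fix is not "check faster" but making the check and the use refer to the same object, which is why the hardened form checks the descriptor rather than the path.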
Whys
Why is malicious logic bad?
Why should we know how it works?
Trojan Horses
has overt and covert effects
• Examples of overt and covert effects?
propagating Trojan horse
Thompson’s experiment with a Trojan horse
1. Add TH to a login program source code
• login + TH = login’
2. Add TH to the compiler
• compiler + TH = compiler’
• compile’( login ) = login’
3. Add TH to the old compiler to build new compiler’
• compile( compiler ) = compiler’
• compile’( login ) = login’
• “Reflections on trusting trust”
Computer Viruses
What’s a Computer Virus?
Program that
1. “infects” other programs with itself, and
2. performs some (possibly null) action
Is a virus also a Trojan horse?
Classification of Virus Types (axes: what infect, how run, how hide)
Boot sector infectors: what infect = boot sector
Executable infectors: what infect = executable
Multipartite viruses: what infect = boot sector and executable
Macro viruses: what infect = interpreted
TSR viruses: how run = resident in memory (yes; all other types: no)
Stealth viruses: how hide = conceal infection
Encrypted viruses: how hide = encrypts itself
Polymorphic viruses: how hide = changes form
Examples of Viruses (same axes: what infect, how run, how hide)
Brain virus
Jerusalem virus
Stealth (a.k.a. IDF) virus
Encroacher virus
Computer Worms
What’s a Computer Worm?
“a program that
1. can run independently and
2. can propagate a fully working version of itself to other machines.”
E. Spafford in “A Failure to Learn from the Past”
What’s the difference between computer worms and viruses?
Other Forms of Malicious Logic
rabbit/bacterium
• replicates itself without limit to exhaust resource
logic bomb
• goes off when specific condition occurs
trapdoor/backdoor
• allows system access through undocumented means
Malware Theory
Could we detect any malware?
Could an algorithm exist that would determine if an arbitrary program contains malicious code?
Relevant Results
There is no generic technique for detecting all malicious logic
Detection and protection focus on particular aspects of specific logic
Particular Aspects of Malware and Corresponding
Protection and Detection Techniques
Malware acting both as data and code
Approach: Keep data and code separate
Techniques
Allow files to be either modifiable or
executable but not both
Change the type of modified executable to
“data”
Require explicit actions to make data
executable
Malware uses privileges of authorized users
Approach: Reduce the amount of damage
Techniques:
Restrict how far data can travel
Exercise the principle of least privilege
Sandboxing
Malware Uses Sharing to Cross Protection Domain Boundaries
Approach: Prevent data sharing
Techniques:
Assign programs lowest security level in MLS systems
Malware Alters Files
Approach: Detect Alterations
Techniques:
Signature blocks
• Tripwire
Virus signatures used by antivirus scanners
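An added example (not the slides' or Tripwire's own code) that ties together the "detect alterations" slide above and the earlier "keep data and code separate" slide: a Tripwire-style baseline of signature blocks (content digest plus permission bits), a verify step that reports added, removed and modified files, and an optional demotion that strips the execute bits from any modified executable so it is treated as "data" until someone explicitly re-approves it. Function names and the constructed sample tree are assumptions for illustration.

```python
import hashlib, os, stat, tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Signature block per regular file: (content digest, permission bits)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                baseline[os.path.relpath(p, root)] = (sha256_of(p), stat.S_IMODE(st.st_mode))
    return baseline

def verify(root, baseline, demote_modified=False):
    """Report added/removed/modified files; optionally turn modified executables into data."""
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }
    if demote_modified:
        for rel in report["modified"]:
            p = os.path.join(root, rel)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & 0o111:
                os.chmod(p, mode & ~0o111)  # no longer executable until explicitly re-approved
    return report

def demo():
    """Constructed tree: one executable script and one config; the script is then altered."""
    root = tempfile.mkdtemp()
    script, conf = os.path.join(root, "tool.sh"), os.path.join(root, "tool.conf")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(script, 0o755)
    with open(conf, "w") as f:
        f.write("level=1\n")
    baseline = build_baseline(root)
    with open(script, "a") as f:        # simulated unauthorized alteration of the executable
        f.write("echo extra\n")
    report = verify(root, baseline, demote_modified=True)
    mode_after = stat.S_IMODE(os.lstat(script).st_mode)
    return report, mode_after
```

The baseline itself must live somewhere the checked system cannot modify (read-only media or a separate host), otherwise the alteration and the signature can be changed together.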
Malware Performs Actions Beyond Specification
Approach: Treat the problem as a Fault Tolerance one
Techniques:
N-version programming: votes on results
Proof-carrying code: proving compliance with safety requirements
Malware Alters Statistical Characteristics
Approach: Detect statistical changes
Techniques:
Detecting abnormal activities on systems or networks