Outline for Today’s Lecture
Administrative:
– Potential extension on Program 4 (not on webpage yet)
  • Thursday Dec. 15 at 11:59pm (1 week more)
– Exam will include a very easy question based on Xen/Linux assignments
– Course evaluations
  • need volunteer to deliver; stop me 10 minutes from end-of-class time.
  • Answer question about your opinion of Linux vs. alternative.
Objective:
– Viruses and worms
Viruses and Worms
• Virus = program that can reproduce itself by attaching its code to another executable program
  – Activated by executing its host
• Worm = program which replicates itself and causes execution of the new copy
  – Self-contained
  – Hijacks or creates a new process
Lifecycle of an Attack
Probe → Penetrate → Persist → Propagate → Paralyze
– Probe: scan ports, ping addresses, guess passwords, get addresses from email address book
– Penetrate: mail attachments, buffer overflows, backdoors, macros
– Persist: create / modify files, infect boot sector, modify registry, weaken security settings, hide and disguise actions
– Propagate: use email client, bring up own SMTP or http servers, ftp
– Paralyze: do damage, destroy data, denial of service, leak information
History of Worms
1982 – PARC envisions worms as an administrative mechanism to perform legitimate tasks on a distributed system
1988 – Morris worm is the first Internet worm (with dramatic consequences)
…
2001 – Code Red
2003 – Slammer, Blaster
2004 – Sasser, Witty
The Morris Internet Worm
• Nov. 1988, Robert Morris, Cornell grad student
• Consisted of two programs
  – bootstrap to upload worm
  – the worm itself
• Worm first hid its existence
• Next replicated itself on new machines
  – rsh
  – finger name@site – overflow finger daemon’s stack with long string
  – Bug in sendmail to mail bootstrap & exec it
  – Tried to break user passwords and go on
• Too aggressive – let 1 in 7 re-infections live
• Caught and convicted
Stopping Attacks
• CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked. Fields reports of security break-ins
• Traditional timeline of attack:
  Application released with bug → Vulnerability announced & patch released → Attack released
  – Bad guys create attack (often < 1 day)
  – Good guys patch fast
How Viruses Work
• Virus usually written in assembly language
• Inserted into another program
  – use tool called a “dropper”
• Virus dormant until program executed
  – then infects other programs
  – eventually executes its “payload”
    • possibly waits for significant date
How Viruses Work
• An executable program
• with a parasitic virus at the front
• with the virus at the end
• with the virus spread over free space within the program (cavity virus)
How Viruses Work
Boot sector viruses
• 1st hide the real boot sector
• When booted, copies virus into memory, making it a memory-resident virus
• Then boots the OS
• Device driver infected with virus loads it at boot time
How Viruses Work
• After virus has captured interrupt and trap vectors
  – Syscall trap is a good one. Can look for exec calls
• After OS has retaken printer interrupt vector
• After virus has noticed loss of printer interrupt vector and recaptured it
How Viruses Work
Macros
• Applications like Word or Excel allow macros that get executed via keystroke or menu
• Attach a macro to the open-file function and you are off and running
• Can be sent in email attachments
• Some emailers automatically open attachments
How Viruses Spread
• Virus placed where likely to be copied
• When copied
  – infects programs on hard drive, floppy
  – may try to spread over LAN
• Attach to innocent-looking email
  – when it runs, use mailing list to replicate
Stopping Attacks
• Identifying viruses and worms before they execute – antivirus – trusted code only
• Catch ’em in the act of misbehaving before they do harm
• Monitoring and controlling what suspicious code can do – interpreters and sandboxing
Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program, metadata giveaways
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques
Examples of a polymorphic virus – all of these examples do the same thing
Mutation engine – code that morphs the signature part of the virus each time it spreads
Antivirus and Anti-Antivirus Techniques
• Integrity checkers – checksums
• Behavioral checkers
• Virus avoidance
  – good OS
  – install only shrink-wrapped software
  – use antivirus software
  – do not click on attachments to email
  – avoid active content
  – frequent backups
• Recovery from virus attack
  – halt computer, reboot from safe disk, run antivirus
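An added example (not from the lecture or any product) of the integrity-checker idea above: a checksum is recorded per program while the system is clean and compared later, so both a cavity-style change (same length) and an appended change (longer file) are detected. FNV-1a as the checksum and the byte buffers standing in for executables are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit FNV-1a over a byte buffer, standing in for the checksum an integrity
 * checker records per executable. It is not collision-resistant: if the infector
 * can read the baseline and recompute it, a keyed hash or a digital signature
 * over the image is needed instead. */
uint32_t checksum(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

/* One baseline entry per protected program, taken while the system is clean. */
struct baseline { const char *name; size_t len; uint32_t sum; };

struct baseline record(const char *name, const uint8_t *bytes, size_t len) {
    struct baseline b = { name, len, checksum(bytes, len) };
    return b;
}

/* 1 if the image still matches its baseline, 0 if it changed. A parasitic virus
 * at the front or end changes the length; a cavity virus keeps the length and
 * only changes content, so both length and checksum are compared. */
int verify(const struct baseline *b, const uint8_t *bytes, size_t len) {
    return len == b->len && checksum(bytes, len) == b->sum;
}

int main(void) {
    uint8_t prog[64] = "clean program image";   /* constructed stand-in for a binary */
    struct baseline b = record("prog", prog, sizeof prog);
    printf("clean:    %d\n", verify(&b, prog, sizeof prog));

    uint8_t cavity[64];                         /* same length, free space overwritten */
    memcpy(cavity, prog, sizeof prog);
    memcpy(cavity + 40, "XXXXX", 5);
    printf("cavity:   %d\n", verify(&b, cavity, sizeof cavity));

    uint8_t appended[70];                       /* extra bytes appended at the end */
    memcpy(appended, prog, sizeof prog);
    memset(appended + 64, 0, 6);
    printf("appended: %d\n", verify(&b, appended, sizeof appended));
    return 0;
}
```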
Trusted Mobile Code
When code is intentionally brought in, what can you do to protect yourself?
Only download code from sources you trust – use digitally signed code
Mobile Code Sandboxing
Confine the effects of running (untrusted) code
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity
Interpreted Mobile Code
Applets can be interpreted by a Web browser
Interpretation
• Interpreter never lets go of the program counter itself
• Interpreter can check each instruction as it is emulated
• Transfers of control flow are the danger points
• Performance cost, but can be mitigated
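An added example, not from the lecture, that joins the 1-MB sandbox address check from the Mobile Code Sandboxing slide with the interpretation points above: a toy instruction set and an interpreter that owns the program counter and checks every memory access and jump before emulating it. The opcodes, the 4-byte instruction size, the sandbox number and the sample program are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Memory is divided into 1-MB sandboxes: low 20 bits = offset inside the
 * sandbox, high bits = sandbox number. Toy machine: 4-byte instructions. */
#define SANDBOX_SHIFT 20u
#define INSN_BYTES    4u
enum op { OP_NOP, OP_LOAD, OP_STORE, OP_JMP, OP_HALT };
struct insn { enum op op; uint32_t target; };   /* target: absolute address */

/* The slide's validity check: address >> 20 must equal the sandbox number. */
int sfi_check(uint32_t target, uint32_t sandbox_id) {
    return (target >> SANDBOX_SHIFT) == sandbox_id;
}

/* Interpreter for code loaded at `base` inside `sandbox_id`. The program counter
 * is a local only this loop updates; every access and jump is checked before it
 * is emulated, and a jump must land on an instruction boundary inside the code.
 * Returns instructions executed, or -(index+1) of the instruction refused. */
int interpret(const struct insn *code, uint32_t n, uint32_t base, uint32_t sandbox_id, int max_steps) {
    uint32_t pc = 0; int steps = 0;
    while (pc < n && steps < max_steps) {
        const struct insn *in = &code[pc];
        steps++;
        switch (in->op) {
        case OP_HALT: return steps;
        case OP_NOP:  pc++; break;
        case OP_LOAD: case OP_STORE:
            if (!sfi_check(in->target, sandbox_id)) return -(int)pc - 1;
            pc++; break;
        case OP_JMP: {
            uint32_t off = in->target - base;
            if (!sfi_check(in->target, sandbox_id) || in->target < base ||
                off % INSN_BYTES != 0 || off / INSN_BYTES >= n) return -(int)pc - 1;
            pc = off / INSN_BYTES; break;
        }
        }
    }
    return steps;   /* ran off the end of the code, or hit max_steps */
}

int main(void) {
    /* Constructed program at 0x300000 in sandbox 3: the jump skips a store that
     * would escape into sandbox 4, so the interpreter never has to refuse it. */
    const struct insn prog[] = {
        { OP_LOAD, 0x300100 }, { OP_JMP, 0x30000C },
        { OP_STORE, 0x401000 }, { OP_NOP, 0 }, { OP_HALT, 0 },
    };
    printf("executed: %d\n", interpret(prog, 5, 0x300000, 3, 100));
    return 0;
}
```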
Covert Channels
Can information be leaked from “confined” processes?
Encapsulated server can still leak to collaborator via covert channels:
• Observable performance patterns (e.g., busy/blocked, page faulting)
Covert Channels
A covert channel using file locking
Covert Channels
• Pictures appear the same
  – 7-bit colors cannot be distinguished from 8-bit colors
• Picture on right has text of 5 Shakespeare plays
  – Compressed & encrypted, inserted into low-order bits of color values
(Left: Zebras. Right: Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear)
Is it a Technical Problem?
Lots of known solution techniques
• Access control
• Crypto
• Firewalls
• Intrusion detection
So why isn’t it a solved problem?
Economics
“The party who is in a position to protect a system is not the party who would suffer the results of security failure.”
Ross Anderson
Security
• For whom is it built?
• Who pays for it?