Chapter 3 – Program SecuritySection 3.1 Secure Programs

Section 3.2 Nonmalicious Program ErrorsSection 3.3 Viruses and Other Malicious Code

In this SectionProgramming errors with security

implicationsMalicious Code

Program Development and ControlsControls to protect against flaws in execution

Programs (lots of them)have errorsHow do we keep programs from flaws?How do we protect computing resources

against programs that contain flaws?

Secure ProgramsWhat is a secure program?Everyone has there own requirement of

secure.Part of assessing software qualityDoes it meet security requirements in

specification? (is requirements complete?)

In general, we often look at quantity and types of faults for evidence of security (or lack of it). We track these things.

Who’s Fault is it?Finding lots of faults in software early.

NOT GOOD.Early approaches were “Penetrate” and then

“Patch”NOT GOOD.

Repairing with a patch is a narrow focus and not the more important requirements.

Patches can cause other problems.Non obvious side effectsFix one places – fails anotherPerformance or function suffers

Types of FlawsValidation error (incomplete or inconsistent):

permissions checksDomain error: controlled access to dataSerialization and aliasing: program flow

orderInadequate identification and authentication:

basis for authorizationBoundary condition violation: failure on first

or last caseOther exploitable logic errors

Unexpected BehaviorUnexpected behavior is a program security

flaw.Does the program behave as it was designed?Behavior can be:

Vulnerability (class of fault)Flaw (fault or failure)

Flaw (human)InadvertentIntentional

Nonmalicious Program ErrorsBuffer Overflows

Excess information provided – overfilling the bucket

Buffer – space in which data is held (array or string)

char sample[10] or char sample[i]For (i=0; I<=9; i++)

sample[i] = ‘A’;sample[10] = ‘B’;

Figure 3-1  Places Where a Buffer Can Overflow.

Nonmalicious Program ErrorsIncomplete Mediation

Supplying the wrong type of data being requested.Supplying the wrong length of data being

requested.Problem

System Fails Supply of Bad Data

Must be checked by programmerClient side verses Server Side

Time-of-Check to Time-of-Use ErrorsOld bait-n-switch

Viruses and Other Malicious CodeWhy worry about it?

HarmWhat is it?

Unexpected or undesired effects in program or data caused by an agent intent on damage.

Agent is the writer of the codeMistakes are not malicious (human error)Virus – program that replicates itself to other

programs by altering the program code. Transient virus – runs when host runs Resident virus – resides in memory (active as a stand

alone)

Trojan Horse – in addition to primary effect, has a second, non-obvious malicious effect. Passwords

Logic Bomb – only on a conditionTime bomb – only at certain timeTrapdoor (backdoor) – other means of

privileged access; intentional and non-intentional

Worm – spreads virus via network Rabbit – replicates to exhaust recourses

Viruses can append, surround and integrate

Figure 3-4  Virus Appended to a Program.

Figure 3-5  Virus Surrounding a Program.

Figure 3-6  Virus Integrated into a Program.

Figure 3-7  Virus Completely Replacing a Program.

Viruses (Continued)Document Virus

Within the format of a documentMacro Virus

Appealing Qualities for Virus WritersHard to detectNot easily destroyedSpreads widelyRe-infects easilyEasy to createMachine and OS independent

Viruses (Continued)Where do they live?

One-Time Execution Virus – come in on EMAIL; these are popular

Boot Sector Virus From the bootsrap (bootup); bootse ctor of the hard

disk

Viruses (Continued)Where do they live?

Memory-Resident Viruses Terminate and Stay Resident (TSR) Infects Windows System Registry to reload

ApplicationsMacrosScriptsLibrariesImagesDocuments

Viruses (Continued)Virus Signatures

Viruses are no completely invisibleThey all leave a signature pattern (DNA)Patterns are found with Virus ScannersVirus patterns

Always at same location Top of file location File size grows Strange code; jump statements Hash or checksum change (later chapters)

Figure 3-9  Recognizable Patterns in Viruses.

Viruses (Continued)Transmission PatternsPolymorphic Virus – every changing virusEncrypting Virus – tries to hide

PreventionCommercial software applicationsTest all softwareOpening attachmentsMake system imagesKeep copies of executable files and data filesVirus Detection Software

Viruses (Continued)Truths and Misconceptions about Viruses

Viruses infect only Windows (False)Viruses can modify “hidden” or “read-only” files

(True)Files only appear in executable files (False)Viruses spread only on disks or only through EMAIL

(false)Viruses cannot remain in memory when power is off

(True/False)Viruses can not infect hardware. (True/False)Viruses can be malevolent, benign or benevolent

(True)