320 likes | 450 Vues
TMK 264: COMPUTER SECURITY. CHAPTER THREE : SECURITY SYSTEM. INTRODUCTION. Consider what we mean when we say that a program is ‘secure’. We saw in chapter 1 that security implies some degree of trust that the program enforces expected confidentiality, integrity and availability.
E N D
TMK 264: COMPUTER SECURITY CHAPTER THREE : SECURITY SYSTEM Prepared By: Razif Razali
INTRODUCTION • Consider what we mean when we say that a program is ‘secure’. • We saw in chapter 1 that security implies some degree of trust that the program enforces expected confidentiality, integrity and availability. • From the point of view of a program or a programmer, how can we look at a software component or code fragment and asses its security? Prepared By: Razif Razali
VIRUSES AND OTHER MALICIOUS CODE • By themselves, programs are seldom security threats. • The programs operate on data, taking action only when data and state changes trigger it. • Much of the work done by a program is invisible to users, so they are not likely to be aware of any malicious activity. Prepared By: Razif Razali
WHAT IS THE MALICIOUS CODE? • Malicious Code or a rogue program is the general name for unanticipated or undesired effects in programs or program parts. • Cause by agents that the computer system can be affected. • The agent is the writer of the program or the person or the person who causes its distribution. • Malicious code can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file. • Malicious code runs under the user authority. Prepared By: Razif Razali
KINDS OF MALICIOUS CODE Prepared By: Razif Razali
WORM • Is a self relocating computer program. • Use network to send copies to other node. • Always harm the network, where viruses always infect on targeted PC. • Can consume memory or network, bandwidth which can cause a computer to crash. • Worm is similar to virus by its design, and is considered to be a sub class of a virus. • Example: Sasser Worm, Blaster Worm, ILOVEYOU, CodeRed, Nimbda. Prepared By: Razif Razali
TROJAN HORSE • Trojan horse is a program that unlike a virus contains or installs a malicious code. • Trojan horse may appear to be useful or interesting programs to an unsuspecting user, but are actually harmful when executed. • Also known to create backdoor on your computer that gives malicious code users access to your system. Prepared By: Razif Razali
LOGIC BOMB • Also called slag code; is a programming code, inserted surreptitiously or intentionally, that is designed to execute under circumstances. • When exploded, may design to display or print a spurious message delete or corrupt data, or have other undesirable effects. Prepared By: Razif Razali
VIRUS DEFINITIONS • A computer virus is a block of executable code that would replicate itself by attaching to other files or replacing another program. • Attack of a computer or a computer system by virus spread over the network or the Internet. • A virus is a program that can pass on malicious code to other no malicious programs by modifying them. • What do computer viruses do? • A computer virus’s main purpose is to replicate itself and copy its code into as many other files as possible. Prepared By: Razif Razali
Figure: How computer virus spread Prepared By: Razif Razali
CATEGORIES OF VIRUS • A virus can be either transient or resident. • Transient • Life that depends on the life of its hosts. • The virus runs when its attached program executes and terminates when its attached program ends. • During its execution, the transient virus may have spread its infection to other programs. • Resident • Locates itself in memory; then it can remain active or be activated as a stand-alone program, even its attached program ends. Prepared By: Razif Razali
VIRUS SYMPTOMS Prepared By: Razif Razali
HOW VIRUS ATTACH? • Virus is attached by using three methods: • Appended to program • Surrounding a program • Integrating into program Prepared By: Razif Razali
Virus appended to a program • The program virus attached itself to a program, then, whenever the program is run, the virus is activated. • This kind of attachment is simple and effective. • In the simplest case, a virus inserts a copy of itself into the executable program file before the first executable instruction. • Then, all the virus instructions execute first; after the last virus instruction, control flows naturally to what used to be the first program instruction. Prepared By: Razif Razali
Figure: Virus appended to a program Prepared By: Razif Razali
Virus Surrounding & Integrating • Virus surrounding a program • Virus that runs the original program but has control before and after its executions. • Example: the virus writer might want to prevent the virus from being detected. • Virus Integrated into a program • The virus replaces some of its target, integrating itself into the original code of the target. • The virus writer has to know the exact structure of the original program and must know where to insert the piece of the virus. Prepared By: Razif Razali
HOMES FOR VIRUSES • Since a virus can be rather smaller, its code can be ‘hidden’. • Two hundred lines of a virus could be separated into one hundred packets of two lines of code. • The virus writer may find these qualities appealing in a virus: • It is hard to detect • It is not easily destroyed and deactivated. • It spread infection widely. • It can reinfect it home program or other programs. • It is easy to create. • It is machine independent and operating system independent. Prepared By: Razif Razali
Issues of virus resident • One-Time Execution • The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution. • A virus often arrives as an email attachment of a document virus. • Boot Sector Viruses • When a computer is started, control begins with firmware that determines which hardware component is present, tests them and transferred to the operating system. • A boot sector is an especially appealing place to house a virus. Prepared By: Razif Razali
Issues of virus resident • Memory Resident Viruses • Some parts of the operating system and most user programs execute, terminate and disappear, with their space in memory being available for anything executed later. • Example of resident code is the routine that interprets keys pressed on the keyboard, the code that handles error condition that arises during program executions. • Other homes for viruses • A virus that does not take up residence in one of these cozy establishments has to fend more for it. • One popular home for a virus is an application program. • Many applications, such as word processors and spreadsheet, have a ‘macro’ feature, by which a user can record a series of commands and repeat them with one invocation. Prepared By: Razif Razali
VIRUS SIGNATURE • A virus cannot be completely invisible. • Code must be stored somewhere, and the code must be in memory to execute. • Moreover, the virus executes in a particular way, using certain method to spread. • Each of these characteristics yields a telltale pattern, called a signature. • Specific strings of binary code in most viruses (except polymorphic ones) that allow antivirus software to detect them. • New viruses contain new signatures, which is why it is essential to keep signature files up to date. • The virus signature is important for creating a program, called a virus scanner. • The scanner searches memory to search the virus signatures Prepared By: Razif Razali
Figure: Example of Virus Signature Prepared By: Razif Razali
DENIAL OF SERVICE (DOS) • Also known as Distributed Denial of Service Attack. • DOS is an attempt to make a computer resource unavailable to the intended users. • It simply aims to prevent legitimate users from accessing the system. Prepared By: Razif Razali
HOW VIRUS GAIN CONTROL? • Virus can control the program by • Overwriting the part of the program • The virus can overwrite T in storage (simply replacing the copy of T in storage, for example (a)) • Changing the pointers. • Alternatively, the virus can change the pointers in the file table so that the virus is located instead of T whenever T is accessed through the file system. (See example (b)) Prepared By: Razif Razali
Figure: Virus completely replacing a program Prepared By: Razif Razali
HOW VIRUSES MAY EFFECT FILES • Viruses can affect any files; however, usually attack .com, .exe, .sys, .bin, .pif or any data files. • Increase the files size, however this can be hidden. • It can delete files as the file is run. • It can corrupt files randomly. • It can because write protect errors when executing .exe files from a write protected disk. • It can convert .exe files to .com files. • It can reboot the computer when executed. Prepared By: Razif Razali
VIRUS EFFECTS AND CAUSES Prepared By: Razif Razali
PREVENTION OF VIRUS INFECTION • The only way to prevent the infection of a virus is not to share executable code with an infected source. • Techniques used to control virus: • Use only commercial software acquired from reliable, well establish vendor. • Test all new software on an isolated computer. • Open attachments only when you know them to be safe. • Make a recoverable system image and store it safely. • Make and retain backup copies of executable system files. • Use virus detectors regularly and update them daily. Prepared By: Razif Razali
TRUTH ABOUT VIRUS • Viruses can infect only Microsoft Windows operating systems – FALSE • Viruses can modify ‘hidden’ or’ read only file’. – TRUE • Virus can appear only in data files, or only in word document, or programs – FALSE • Virus spread only on disks or only in e-mail.- FALSE • Virus cannot remain in memory after a complete power off/power on reboot – TRUE • Virus cannot infect hardware – TRUE • Virus can be malevolent, benign or benevolent - TRUE Prepared By: Razif Razali
SALAMI ATTACK • This approach gets its name from the way odd bits of meat and fat are fused together in a sausage or salami. • Some books refer salami attack as a salami shaving. • In the same way, a salami attack merges bits of seemingly inconsequential data to yield powerful result. • Example of salami attack: • With salami shaving, a programmer alters a program to subtract a very small amount of money from an account – say, two cents- and diverts the funds to the embezzler’s account. • Ideally, the sum is so small that it’s never noticed. • In a business that handles thousand of accounts, an insider could skim tens of thousands of dollars per year using this method. Prepared By: Razif Razali
CONCLUSIONS • Introduction • Virus and malicious code • What is malicious code? • Kinds of malicious code • Virus Definition • How virus attach • Appended virus • Surround a program • Integrated viruses • Home for virus • Virus signature • How viruses may effect files • Virus effect and cause • Prevention of virus infection • Truth about virus • Salami attack • Example of salami attack Prepared By: Razif Razali