Viruses and Malicious Code

Questions and Answers

What does the term 'CIA' refer to in the context of program security?

  • Central Intelligence Agency
  • Critical Information Assessment
  • Certified Information Assurance
  • Confidentiality, Integrity, Availability (correct)

What is a 'fault' considered from a system perspective?

  • A departure from the system's required behavior
  • The expected system response
  • An outside view of the system, as seen by the user
  • An inside view of the system, as seen by the developers (correct)

What are program security flaws caused by?

  • User settings
  • System updates
  • Appropriate program behavior
  • A program vulnerability (correct)

In what ways can program flaws be categorized?

Answer: Inadvertent and malicious

What occurs when a program writes more data to a buffer than it can hold?

Answer: Buffer overflow

What is a potential consequence of a buffer overflow?

Answer: Program crash

What is incomplete mediation?

Answer: Inconsistent checking of access to resources

What kind of security vulnerability arises from the Time-of-Check to Time-of-Use (TOCTOU) error?

Answer: When a system state is not consistently verified between check and use

What is the term used for programs that operate on data, taking action only when data triggers it?

Answer: Standard programs

Malicious code can be hidden and set to activate only when a specific condition is met. What is the general term for this condition?

Answer: Trigger

What term describes the general name for unanticipated effects in programs caused by an agent intent on causing damage?

Answer: Malicious code

What type of malicious code attaches itself to a program and propagates copies of itself to other programs?

Answer: Virus

What is a program that appears to perform a normal function but contains hidden malicious functions?

Answer: Trojan Horse

What is a 'logic bomb'?

Answer: Code triggered by a specific condition

What type of malicious code replicates itself without limit to exhaust resources?

Answer: Rabbit

What is the purpose of a 'virus signature'?

Answer: Detecting and removing viruses

What files can a virus attach itself to in MS-DOS and MS-Windows?

Answer: System files

What is a key characteristic of polymorphic viruses?

Answer: They change their appearance.

When preventing viruses, what type of software should be used?

Answer: Commercial software acquired from reliable vendors

What is the focus of targeted malicious code?

Answer: A particular system for a particular purpose

A program is considered secure if it enforces the expected confidentiality, integrity, and availability.

Answer: True

Fixing faults is one approach to judging security quality.

Answer: True

A failure is the system's required behavior.

Answer: False

A fault is an outside view of the system, as seen by the user.

Answer: False

A program security flaw is inappropriate program behavior caused by a program vulnerability.

Answer: True

Program flaws are divided into two categories: intentional human errors, and maliciously induced flaws.

Answer: False

A buffer is a space in which data can be held, which can grow infinitely.

Answer: False

A program crashing will never lead to an attacker executing malicious code.

Answer: False

Incomplete mediation occurs when access to resources is not consistently checked.

Answer: True

Time-of-Check to Time-of-Use errors refer to a system's state being consistently verified.

Answer: False

Programs are always security threats, meaning they are a vulnerability every time they run.

Answer: False

Malicious code can only be an entire program on its own.

Answer: False

A virus can attach itself to a program, and propagate copies of itself to other programs.

Answer: True

A worm contains unexpected additional functionality.

Answer: False

A logic bomb triggers action when a specific time occurs.

Answer: False

A rabbit replicates itself with a limit to avoid exhausting resources.

Answer: False

A resident virus locates itself in memory and remains active, even after its attached program ends.

Answer: True

A Trojan Horse has both a primary effect, and a malicious effect.

Answer: True

A vaccine might allow someone to access the program other than by the obvious call.

Answer: False

A worm can spread through copying program data files using any medium.

Answer: False

Flashcards

Program Security Flaw

Inappropriate program behavior caused by a program vulnerability.

Buffer

A space in memory where data can be held, with a finite capacity.

Buffer Overflow

Occurs when a program writes more data to a buffer than it can hold.

Incomplete Mediation

Occurs when access to resources isn't consistently checked, potentially allowing unauthorized exploitation.

TOCTOU Errors

Vulnerabilities when system state isn't verified between the access check and the resource use, enabling manipulation in between.

Malicious Code

A program or part of a program with the intent to cause harm.

Malicious Code/Rogue Program

General name for unanticipated or undesired effects in programs, caused by an agent intent on damage.

Virus

Attaches itself to a program and propagates copies of itself to other programs.

Trojan Horse

Contains unexpected additional functionality.

Trapdoor/Backdoor

Allows unauthorized access to functionality.

Worm

Propagates copies of itself through a network.

Logic Bomb

Triggers action when a condition occurs.

Time Bomb

Triggers action when a specific time occurs.

Rabbit

A virus or worm that replicates itself without limit to exhaust resources.

Virus

A program that can replicate itself and pass on malicious code to other, non-malicious programs.

Trojan Horse

Code that, in addition to its primary (expected) effect, has a second, malicious effect.

Trapdoor

A feature that gives access to the program other than by the obvious, direct call.

Worm

Spreads copies of itself through a network.

Virus Signature

The virus characteristics (its code and its storage, execution and transmission patterns) that enable detection.

Targeted Malicious Code

Malicious code written for a specific system, application, and purpose.

Assessing Software Quality

Judging security the way software quality is judged: by the number and kinds of faults found, from the perspective of the program and the programmer.

Failure (in System)

A departure from the system's required behavior.

Penetrate and Patch

Early security approach focused on finding and fixing flaws.

Transient Virus

A virus that runs only when its host program executes and terminates when the host ends.

Resident Virus

A virus that locates itself in memory and remains active, even after its attached program ends.

Storage Pattern (Virus)

Viruses attach themselves to programs stored on disk; the attached code (commonly at the start of the infected file) becomes the signature, and the file's size changes.

Execution Pattern (Virus)

A virus writer wants the virus to do several things at the same time: spread the infection, avoid detection, and cause harm.

Transmission Pattern

Means of transmission from one location to another.

Polymorphic Viruses

Viruses that change their appearance to avoid detection.

Preventing Viruses

Take actions so that no outside source is trusted until it has been tested.

Trapdoor: code development

A feature added during code development to test modules and to allow access in the event of an error.

Study Notes

Chapter Overview

  • Chapter focuses on viruses and malicious code
  • Outlines secure programs, non-malicious program errors, viruses and other malicious code, and targeted malicious code

Secure Programs

  • Security implies that the program enforces the expected CIA (Confidentiality, Integrity, Availability)
  • Software security can be assessed similarly to software quality
  • Practitioners look at the quantity and types of faults as evidence for a product's quality
  • One approach to quality in security is fixing faults
  • Human error can lead to a fault in a computer program, such as an incorrect step, command, process, or data definition
  • A failure is a departure from the system's required behavior and can be discovered before or after system delivery
  • A fault is an inside view from developers, while a failure is an outside view seen by the user
  • Early security work was based on "penetrate and patch," which often led to less secure systems
  • Comparing requirements and behavior helps, and unexpected behavior is a program security flaw

Security Flaws

  • A security flaw is inappropriate program behavior caused by a program vulnerability, and can be introduced intentionally or unintentionally
  • Program flaws are divided into two categories: inadvertent (unintentional) human errors and intentionally induced flaws
  • Intentional flaws are in turn either malicious or non-malicious (a trapdoor left in to ease testing is intentional but not malicious)
  • Inadvertent flaws fall into six categories:
    • Validation errors, such as incomplete or inconsistent permission checks
    • Domain errors, such as failures in controlled access to data
    • Serialization and aliasing errors, such as a wrong order of program flow
    • Inadequate identification and authentication for authorization
    • Boundary condition violations, such as failure on the first or last case
    • Other exploitable logic errors

Non-malicious Program Errors

  • A buffer is a space where data is held in memory and has a finite capacity
  • A buffer overflow happens when a program writes more data to a buffer than it can actually hold, potentially leading to adjacent memory corruption
  • It can cause a program crash or allow an attacker to execute malicious code
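What "adjacent memory corruption" means in practice, as an added worked example (not code from the chapter or the quiz): a record with a fixed-size name field followed by a privilege flag, a copy routine that trusts the input's length, and the bounded routine that refuses input that would not fit. The names record_t, set_username_unsafe, set_username_safe and input_fits, and the sample inputs, are illustrative choices made for this example.

```c
/* Added example: an unchecked copy into a fixed-size buffer, beside the
 * bounded version. The struct, function names and inputs are constructed
 * for illustration; none of this is code from the chapter. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The flag sits directly after the buffer. With the unsafe copy, bytes
 * beyond NAME_LEN land on is_admin and whatever follows it in memory. */
typedef struct {
    char name[NAME_LEN];
    int  is_admin;
} record_t;

/* VULNERABLE: strcpy stops at the NUL of the source, never at the end of the
 * destination. Any input of NAME_LEN or more bytes overflows 'name'. */
void set_username_unsafe(record_t *r, const char *input)
{
    strcpy(r->name, input);
}

/* HARDENED: measure first, and refuse anything that does not fit including
 * the terminating NUL. Returns 0 on success, -1 if the input was refused. */
int set_username_safe(record_t *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= NAME_LEN)
        return -1;                 /* would overflow: refuse, do not truncate silently */
    memcpy(r->name, input, n + 1); /* n + 1 copies the NUL as well */
    return 0;
}

/* Does this input fit the buffer with room for its NUL? 1 = yes, 0 = no. */
int input_fits(const char *input)
{
    return strlen(input) < NAME_LEN;
}

int main(void)
{
    record_t r = { "", 0 };
    const char *short_name = "alice";                    /* constructed input, fits */
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes > NAME_LEN */

    set_username_unsafe(&r, short_name);   /* safe only because this input is short */
    printf("unsafe copy of short input: name=%s is_admin=%d\n", r.name, r.is_admin);

    printf("safe copy of long input: %s\n",
           set_username_safe(&r, long_name) == 0 ? "accepted" : "refused");
    printf("long input fits? %d\n", input_fits(long_name));

    /* set_username_unsafe(&r, long_name) would write past 'name', overwrite
     * is_admin and whatever lies beyond the struct: the corruption the text
     * describes, and undefined behaviour, so the demo does not perform it. */
    return 0;
}
```

The demo only ever feeds the unsafe routine a short name, because feeding it the 24-byte name is exactly the undefined behaviour an attacker exploits. The hardened routine rejects rather than truncates, so a caller cannot mistake a silently shortened value for a complete one.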

Security Definitions

  • Program security flaw: Inappropriate program behavior caused by a program vulnerability due to malicious code or poorly developed code
  • Buffer (Array or String): Space in memory where data is held with finite capacity
  • Buffer Overflow: Occurs when program writes more data to a buffer than it can contain leading to program crash or attacker gaining access to execute malicious code
  • Incomplete Mediation: Access to resources isn't consistently checked/authorized in system operations
  • Time-of-Check to Time-of-Use (TOCTOU) Errors: Security vulnerabilities when system state isn't consistently verified between access check and resource use
  • Malicious code/Rogue program: General name for unanticipated/undesired effects in programs/program parts caused by an agent intent on damage
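Incomplete mediation and TOCTOU in their classic file-system form, as an added example that is not from the page: a permission check done on a path name, followed by an open done later on the same path name, beside a version that opens first and then inspects the object it actually got. The function names open_if_allowed_racy, open_regular_file and make_fixture, and the scratch directory the demo builds under /tmp, are assumptions of this example.

```c
/* Added example: the access()/open() race and its fix. Function names and
 * the scratch files are constructed for this demo; nothing here is from the
 * chapter. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE (TOCTOU): access() checks the name at time T1, open() uses the
 * name at time T2. Between the two, anyone who can write the directory can
 * swap the checked file for a symlink to something the check would have
 * refused; open() then follows the link without complaint. */
int open_if_allowed_racy(const char *path)
{
    if (access(path, R_OK) != 0)      /* check */
        return -1;
    return open(path, O_RDONLY);      /* use: the name may point elsewhere by now */
}

/* HARDENED: open first, then check the object you actually opened.
 * O_NOFOLLOW refuses a symlink at the final path component, and fstat() on
 * the descriptor reports the file that was opened, not whatever the name
 * resolves to now. Returns a descriptor or -1. */
int open_regular_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demo helper: builds a scratch directory holding a regular file and a
 * symlink to it (the symlink stands in for the attacker's swap). Writes the
 * two paths into the caller's buffers; returns 0 on success, -1 on error. */
int make_fixture(char *regular_path, size_t rlen, char *link_path, size_t llen)
{
    char dir[] = "/tmp/toctou-XXXXXX";            /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(regular_path, rlen, "%s/data.txt", dir);
    snprintf(link_path, llen, "%s/link.txt", dir);

    int fd = open(regular_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "hello\n", 6) != 6) {
        close(fd);
        return -1;
    }
    close(fd);
    return symlink(regular_path, link_path);
}

int main(void)
{
    char reg[64], lnk[64];
    if (make_fixture(reg, sizeof reg, lnk, sizeof lnk) != 0) {
        perror("fixture");
        return 1;
    }
    int a = open_regular_file(reg);
    int b = open_regular_file(lnk);
    int c = open_if_allowed_racy(lnk);
    printf("hardened open of regular file: %s\n", a >= 0 ? "opened" : "refused");
    printf("hardened open of symlink:      %s\n", b >= 0 ? "opened" : "refused");
    printf("racy open of symlink:          %s\n", c >= 0 ? "opened" : "refused");
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    return 0;
}
```

The fix is not "check faster"; it is to remove the gap by making the check and the use refer to the same object (the open descriptor) rather than to a name that something else can re-point in between. O_NOFOLLOW only guards the final path component; the directories earlier in the path still need to be ones the attacker cannot write.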

Types of Malicious Code and Their Definitions

  • Virus: Attaches itself to a program and propagates copies of itself to other programs
  • Trojan Horse: Contains unexpected additional functionality
  • Trapdoor: Allows unauthorized access to functionality
  • Worm: Propagates copies of itself through a network
  • Logic Bomb: Triggers action when a specified condition occurs
  • Time Bomb: Triggers action when a specific time occurs
  • Rabbit: A virus or worm that replicates without limit to exhaust resources

Virus Actions and Types

  • A virus replicates and passes malicious code to non-malicious programs by modifying them
  • The program acts like a biological virus: it infects healthy subjects by attaching itself to a program
  • The virus can either destroy the program or coexist with it
  • Good programs become carriers once infected
  • Transient virus: dependent on the life of its host; it runs when the attached program executes and terminates when the attached program ends
  • Resident virus: locates itself in memory and can remain active, or be re-activated, as a stand-alone program even after the attached program ends

How Viruses Attach

  • Appended viruses: the virus appends itself to the program, so whenever the program runs the virus code is activated first and control then passes to the original program
  • A virus inserted this way can take control both before and after the original program's execution
  • Integrated viruses and replacement: the virus replaces some of its target's code, integrating itself into the original program, or replaces the target entirely
  • Document viruses: implemented inside formatted documents, databases or slide presentations, using the application's macro language to perform malicious actions

How Viruses Gain Control

  • Overwriting the target: the virus arranges to be invoked in place of the target, for example by overwriting the target's file so that a call to the target runs the virus instead
  • Changing pointers: the virus replaces parts of the resident operating system by modifying the pointers to those parts, such as the table of handlers for the different kinds of interrupts, so that the system invokes the virus

Ways to Implement Virus Control

  • Hiding qualities of viruses: virus writers want code that is hard to detect, destroy, or deactivate
  • Distribution: viruses are transmitted by e-mail, as direct attachments or as indirect links that lead to the malicious code
  • Boot sector viruses: at power-on, control starts with the firmware, which determines the hardware components present and then transfers control to the boot sector and from there to the operating system
    • The virus writer breaks this chain, points it at the virus code, and reconnects the chain after the virus has installed itself
    • The virus hides in the boot area, so it is loaded before the operating system
  • Hiding viruses in specific systems
    • On DOS and MS-Windows, a virus can infect system files or add entries for programs to be loaded to CONFIG.SYS or AUTOEXEC.BAT
    • Virus writers like to load viruses into memory because memory-resident code has broad effect and is shared between users
    • Attaching to resident code is attractive for the same reason: it is activated many times while the machine is running
  • Applications: word processors and spreadsheets have a macro feature for embedding code, and such macros execute inside the application every time the document is opened
  • Libraries are excellent places for viruses, since a single infected library is loaded by many programs

Detection and Precautions

  • A virus executes in a particular way and spreads by certain methods; this yields an informative pattern called a signature
  • A virus scanner program holds a set of known signatures; it monitors execution and scans files, watching for those signatures
  • Run virus detectors regularly and update them frequently, daily if possible
  • The signature is what a scanner program depends on: a virus whose signature the scanner does not know goes undetected

Virus Patterns

  • Storage patterns: check invariant files for attached code and for changes in file size
  • Execution patterns: what the virus does while it runs, such as damaging files or the hard disk
  • Polymorphic viruses change their form to make signature scanners ineffective
  • Detection avoidance: an encrypting polymorphic virus consists of a decryption routine with its key plus the encrypted virus body; only the decryptor stays the same from copy to copy
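Signatures, storage patterns and polymorphism from the two lists above, shown on constructed data as an added example (no real malware and no real scanner code is involved): a byte-pattern scanner, an "infected" image that has grown by the length of the body, and a self-encrypting generation of the same body that the body signature misses while the constant decryptor stub still matches. BODY, STUB, make_polymorphic and emulate_decrypt are names and byte strings invented for this demo.

```c
/* Added example: a minimal signature scanner, and why a self-encrypting
 * (polymorphic) body defeats a body signature while its constant decryptor
 * still gives the scanner something to match. Every byte string here is
 * constructed for the demo; none of it is real malware or chapter code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Search hay for needle; returns the first offset or -1. This is what a
 * scanner does with each stored signature against each file it examines. */
long find_signature(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* The "virus body": a constant byte pattern a signature can key on. */
static const unsigned char BODY[] = "EVIL-PAYLOAD-V1";     /* constructed */
#define BODY_LEN (sizeof BODY - 1)

/* A decryptor stub that every polymorphic generation carries unchanged,
 * followed by a one-byte key and the body XORed with that key. */
static const unsigned char STUB[] = { 0xDE, 0xC0, 0xDE, 0x01 }; /* constructed */

/* Produce one generation: STUB || key || (BODY ^ key). Each key yields a
 * different byte string, so a signature on BODY never matches the stored
 * form. Returns the number of bytes written, or 0 if out is too small. */
size_t make_polymorphic(unsigned char key, unsigned char *out, size_t outlen)
{
    size_t need = sizeof STUB + 1 + BODY_LEN;
    if (outlen < need)
        return 0;
    memcpy(out, STUB, sizeof STUB);
    out[sizeof STUB] = key;
    for (size_t i = 0; i < BODY_LEN; i++)
        out[sizeof STUB + 1 + i] = BODY[i] ^ key;
    return need;
}

/* Emulate the decryptor: recover the body from a generation, so the scanner
 * can match what the code looks like when it runs rather than how it is
 * stored. Returns the number of recovered bytes, or 0 on bad input. */
size_t emulate_decrypt(const unsigned char *gen, size_t glen,
                       unsigned char *out, size_t outlen)
{
    if (glen < sizeof STUB + 1 || outlen < glen - sizeof STUB - 1)
        return 0;
    unsigned char key = gen[sizeof STUB];
    size_t n = glen - sizeof STUB - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = gen[sizeof STUB + 1 + i] ^ key;
    return n;
}

int main(void)
{
    /* Storage pattern: a clean image with the body appended, so the file
     * has grown by exactly BODY_LEN bytes and the body sits at a fixed offset. */
    unsigned char infected[64] = "clean-program-bytes";   /* constructed */
    size_t base = strlen((char *)infected);
    memcpy(infected + base, BODY, BODY_LEN);
    printf("plain infection: grew by %zu bytes, body signature at offset %ld\n",
           BODY_LEN, find_signature(infected, base + BODY_LEN, BODY, BODY_LEN));

    unsigned char gen[64], plain[64];
    size_t glen = make_polymorphic(0x5A, gen, sizeof gen);
    printf("polymorphic copy: body signature %s, stub signature at offset %ld\n",
           find_signature(gen, glen, BODY, BODY_LEN) < 0 ? "missed" : "hit",
           find_signature(gen, glen, STUB, sizeof STUB));

    size_t plen = emulate_decrypt(gen, glen, plain, sizeof plain);
    printf("after emulated decryption: body signature at offset %ld\n",
           find_signature(plain, plen, BODY, BODY_LEN));
    return 0;
}
```

Two practical points fall out of the code: a signature on the encrypted body is useless because the key changes per copy, so scanners key on the part that cannot change (the decryptor) or decrypt in emulation and scan the result; and the size check is cheap because an appended body makes the infected file longer by a constant amount.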

Virus Prevention Methods

  • Use only commercial software acquired from reliable vendors
  • Make a recoverable system image file
  • Write-protect the image file before booting and keep it write-protected
  • Retain backup copies of executable system files and databases

Targeted Malicious Codes

  • Targeted code is written for a particular system, application and purpose; it goes to great lengths to re-establish itself and to operate as root, the privileged user on a Unix system