CH3_Program Security.pdf
Chapter 3: Programs and Programming Security (2022)

Introduction

Security failures can result from intentional or non-malicious causes; both can cause harm. When a human makes a mistake, called an error, in performing some software activity, the error may lead to a fault. A failure is a departure from the system's required behavior. Every failure has at least one fault. Security engineers use the term flaw to describe both faults and failures.

Programs and Programming 1/1

Unintentional (Non-malicious) Programming

A program flaw can be a fault affecting the correctness of the program's result, causing an integrity failure. A flaw introduced by a benign user can be exploited by someone malicious. In this chapter we examine several programming flaws that have security implications, such as buffer overflow, backdoors and integer overflow.

Buffer Overflow

A memory buffer is an area in the computer's memory (RAM) meant for temporarily storing data, such as user input. A buffer overflow is a situation where a running program attempts to write data outside the allocated memory buffer, into memory that is not intended to store this data. Buffer overflows often come from innocent programmer oversights or failures to document and check for excessive data.

Buffer Overflow Example

Suppose a username with a maximum of 8 bytes is expected, and a username of 10 bytes is given and written to the buffer. A buffer overflow occurs unless the program prevents it from happening.

Controlling Buffer Overflow I

When working with fixed-length buffers, you should always use sizeof to calculate the size of the buffer, and then make sure you don't put more data into the buffer than it can hold.

Controlling Buffer Overflow II

The strcpy function merely writes the entire string into memory, overwriting whatever came after it.
The strncpy function truncates the string to the buffer length, but without the terminating null character. When this string is read, all of the bytes in memory following it, up to the next null character, are read along with it. Only the strlcpy function is fully safe: it truncates the string to one byte smaller than the buffer size and adds the terminating null character.

What Happens When a Buffer Overflow Occurs?

When a memory buffer overflow occurs and data is written outside the buffer, the running program may become unstable, crash or return corrupt information. The overwritten parts of memory may have contained other important data for the running application, which is now overwritten and no longer available to the program. Buffer overflows can even run other (malicious) programs or commands and result in arbitrary code execution.

Memory Allocation I

Memory is a limited but flexible resource; any memory location can hold any piece of code or data. To make managing computer memory efficient, operating systems jam one data element next to another, without regard for data type, size, content, or purpose. Computers use a pointer or register known as the program counter that indicates the next instruction.

Memory Allocation II

Conditional instructions such as IF(), branch instructions such as loops (WHILE, FOR) and unconditional transfers such as GOTO or CALL divert the flow of execution, causing the hardware to put a new destination address into the program counter.

Backdoor

A backdoor or trapdoor is an undocumented access point. It is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.
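The following C program is an added example, not code from the slides, that puts the "Controlling Buffer Overflow" advice above into practice for the 8-byte username field from the example slide. It shows a bounded copy with the contract the slides attribute to strlcpy (at most size-1 bytes, always null-terminated) implemented portably, sizeof taken on the real array rather than on a pointer parameter, and a check that makes the strncpy hazard visible: when the source fills the buffer, strncpy leaves no terminating null. The struct, the function names and the sample usernames are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_SIZE 8   /* the slide's 8-byte username field */

/* Constructed record laid out the way the Memory Allocation slides describe:
   the field right after the username is the first thing an overflow would clobber. */
struct login_record {
    char username[USERNAME_SIZE];
    int  is_admin;
};

/* Portable bounded copy with the contract the slides give for strlcpy:
   copies at most dst_size - 1 bytes and always writes a terminating NUL.
   Returns strlen(src) so the caller can detect truncation (like strlcpy). */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

static struct login_record current;   /* example state for the demo */

/* Stores input into the fixed-size field. sizeof is applied to the array
   member itself; applied to a char* parameter it would yield the pointer size.
   Returns 1 if the whole name fit, 0 if it had to be truncated. */
int store_username(const char *input)
{
    current.is_admin = 0;
    size_t len = bounded_copy(current.username, sizeof current.username, input);
    return len < sizeof current.username;
}

const char *stored_username(void) { return current.username; }
int stored_is_admin(void) { return current.is_admin; }

/* Demonstrates the strncpy hazard from the slide: if src has at least
   sizeof(buf) characters, strncpy writes no terminating NUL at all.
   Returns 1 if the copied buffer contains a NUL, 0 if it does not. */
int strncpy_leaves_terminator(const char *src)
{
    char buf[USERNAME_SIZE];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    const char *names[] = { "alice", "0123456789" };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        int fit = store_username(names[i]);
        printf("%-12s -> stored \"%s\" (%s), strncpy terminated: %s\n",
               names[i], stored_username(), fit ? "fit" : "truncated",
               strncpy_leaves_terminator(names[i]) ? "yes" : "no");
    }
    return 0;
}
```

Running it shows "0123456789" stored as "0123456" with is_admin untouched, while the strncpy check reports that the same input leaves the 8-byte buffer unterminated, which is exactly the over-read the slide describes.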
Integer Overflow I

An integer overflow is the condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it.

Integer Overflow II

Example: if the word size is 8 bits (one byte), the unsigned integer values it accepts are between 0 and 255.

    unsigned byte c, d;

If c = 200 (11001000) and d = 100 (01100100), then c + d = 300 (00000001 00101100), which is more than the maximum value 255 (11111111), so the higher byte will be rejected and c + d will be read as 300 mod 256 = 44.

Integer Overflow III

Example:

    int a = 20000, b = 30000, c;   // int values range from -32768 to +32767
    c = a + b;                     // c's value exceeds +32767

Malicious Code - Malware

Malicious code comes in many forms under many names. In this part we explore three of the most popular forms: viruses, Trojan horses, and worms. Malicious code, rogue programs or malware (short for MALicious softWARE) is the general name for programs planted by a program's writer or distributor with malicious intent to cause unanticipated or undesired effects.

Viruses

A virus is a program that can replicate itself and pass on malicious code to other non-malicious programs by modifying them. A virus can be either transient or resident. A transient virus depends on the life of its host; it runs and terminates with it. (During its execution, the transient virus may spread its infection to other programs.) A resident virus locates itself in memory; it can then remain active or be activated as a stand-alone program, even after its attached program ends.

Worms

A worm is a program that spreads copies of itself through a network. Worm programs, sometimes called "crawlers", seek out machines on which they can install small pieces of code to gather data; a bot is one example.
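The C program below is an added example, not code from the slides, that works through the two integer overflow slides above: the 8-bit unsigned sum 200 + 100 that wraps to 44, and the 16-bit signed sum 20000 + 30000 that exceeds +32767. Beside each wrapping computation it shows the check a defender would write instead, performed before the narrow addition so that the result is refused rather than silently wrapped. The result struct and the function names are constructed for this example; the fixed-width types come from the standard header stdint.h.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed result type: ok == 0 means the operation would overflow. */
struct checked {
    int  ok;
    long value;
};

/* What the hardware does on the slide: the sum is formed in a wider register,
   then the high byte is discarded when stored into 8 bits (300 mod 256 == 44). */
uint8_t add_u8_wrapping(uint8_t c, uint8_t d)
{
    return (uint8_t)(c + d);
}

/* Checked 8-bit unsigned add: detect the overflow and refuse instead of wrapping.
   The comparison is rearranged so that it can never overflow itself. */
struct checked add_u8_checked(uint8_t c, uint8_t d)
{
    struct checked r = { 0, 0 };
    if (c > UINT8_MAX - d)          /* c + d would exceed 255 */
        return r;
    r.ok = 1;
    r.value = c + d;
    return r;
}

/* Checked 16-bit signed add for the slide's int range -32768..+32767.
   Signed overflow is undefined behaviour in C, so the test is done in a wider
   type before any 16-bit addition takes place, never on the wrapped result. */
struct checked add_i16_checked(int16_t a, int16_t b)
{
    struct checked r = { 0, 0 };
    long sum = (long)a + (long)b;
    if (sum > INT16_MAX || sum < INT16_MIN)
        return r;
    r.ok = 1;
    r.value = sum;
    return r;
}

/* What storing 50000 into a 16-bit int yields on a two's-complement machine:
   50000 - 65536 == -15536. Converting an out-of-range value to a signed type is
   implementation-defined in C, which is one more reason to check first. */
int16_t store_i16_wrapping(long sum)
{
    return (int16_t)sum;
}

int main(void)
{
    struct checked r8  = add_u8_checked(200, 100);
    struct checked r16 = add_i16_checked(20000, 30000);
    printf("200 + 100 as uint8_t: wraps to %u, checked ok=%d\n",
           add_u8_wrapping(200, 100), r8.ok);
    printf("20000 + 30000 as int16_t: stores as %d, checked ok=%d\n",
           store_i16_wrapping(50000L), r16.ok);
    return 0;
}
```

The wrapping helpers exist only to make the slide's arithmetic visible; production code should use the checked forms (or the compiler's overflow-checking builtins where available) so that a size computed from attacker-controlled input cannot wrap to a small value before it is used to allocate or index a buffer.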
Bot

A bot (short for robot) is a kind of worm used in vast numbers by search engine hosts like Bing and Google, so it is not necessarily malicious. Bots run on any computer on which they can install themselves. Their purpose is to scan accessible web content continuously and report back to their controller any new content they have found. In this way, the agents find new pages, enabling the search engines to return these results in response to individuals' queries.

A zombie is a computer that is controlled by external entities, so that it behaves like a zombie.

Trojan Horse

A Trojan horse is a program with a benign apparent effect that hides a malicious effect.

Example: consider a login script that solicits a user's identification and password, passes the identification information on to the rest of the system for login processing, but also retains a copy of the information for later, malicious use. In this example, the user sees only the login occurring as expected, so there is no reason to suspect that any other, unwelcome action took place.

Other Malicious Code

The main aspects of malicious code infections:

- harm: how they affect users and systems
- transmission and propagation: how they are transmitted and replicate
- activation: how they gain control and install themselves so that they can reactivate
- stealth: how they hide to avoid detection

Malicious code can be divided into three categories:

1. Nondestructive. Examples of behavior are sending a funny message or flashing an image on the screen; it may include virus hoaxes.
2. Destructive. This type of code corrupts files, deletes files, damages software, or executes commands to cause hardware stress or breakage.
3. Commercial or criminal intent.
An infection of this type tries to take over the recipient's computer, installing code to allow a remote agent to cause the computer to perform actions on the agent's signal or to forward sensitive data to the agent.

Transmission and Propagation I

How malicious code is transmitted and replicates, and how it causes further transmission:

1. Setup and installer program transmission (attached file).
2. Autorun.

Kinds of virus attachment:

1. Appended viruses: the virus performs its task and then transfers control to the original program. Typically, the user is unaware of the effect of the virus if the original program still does all that it used to.

Transmission and Propagation II

2. Viruses that surround a program: the virus runs the original program but has control before and after its execution. A virus writer might want to prevent the virus from being detected. For example, the virus writer creates an executable file, names it with an inappropriate extension, and sends it to the victim, describing it as a picture or a necessary code add-in or something else desirable. The unwitting recipient opens the file and, without intending to, executes the malicious code.
3. Integrated viruses: the malicious code can replace an entire target. In this case, the user may perceive the loss of the original program.

Transmission and Propagation III

Countermeasures I

Countermeasures for users (user vigilance):

- Use only commercial software acquired from reliable, well-established vendors.
- Test all new software on an isolated computer.
- Open attachments only when you know them to be safe.
- Recognize that any web site can be potentially harmful.
- Make and retain backup copies of executable system files.
- Install anti-virus software.
Countermeasures II

For developers: penetration testing for security. Penetration testing is a strategy often used in computer security. Sometimes it is called ethical hacking, because it involves the use of a team of experts trying to crack the system being tested (as opposed to trying to break into the system for unethical reasons). With this knowledge, the team attempts to identify and exploit the system's particular vulnerabilities.

Countermeasures III

Virus detectors: virus scanners are tools that look for signs of malicious code infection. Virus detectors are powerful but not all-powerful. Tools need to be updated frequently with new patterns (signatures).

Virus signatures: a virus cannot be completely invisible. Code must be stored somewhere, and must be in memory to execute. A virus executes in a particular way, using certain methods to spread. Each of these characteristics yields a pattern, called a signature. The virus's signature is important for virus scanners.
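To make the "Countermeasures III" point concrete, the C program below is an added example, not code from the slides, of the simplest kind of signature scanner: an exact byte-sequence search over a file image against a table of patterns. It also shows why the slide says tools must be updated frequently: the same sample is missed with the old pattern table and caught once the table gains the new entry. The patterns, table versions and sample "files" are all constructed and harmless stand-ins; real scanner databases use far longer, curated patterns and additional techniques beyond byte matching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A signature: a name and the byte pattern the scanner looks for. */
struct signature {
    const char          *name;
    const unsigned char *pattern;
    size_t               len;
};

/* Scan data against every signature in the table. Returns the index of the
   first signature whose pattern occurs anywhere in the data, or -1 if none does. */
int find_signature(const unsigned char *data, size_t data_len,
                   const struct signature *sigs, size_t nsigs)
{
    for (size_t s = 0; s < nsigs; s++) {
        size_t plen = sigs[s].len;
        if (plen == 0 || plen > data_len)
            continue;
        for (size_t i = 0; i + plen <= data_len; i++) {
            if (memcmp(data + i, sigs[s].pattern, plen) == 0)
                return (int)s;
        }
    }
    return -1;
}

/* Constructed, harmless byte patterns standing in for real signatures. */
static const unsigned char PATTERN_A[] = { 'D', 'E', 'M', 'O', '-', 'A' };
static const unsigned char PATTERN_B[] = { 0x4D, 0x5A, 'D', 'E', 'M', 'O', '-', 'B' };

/* Two versions of the pattern table: v2 is v1 after a signature update. */
static const struct signature TABLE_V1[] = {
    { "demo-a", PATTERN_A, sizeof PATTERN_A },
};
static const struct signature TABLE_V2[] = {
    { "demo-a", PATTERN_A, sizeof PATTERN_A },
    { "demo-b", PATTERN_B, sizeof PATTERN_B },
};

/* Constructed sample "files" to scan (sizeof on the string literals includes
   the trailing NUL, which demo_scan excludes). */
static const unsigned char SAMPLE_CLEAN[] = "an ordinary text file with nothing unusual";
static const unsigned char SAMPLE_A[]     = "prefix DEMO-A suffix";
static const unsigned char SAMPLE_B[]     = { 'h', 'd', 'r', 0x4D, 0x5A,
                                              'D', 'E', 'M', 'O', '-', 'B', 0x00, 0x01 };

/* Wrapper over the constructed data: sample 0 = clean, 1 = A, 2 = B;
   table_version 1 or 2. Returns the matched signature index or -1. */
int demo_scan(int sample, int table_version)
{
    const unsigned char *data;
    size_t len;
    switch (sample) {
    case 0:  data = SAMPLE_CLEAN; len = sizeof SAMPLE_CLEAN - 1; break;
    case 1:  data = SAMPLE_A;     len = sizeof SAMPLE_A - 1;     break;
    default: data = SAMPLE_B;     len = sizeof SAMPLE_B;         break;
    }
    if (table_version == 1)
        return find_signature(data, len, TABLE_V1, sizeof TABLE_V1 / sizeof TABLE_V1[0]);
    return find_signature(data, len, TABLE_V2, sizeof TABLE_V2 / sizeof TABLE_V2[0]);
}

int main(void)
{
    const char *labels[] = { "clean", "sample-a", "sample-b" };
    for (int v = 1; v <= 2; v++) {
        for (int s = 0; s < 3; s++) {
            int hit = demo_scan(s, v);
            printf("table v%d, %-8s: %s\n", v, labels[s],
                   hit < 0 ? "no match" : (v == 1 ? TABLE_V1 : TABLE_V2)[hit].name);
        }
    }
    return 0;
}
```

Sample B is missed by table v1 and detected by table v2, which is the whole argument for frequent pattern updates; the clean sample matches nothing in either table, and that absence of false positives is as much a requirement of a scanner as catching what it knows.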