Computer Security Lecture Notes PDF
Summary
These lecture notes cover various aspects of computer security from a technical point of view. Topics like viruses, worms, and denial-of-service attacks are discussed. The document also touches upon different security aspects such as detection mechanisms and security measures.
Full Transcript
Quine -- a program that reproduces its own source code (self-replicating/reproducing/copying)
Self-modifying code -- used by programs that do not want to reveal their presence; also used in certain attacks, such as buffer overflows
Self-modifying code, interpreted languages -- edit the source code
Mobile malcode -- malicious programs which spread from machine to machine without the consent of the owners/operators/users
Trapdoors (back doors) -- secret entry point into a program; allows those who know it to bypass the usual security procedures
Logic bomb -- one of the oldest types of malicious software; code embedded in a legitimate program that runs its payload when a specified condition is met
Trojan horse -- programs that appear to have one function but actually perform another
Modern Trojan horse -- resembles a program that the user wishes to run
Zombie -- program which secretly takes over another networked computer
Virus -- a piece of code that inserts itself into a host, including operating systems, in order to propagate
Dormant phase -- waiting on a trigger event
Propagation phase -- replicating to programs/disks
Triggering phase -- activated by an event to execute the payload
Propagation mechanism -- the method by which the virus spreads itself (one of the two components of a virus, the other being the payload)
File viruses -- infect executable files: .com, .exe, .bat (macro viruses, by contrast, live in documents such as Word files and run via the application's macro language)
System sector viruses -- infect control sectors on a disk
Partition (MBR) sector viruses -- system sector viruses that spread easily via floppy disk infections
Companion viruses -- create a .com file for each .exe file; since DOS runs NAME.COM before NAME.EXE when given a bare name, the virus runs first
Cluster viruses -- change the DOS directory info so that directory entries point to the virus code instead of the real program
Polymorphic viruses -- change with each infection
Control flow permutations -- attempt to defeat scanners
Virus writing toolkits -- have been created to simplify the creation of new viruses
Scanning -- depends on prior knowledge of a virus (a signature)
Integrity checking -- read the entire disk and record integrity data that acts as a signature for the files and system sectors; use a cryptographic hash rather than a simple checksum, since a simple checksum can be kept unchanged by an attacker who modifies the file
Interception -- monitoring for system-level routines that perform destructive acts; good for detecting logic bombs and Trojan horses
Pakistani Brain virus -- first PC virus; written by two Pakistani brothers to protect their copyright
Chernobyl (CIH) -- destructive virus designed to inflict harm
Flash BIOS overwrite (Chernobyl) -- would cause permanent hardware damage to vulnerable motherboards
Melissa -- early macro virus
Worms -- autonomous, active code that can replicate to remote hosts without any triggering
Metaserver -- a server holding information about other servers, which a worm can query to find targets
Game metaserver -- used to attack a small population
Topological information -- use information found locally on the infected host to find new targets
Passive worms -- wait for information about other targets rather than scanning for them
Self-carried -- the worm transmits itself as part of the infection process
Human activation -- needs social engineering, especially for email worms
None/nonfunctional payload -- most common; can still have significant effects through traffic and machine load
Internet remote control payload -- Code Red II opened a backdoor on victim machines: anyone with a web browser could execute arbitrary code
Morris -- first major autonomous worm; attacked multiple vulnerabilities
Code Red -- first recent "fast" worm; the 2nd wave infected 360,000 servers in 14 hrs
CRClean -- unreleased anti-Code Red worm
Nimda -- local subnet scanning
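Why the notes insist on a cryptographic hash rather than a simple checksum for integrity checking, as an added Python example (not code from the lecture notes): the "files" are constructed byte strings standing in for a disk scan, the additive 16-bit checksum and the infect_preserving_checksum helper are illustrative constructions written for this example, and SHA-256 stands in for whatever cryptographic hash a real checker would use.

```python
import hashlib

# Constructed stand-ins for files found during a disk scan (not real binaries).
CLEAN_FILES = {
    "COMMAND.COM": b"MZ\x90\x00 original command interpreter code",
    "NOTES.TXT": b"quarterly report draft",
}


def simple_checksum(data: bytes) -> int:
    """Additive 16-bit checksum: the 'simple checksum' the notes warn against."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic integrity data: a collision-resistant hash of the content."""
    return hashlib.sha256(data).hexdigest()


def record_baseline(files: dict) -> dict:
    """First pass of an integrity checker: record both kinds of integrity data per file."""
    return {name: (simple_checksum(d), sha256_hex(d)) for name, d in files.items()}


def infect_preserving_checksum(host: bytes, payload: bytes) -> bytes:
    """Illustrative infector (constructed for this example): append a payload, then
    append filler bytes chosen so the additive checksum equals that of the clean host."""
    infected = host + payload
    delta = (simple_checksum(host) - simple_checksum(infected)) & 0xFFFF
    filler = bytearray()
    while delta:                        # each filler byte contributes at most 0xFF
        step = min(delta, 0xFF)
        filler.append(step)
        delta -= step
    return infected + bytes(filler)


def check(files: dict, baseline: dict) -> dict:
    """Later pass: compare current content against the recorded integrity data."""
    verdicts = {}
    for name, data in files.items():
        cs, digest = baseline[name]
        verdicts[name] = {
            "checksum": "ok" if simple_checksum(data) == cs else "modified",
            "sha256": "ok" if sha256_hex(data) == digest else "modified",
        }
    return verdicts


def demo() -> dict:
    """Record a baseline, infect one file while keeping its checksum intact, re-check."""
    baseline = record_baseline(CLEAN_FILES)
    current = dict(CLEAN_FILES)
    current["COMMAND.COM"] = infect_preserving_checksum(
        CLEAN_FILES["COMMAND.COM"], b"<constructed virus payload>")
    return check(current, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} checksum={verdict['checksum']:8s} sha256={verdict['sha256']}")
```

The checksum verdict for COMMAND.COM stays "ok" after infection because the infector can always solve for filler bytes that cancel its own contribution; no such shortcut exists for the hash, so the SHA-256 verdict flips to "modified". The baseline itself must of course be stored where the malware cannot rewrite it (read-only media or a signed store), otherwise either method can be defeated by updating the recorded values.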
Scalper -- released 10 days after the vulnerability was revealed
Slammer -- spread worldwide in 10 minutes
Stuxnet -- a sophisticated computer worm discovered in 2010, aimed at SCADA systems
SCADA systems (Stuxnet) -- specifically designed to target Siemens Step 7 software
Fred Cohen -- first documented work with viruses
Len Adleman -- coined the term "virus"
Virus (Cohen's definition) -- a program that can infect other programs by modifying them to include a version of itself
Early mail virus -- one of the earliest viruses that propagated automatically when an infected attachment was executed
Morris worm -- best known classic worm
Robert Morris -- released the Morris worm
Quishing -- a threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content
Quishing (goal) -- to steal sensitive information, such as passwords, financial data, or personally identifiable information, and use it for other purposes, such as identity theft, financial fraud, or ransomware
Denial of Service attack -- an explicit attempt by attackers to prevent legitimate users of a service from using that service
Denial of Service attacks -- point-to-point network denial of service
Smurf -- distributed denial of service attack: ICMP echo requests are sent to broadcast addresses with the victim's address spoofed as the source, so every host that answers amplifies the flood against the victim
Threat model -- taxonomy from CERT
Slashdot effect -- occurs when a popular website links to a smaller website, causing a massive increase in traffic (an unintentional denial of service)
Status -- DoS attacks are increasing in frequency, severity and sophistication
DNS query attacks -- were responsible for the vast majority of overall DDoS attacks
Software and computer services -- the most attacked industry in 2023, comprising 36% of all attacks
Flooding attacks -- point-to-point attacks
Distributed attacks -- hierarchical structures
Corruption attacks -- application/service specific
Attack using Trin00 -- scan for known vulnerabilities, compromise hosts, then attack with UDP traffic
Spoofed source address -- random source addresses in attack packets
Subnet spoofed source address -- random address from the address space assigned to the agent machine's subnet
En route spoofed source address -- address spoofed en route from the agent machine to the victim
Valid source address -- used when the attack strategy requires several request/reply exchanges between an agent and the victim machine
Attack rate dynamics -- how the agent machine paces the stream of packets it sends to the victim
Constant rate -- attack packets generated at a constant rate, usually as many as resources allow
Variable rate -- the rate is varied to delay or avoid detection and response
Increasing rate -- a gradually increasing rate causes a slow exhaustion of the victim's resources
Fluctuating rate -- occasionally relieves the effect; the victim experiences periodic service disruptions
SYN flooding attack -- takes advantage of the three-way handshake: each SYN makes the server start a "half-open" connection; with spoofed sources the final ACK never arrives, so half-open entries build up until the backlog queue is full and all additional connection requests are dropped
Point-to-point -- one sender, one receiver
Reliable, in-order byte stream -- no "message boundaries"
Pipelined -- TCP congestion and flow control set the window size
Full duplex data -- bi-directional data flow in the same connection
Connection-oriented -- handshaking (exchange of control messages) initialises sender and receiver state before data exchange
Flow controlled -- the sender will not overwhelm the receiver
Passive RST -- transmitted upon arrival of a packet at a closed port (usually by servers)
Active RST -- initiated by the client to abort a TCP connection
Intrusion -- a set of actions aimed at compromising the security goals
Intrusion detection -- the process of identifying and responding to intrusion activities
Intrusion prevention -- extension of ID that exercises access control to protect computers from exploitation
Features -- capture intrusion evidence
Models -- piece the evidence together
Misuse detection -- (AKA signature-based) matches activity against patterns of known attacks
Anomaly detection -- (AKA statistical-based) flags deviation from a learned baseline of normal behaviour
Host-based IDSs -- use OS auditing mechanisms
Network IDSs -- deploy sensors at strategic locations
Firewall -- active filtering
Network IDS -- passive monitoring
Adaptive -- detect new intrusions
Scenario-based -- correlate (multiple sources of) audit data and attack information
Cost-sensitive -- model cost factors related to intrusion detection

Uses of quines
- Hide code to prevent reverse engineering
- Evade detection by virus/spyware scanning software

Self-modifying code
- Interpreted languages -- edit the source code
- Compiled languages -- binary-edit the compiled code

Virus phases
- Dormant
- Propagation
- Triggering
- Execution
- Exploiting features/weaknesses

Two primary components (anatomy of a virus)
- Propagation mechanism
- Payload

Virus detection
- Scanning
- Integrity checking
- Interception
- Combination of all three

Major worms
- Morris
- Code Red
- CRClean
- Nimda
- Scalper
- Slammer

Passive worms
- CRClean
- Anti-Code Red II worms
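The half-open backlog exhaustion described under SYN flooding, as an added simulation in Python (not code from the notes): a toy listener tracks half-open connections up to a fixed backlog, a constant-rate flood of SYNs from random spoofed sources never completes the handshake, and one legitimate client per second tries to connect. The same listener can be switched to a simplified SYN-cookie mode that stores no state and instead encodes the handshake in the sequence number it returns. BACKLOG, HALF_OPEN_TIMEOUT, the attack rate, COOKIE_SECRET and the cookie construction are assumptions chosen for this example, not parameters of any real TCP stack.

```python
import hashlib
import hmac
import random

BACKLOG = 128            # assumed: half-open entries the listener is willing to hold
HALF_OPEN_TIMEOUT = 30   # assumed: seconds before a half-open entry is reclaimed
COOKIE_SECRET = b"constructed-server-secret"   # constructed; real stacks rotate this


class TcpListener:
    """Toy model of a listening socket's handshake state (not a real TCP stack)."""

    def __init__(self, syn_cookies: bool = False):
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (src_ip, src_port) -> (our_isn, expiry_time)
        self.dropped_syns = 0
        self.established = 0

    def _cookie(self, src, t: int) -> int:
        # Simplified SYN cookie: keyed hash of the peer and a coarse time slot, so the
        # final ACK can be verified without having stored anything per connection.
        msg = f"{src[0]}:{src[1]}:{t // 60}".encode()
        return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, t: int) -> None:
        self.half_open = {s: e for s, e in self.half_open.items() if e[1] > t}

    def on_syn(self, src, t: int):
        """Handshake step 1. Return the ISN sent in the SYN-ACK, or None if dropped."""
        self._expire(t)
        if self.syn_cookies:
            return self._cookie(src, t)              # no per-connection state kept
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1                   # backlog full: new SYNs die here
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = (isn, t + HALF_OPEN_TIMEOUT)
        return isn

    def on_ack(self, src, acked_isn: int, t: int) -> bool:
        """Handshake step 3. Return True if the connection becomes established."""
        if self.syn_cookies:
            # Accept the current and previous time slot to tolerate a slot boundary.
            if acked_isn in (self._cookie(src, t), self._cookie(src, t - 60)):
                self.established += 1
                return True
            return False
        entry = self.half_open.pop(src, None)
        if entry is not None and entry[0] == acked_isn:
            self.established += 1
            return True
        return False


def simulate(syn_cookies: bool, attack_rate: int = 50, seconds: int = 20, seed: int = 1) -> dict:
    """Constant-rate SYN flood from random spoofed sources (which never ACK) plus one
    legitimate client per second that completes the handshake immediately."""
    rng = random.Random(seed)
    srv = TcpListener(syn_cookies)
    legit_ok = 0
    for t in range(seconds):
        for _ in range(attack_rate):
            spoofed = (rng.getrandbits(32), rng.randrange(1024, 65536))   # random 32-bit address
            srv.on_syn(spoofed, t)                   # spoofed source: no ACK ever returns
        client = ("203.0.113.7", 40000 + t)          # constructed legitimate client
        isn = srv.on_syn(client, t)
        if isn is not None and srv.on_ack(client, isn, t):
            legit_ok += 1
    return {"legit_established": legit_ok, "legit_attempts": seconds,
            "dropped_syns": srv.dropped_syns, "half_open_left": len(srv.half_open)}


if __name__ == "__main__":
    print("backlog only:", simulate(syn_cookies=False))
    print("SYN cookies :", simulate(syn_cookies=True))
```

With a 30 second timeout and 50 spoofed SYNs per second, the 128-entry backlog fills during the third second and every later connection attempt, legitimate or not, is dropped for the rest of the run; the flood costs the attacker nothing but packets because the spoofed sources never hold state. In cookie mode the listener holds no half-open state at all, so the flood has nothing to exhaust and every legitimate client connects. The price of the simplified cookie shown here is that options negotiated in the SYN are lost, which is why real implementations pack the MSS into the cookie and only fall back to cookies once the backlog is under pressure.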
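Misuse (signature-based) and anomaly (statistical) detection side by side, as an added Python example that is not part of the notes: the web-server log lines are constructed, the two signatures are illustrative patterns modelled on the Code Red request and the root.exe backdoor probes mentioned above (not a production rule set), and the anomaly rule is a per-source request-count z-score against a clean baseline window. The point it shows is that the two approaches catch different things: the signature finds a single known request, the statistics find an unknown scanner, and neither alone covers both.

```python
import re
import statistics
from collections import Counter

# Common-log-style line: src ident user [time] "request" status
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')

# Illustrative signatures (constructed for this example, not a production rule set).
SIGNATURES = {
    "code-red-ida-overflow": re.compile(r"GET /default\.ida\?N{20,}"),
    "root-exe-backdoor-probe": re.compile(r"GET /(scripts|msadc)/root\.exe", re.IGNORECASE),
}


def log_line(src: str, path: str, status: int = 200) -> str:
    """Build one constructed log line (the timestamp is fixed and irrelevant here)."""
    return f'{src} - - [19/Jul/2001:10:00:00] "GET {path} HTTP/1.0" {status}'


# Clean baseline window: ordinary browsing, 2-3 requests per source.
BASELINE_LINES = [
    log_line("10.0.0.5", "/index.html"), log_line("10.0.0.5", "/about.html"),
    log_line("10.0.0.6", "/index.html"), log_line("10.0.0.6", "/news.html"), log_line("10.0.0.6", "/logo.gif"),
    log_line("10.0.0.7", "/index.html"), log_line("10.0.0.7", "/logo.gif"),
    log_line("10.0.0.8", "/index.html"), log_line("10.0.0.8", "/about.html"), log_line("10.0.0.8", "/logo.gif"),
]

# Observed window: normal users, one Code Red style request, one root.exe probe,
# and a fast scanner whose requests match no signature.
OBSERVED_LINES = [
    log_line("10.0.0.5", "/index.html"), log_line("10.0.0.5", "/news.html"),
    log_line("198.51.100.9", "/default.ida?" + "N" * 40 + "%u9090%u6858%ucbd3"),
    log_line("10.0.0.9", "/scripts/root.exe?/c+dir", 404),
] + [log_line("192.0.2.44", f"/probe{i}.cgi", 404) for i in range(8)]


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def misuse_detect(records):
    """Signature-based detection: (source, signature name) for every matching request."""
    return [(r["src"], name) for r in records
            for name, pat in SIGNATURES.items() if pat.search(r["req"])]


def anomaly_detect(baseline_records, records, z_threshold: float = 3.0):
    """Statistical detection: sources whose request count in the observed window lies
    more than z_threshold standard deviations above the baseline per-source mean."""
    base_counts = list(Counter(r["src"] for r in baseline_records).values())
    mu = statistics.mean(base_counts)
    sigma = statistics.pstdev(base_counts) or 1.0     # guard against a perfectly flat baseline
    observed = Counter(r["src"] for r in records)
    return {src: n for src, n in observed.items() if (n - mu) / sigma > z_threshold}


def run():
    base, obs = parse(BASELINE_LINES), parse(OBSERVED_LINES)
    return {"misuse": misuse_detect(obs), "anomaly": anomaly_detect(base, obs)}


if __name__ == "__main__":
    result = run()
    print("misuse hits :", result["misuse"])    # Code Red request and root.exe probe
    print("anomaly hits:", result["anomaly"])   # only the scanner, which matched no signature
```

The Code Red request and the root.exe probe are each a single line from their source, so the count-based anomaly rule never sees them, while the scanner's eight probes use paths no signature knows about; a real deployment combines the two and tunes the z-threshold against its own traffic, since a baseline taken during an incident would teach the anomaly detector that the attack is normal.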