Chapter 3 (Part 2)Network SecurityChapter 3 – Program Security

Section 3.4 Targeted Malicious CodeSection 3.5 Controls Against Program

Threats

In this SectionProgram Threats

TrapdoorsSalami AttackPrivilege EscalationMan-in-the-MiddleCovert Channels

Controls Against Program ThreatsModularityMutual SuspicionHazard Analysis

Targeted Malicious CodeSo far looked at code written to affect users

and machines indiscriminatelyTargeted Malicious Code – written for a

particular system or application with a particular purpose

Similar to viruses but with the addition of new techniques

TrapdoorTrapdoor – an undocumented entry point to a module.

Inserted for code development“Hooks” to add additional future enhancements

Can be legitimate or non-legitmateSoftware Testing

Unit TestingIntegration TestingStubs and Drivers – routines that inject information

during testing Control Stubs – used to invoke debugging codeAccidently left in placePoor Error Checking

TrapdoorsPoorly defined Data

Incomplete MediationUndefined Opcodes – instructions that have

not been defined for the processorTrapdoors can be useful

Software audits may request trapdoors to be inserted

Trap doors should always be documented.

Causes of TrapdoorsForgot to removeIntentionally for TestingIntentionally left for maintenanceIntentionally left for covert means of

access

Trapdoors are not bad. They are not faults until the trapdoor is not shut.

A system is not secure if a trapdoor is present but unknown by others

Salami AttackNamed after the way scrap meat is used to form salamiSalami Attack – merges seemingly inconsequential

bits of data to yield something important Classic Salami Attacks

Missing ½ centMissing percentageTaking a bit from a bunchCharging higher fees

Why do they happen?Sometimes programmers just except small errorsCode many times it to large to look for salami type errors

RootkitsRootkit – is a piece of malicious code that

goes to great lengths not to be discoveredIf discovered tries to reestablish itselfTries to run itself as “root” on the system

(UNIX administrator)Resides between user and OSIntercepts commands in order to keep itself

hiddenRootkit Revealer – program written to reveal

rootkitsXCP rootkit – used to help prevent copying of

music

OthersPrivilege Escalation-Attack is a means for

malicious code to be launched by a user with lower privileges but run with higher privileges

Interface Illusions - spoofing an attack in which all or part of a web page is false

Keystroke Logging – keeps a copy of everything pressed

Man-in-the-Middle Attack- Malicious program exists between tow programs

Timing Attack – identify how fast something happens

Covert ChannelsCommunication information to people/systems

that should not have itUnnoticed communication and accompanies

other informationData written to a drive, sent across a network,

placed in a file or printoutStorage Channel – passes information based on

presence or non-presence of dataFile lock Channel – lock or non-lock of fileTiming Channels – varying speed in system or

not using assigned computational time

Controls Against Program ThreatsDevelopment of Controls

Specify the systemDesign the systemImplement the systemTest the systemReview the system at various stagesDocument the systemManage the systemMaintain the systems

Typically it is not one person that does all of these

Designing Secure and Usable SystemsYou can’t retrofit usable securityTools aren’t a solutionMin the upper layersKeep the customers satisfiedThink Locally; act locally

ModularitySmall self-contained unitsModularity

IsolatesHides

Keep it isolated from the effects of other components

Encapsulation – is isolationInformation Hiding – each component

hides its precise implementation of some other design decision from others.

ModularizationProcess of dividing into subtasksGoal of Modular Units

Single-purposeSmallSimpleIndependent

Advantages of ModularityMaintenanceUnderstandabilityReuseCorrectnessTesting

ModularityHigh Cohesion

All the elements of a component have a logical and functional reason for being there

Low CouplingThe degree with which a component depends

on other components in the system Encapsulation – does not mean complete

isolationInformation Hiding – a “black box” approach

Mutual SuspicionPrograms are not always trustworthyMutual suspicion – each program operates

as if other routines in the system were malicious or incorrect

Confinement – program is strictly prohibited in what system resources can be accessed

Peer ReviewsPeer reviewHazard analysisTestingGood design PredictionsStatic analysisConfiguration managementAnalysis of mistakes

Types of Peer ReviewReview- presented formallyWalk-Through – creator leads and controls

the discussionInspection – formal detailed analysis Finding a fault and dealing with it:

By learning how, when, and why errors occurBy taking action to prevent mistakesBy scrutinizing products to find the instances

and effects of errors that were missed.

Hazard Analysis/Testing Hazard Analysis – set of systematic techniques to expose potentially

hazardous system states. Hazards and Operability Studies Failure Modes and effects analysis Fault tree analysis

Testing Unit Testing Integration Testing Function Testing Performance Testing Acceptance Testing Installation Testing Regression Testing Black-box Testing Clear-box Testing Independent Testing Penetration Testing

Good DesignUsing a philosophy of fault toleranceHaving a consistent policy for handling

failuresCapturing the design rationale and historyUsing design patterns

Passive fault detection – waiting for a system to fail

Active fault detection – construct a system that reacts to a failure

Good DesignHandling Problems

Retrying – restoring the system to previous state and try again

Correcting – resorting the system to previous state and correcting some system characteristic before trying again

Reporting – restoring and reporting but not trying again

Configuration ManagementWho is making the changes

Corrective changeAdaptive changePerfective changePreventive change

Configuration Management – is the process by which we control changes during development and maintenanceConfiguration identificationConfiguration control and change managementConfiguration auditingStatus accounting