Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Mobile Code and Worms
By
Mitun Sinha
Pandurang Kamat
04/16/2003
Mobile Code
And Mobile Code Security
Part I
What is mobile code?
First, What Is Code?
Code is a series of commands, and (usually) contains no or little information.
Code can be executed, and running code most often requires some outside information (data) to work on.
Programs, applications, operating systems, games, calculators, media players, word processors and viruses are examples of code.
Resumes, pictures, videos, music, lists of numbers, and your ex-girlfriend’s social security number are examples of data.
And how is it different from data?
Today we constantly download or make web pages, movies, music and pictures, then send them to friends and family. Data has definitely been successfully mobilized.
If I download Half-life, install and play it on my computer, then FTP it to a friend so he can install and play it*, could we then say that Half-life counts as mobile code?
Enter the Internet
* Legal battle with Sierra sold separately
Mobile code is…
a general term used to refer to processes (executable code) that migrate and execute at remote hosts
any code that is specifically designed to be able to transport itself from one machine to another
Mobile code is…
able to transport itself
fairly autonomous
often platform-independent
code that is moved from one host to another with or without interaction with the user
Examples of mobile code
Java applets and JavaScript
ActiveX controls
Visual Basic macros and scripts
Dynamic e-mail
Viruses, trojan horses, worms
The agents in The Matrix
What is mobile code good for?
Instead of moving large amounts of data around, move the computation to the data.
Add functionality anywhere, anytime
Make distributed systems simpler, more flexible
Natural for network software
Every rose…
What is the problem with mobile code?
SECURITY
Part II
Mobile Code Security
A Tale of Two Problems
Malicious Code Problem
Malicious Host Problem
Malicious Code Problem
Mobile code that arrives at your workstation and intentionally or unintentionally causes you harm
Four attack classes:
– invasion of privacy
– denial of service
– antagonism
– system modification
Example?
Antagonism
– meant to annoy or show off
– no real damage to files or system
– display of unwanted graphics or text
System modification
– deletion of data or system files
– capturing hard drive space, e.g. to host a shareware server
Example?
Invasion of privacy
– read surfing history
– read directory listings
– steal files
Denial of service
– re-aim browser
– stealing CPU cycles
– Web spoofing
Web Spoofing – example
Steal control of the user’s view of the web and simulate normal operation
Classic man-in-the-middle attack
Mobile code is smart
A firewall attempts to “block” Java in HTML by scanning port 80 (the HTTP port) for the <APPLET> tag
JavaScript can dynamically construct the <APPLET> tag once past the firewall
Counter-measures
Microsoft’s security (Yeah right!)
Internet site zones of trust
ActiveX control signing and marking
Macro signing
Attachment warnings
SUN’s JAVA 2 Security
Identity
– Origin
– Signature – not the same as origin!
Policy – set by user (!!) or system administrator (still bad)
Good ol’ Sandboxing
Signatures use a variation of X.509v3
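The identity and policy points on this slide, written out as an added example in Java 2's policy-file syntax (not taken from the slides or from any product); the keystore path, host name, the alias "acme" and the permissions granted are assumed values:

```java
// Where aliases named in signedBy clauses are resolved (assumed path).
keystore "file:/etc/java/trusted.keystore";

// WEAK: what a user who clicks through a "trust this publisher" prompt
// effectively ends up with. No codeBase and no signedBy means this grant
// applies to every piece of mobile code the JVM loads, and AllPermission
// switches the sandbox off entirely.
grant {
    permission java.security.AllPermission;
};

// SCOPED: identity is origin AND signature, and both are checked.
//   codeBase "https://apps.example.com/tools/-" matches code loaded from that
//   directory or any subdirectory ("/*" would match only that directory,
//   and no trailing wildcard only that exact file or jar).
//   signedBy "acme" requires a valid signature by the key stored under that
//   alias; origin alone does not satisfy it, and a signature does not change
//   the origin the code is treated as coming from.
grant codeBase "https://apps.example.com/tools/-", signedBy "acme" {
    // Only the directory the tool needs, not the whole file system.
    permission java.io.FilePermission "${user.home}/Downloads/-", "read,write";
    // Only the host the code was served from.
    permission java.net.SocketPermission "apps.example.com:443", "connect";
};

// Anything not matched above (unsigned code, or "acme"-signed code served from
// some other host) falls back to the default sandbox: no local file access and
// network connections only back to its own origin.
```

The first grant is the one to look for when auditing a deployed policy; a single unqualified AllPermission entry makes every other grant in the file irrelevant.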
Verisign Digital Signing
Trusted third party that allows developers to digitally sign their code
Consumers can feel safe in knowing that signed code is safe and has not been altered or tampered with – IF they trust the third party
Verisign Digital Signing
Verisign works with:
– Microsoft Authenticode and VBA
– Netscape Object Signing
– Sun Java signing
Techniques used include industry-standard cryptographic methods learnt in class, such as RSA and PKI
Questions?