3.2.3.2 Malicious Code
3.2.3.2.3 Anti-Malware Research
Researchers in academia and in the antivirus/antispyware industry are investigating more effective, holistic technological solutions for reducing malicious code threats to software in deployment. Stephen Posniak delivered a presentation entitled Combined Hardware/Software Solutions to Malware and Spam Control [63] to the 2005 Virus Bulletin Conference that provides a reasonable survey of current solutions in this area. The problem of detection and eradication of malicious code embedded in software during its development is also being investigated by several researchers.
From 2002–2003, researchers in the Princeton [University] Architecture Laboratory for Multimedia and Security published the results of their efforts to develop a hardware-based secure return address stack [64] that would prevent malicious code insertions that resulted from buffer overflows, and a runtime execution monitor [65] that would detect and prevent execution of malicious code embedded in operational software.
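The two Princeton mechanisms cited above share one idea: keep a trusted copy of control-flow state somewhere that ordinary program stores cannot reach, and compare against it before transferring control. The following C program is an added example written for this report's readers; it is not code from the Princeton laboratory and is not their design. It models a tiny processor with a secure return address stack (SRAS) alongside the ordinary data stack, and a runtime execution monitor (REM) that records a reference value for each code block at load time and refuses to run a block whose bytes no longer match. The machine model, the function names, the sample instruction bytes and the FNV-1a reference hash are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added example, not the Princeton design itself) of two
 * hardware-side defenses: a secure return address stack (SRAS) and a
 * runtime execution monitor (REM). Names and machine model are assumptions. */

#define SLOTS 16

typedef struct {
    uint32_t data_stack[SLOTS]; /* ordinary stack: locals and return addresses live here */
    int sp;
    uint32_t sras[SLOTS];       /* secure return address stack: no program-visible store path */
    int sras_top;
    int violations;             /* mismatches detected at return */
} cpu_t;

static void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); }

/* CALL: the return address is pushed to both stacks. */
static void cpu_call(cpu_t *c, uint32_t ret_addr) {
    c->data_stack[c->sp++] = ret_addr;
    c->sras[c->sras_top++] = ret_addr;
}

/* RET: the data-stack copy is compared with the SRAS copy. A mismatch means
 * something wrote over the return address slot; it is counted and, in this
 * model, control goes to the trusted SRAS copy instead of the corrupted one. */
static uint32_t cpu_ret(cpu_t *c) {
    uint32_t from_stack = c->data_stack[--c->sp];
    uint32_t from_sras  = c->sras[--c->sras_top];
    if (from_stack != from_sras) {
        c->violations++;
        return from_sras;
    }
    return from_stack;
}

/* A program store to a data-stack slot. The only thing a stack buffer
 * overflow can do in this model is land such a store on the wrong slot;
 * nothing can store into the SRAS. */
static void cpu_stack_store(cpu_t *c, int slot, uint32_t value) {
    c->data_stack[slot] = value;
}

/* One call into a callee that owns a single local slot. With overflow != 0
 * the callee's write runs past its local and reaches the return slot. */
static uint32_t run_function(cpu_t *c, int overflow) {
    cpu_call(c, 0x1000);                 /* return slot is data_stack[0] */
    c->sp += 1;                          /* callee reserves data_stack[1] for a local */
    cpu_stack_store(c, 1, 0x12345678);   /* in-bounds write to the local */
    if (overflow)
        cpu_stack_store(c, 0, 0xdeadbeef); /* out-of-bounds write hits the return slot */
    c->sp -= 1;                          /* callee releases its frame */
    return cpu_ret(c);
}

int sras_clean_violations(void)    { cpu_t c; cpu_init(&c); run_function(&c, 0); return c.violations; }
int sras_overflow_violations(void) { cpu_t c; cpu_init(&c); run_function(&c, 1); return c.violations; }
uint32_t sras_overflow_target(void){ cpu_t c; cpu_init(&c); return run_function(&c, 1); }

/* --- Runtime execution monitor: integrity check per code block --- */

typedef struct {
    uint8_t code[8];   /* the block's instruction bytes (constructed sample) */
    uint32_t ref_hash; /* reference value recorded at load time */
} block_t;

/* 32-bit FNV-1a, chosen here as a simple deterministic reference function. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static void rem_register(block_t *b) { b->ref_hash = fnv1a(b->code, sizeof b->code); }
static int  rem_allows(const block_t *b) { return fnv1a(b->code, sizeof b->code) == b->ref_hash; }

static block_t sample_block(void) {
    block_t b = { { 0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3 }, 0 }; /* constructed bytes */
    rem_register(&b);
    return b;
}

int rem_allows_intact_block(void)   { block_t b = sample_block(); return rem_allows(&b); }
int rem_allows_modified_block(void) { block_t b = sample_block(); b.code[4] = 0xcc; return rem_allows(&b); }

int main(void) {
    printf("SRAS, clean run: %d violation(s)\n", sras_clean_violations());
    printf("SRAS, overflowed return slot: %d violation(s), control goes to 0x%x\n",
           sras_overflow_violations(), sras_overflow_target());
    printf("REM: intact block allowed=%d, modified block allowed=%d\n",
           rem_allows_intact_block(), rem_allows_modified_block());
    return 0;
}
```

The point the model makes is the one the cited papers rely on: the SRAS catches the corruption because the corrupting store had no path to the trusted copy, and the REM catches modified code because the reference value was fixed before the code became reachable by the program. A real implementation has to decide what to do on a mismatch (fault, halt, or recover from the trusted copy); this model recovers, which is only one of those choices.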
More recently, the Function Extraction for Malicious Code (FX/MC) project [66] within the Survivable Systems Engineering group at the Carnegie Mellon University Software Engineering Institute (CMU SEI) has applied formal methods and function theory to the problem of performing automated calculations of program behaviors to define behavior signatures, with the goal of obtaining precise information on structure and functionality of malicious code so that anti-malware strategies can be more effectively tailored. The SEI researchers intend for the core FX technology to be more widely applicable to the analysis of software, e.g., for the detection of errors and vulnerabilities, and for the validation of the “goodness” of authentication, encryption, filtering, and other security functions implemented by software.
Researchers in New Mexico Tech’s IA Center of Excellence are researching advanced static analysis techniques for detection of malicious code and analysis of malicious executables.[67]
The Hiding and Finding Malicious Code [68] project at the Johns Hopkins University did not attack the problem of detecting and preventing malicious code head on, but instead investigated techniques for creating and hiding malicious code, with the objective of gaining a better understanding of such techniques in order to enable the creation of more effective malicious code detection measures.
Software Security Assurance State-of-the-Art Report (SOAR) 5 Assumptions and Constraints.5 Assumptions and Constraints.
Section 3 Why is Software at Risk?
A great deal of malicious code research is being done under the larger umbrella of research into security and trustworthiness of electronic and Internet-based voting.
References
15 We have adapted Ross Anderson’s definition of “system” in Ross Anderson, Security Engineering: a Guide to Building Dependable Systems (New York: John Wiley and Sons, 2001). “A software-intensive system is a collection of products or components predominantly implemented in software.” These products/components may include application, data, communications, middleware, and operating system products/components as well as the firmware and hardware products/components of the physical platforms on which those software components are hosted. According to Anderson, a system also includes the people that interact with, oversee, regulate, or otherwise observe the system, and the processes, procedures, policies that govern and influence the operations of the system’s technological and non-technological elements. For purposes of this document, unless otherwise stated, “system” refers to the technological elements of the system, and excludes the non-technological elements.
16 Andy Ozment, “Research Statement” [web page] (Cambridge, UK: University of Cambridge, ca. 2006).
Available from: http://www.cl.cam.ac.uk/~jo262/research.html
17 This is not a new problem. It was documented by Andy Ozment of the University of Cambridge in his research statement, and almost 10 years earlier in virtually identical language by Ed Felten, et al. in Edward Felten and Drew Dean (Princeton University), Secure Mobile Code: Where Do We Go From Here?, in Proceedings of the DARPA Workshop on Foundations for Secure Mobile Code, March 1997.
Felten and Dean wrote, “The market is (for the moment, at least) asking for feature-packed, quickly developed, insecure software. Until the market changes, little progress will be made commercially.”
18 Ryan Naraine, “Paying for Flaws Pays Off for iDefense,” eWeek (March 3, 2005).
Available from: http://www.eweek.com/article2/0,1759,1772418,00.asp
19 Organization for Internet Safety (OIS), “Guidelines for Security Vulnerability Reporting and Response, V2.0” [web page] (Houston, TX: OIS).
Available from: http://www.oisafety.org/guidelines/
20 Robert P. Abbott, et al. (National Bureau of Standards), The RISOS Project: Security Analysis and Enhancements of Computer Operating Systems, interagency report no. NBSIR 76-1041 (Gaithersburg, MD: National Bureau of Standards, April 1976).
21 Carl E. Landwehr, et al., A Taxonomy of Computer Program Security Flaws, With Examples, report no. NRL/FR/5542-93-9591 (Washington, DC: Naval Research Laboratory, November 19, 1993).
Available from: http://chacs.nrl.navy.mil/publications/CHACS/1994/1994landwehr-acmcs.pdf.
Also published in: ACM Computing Surveys 26, no.3 (September 1994).
Available from: http://doi.acm.org/10.1145/185403.185412
22 Bishop’s paper was published only a few months before Taimur Aslam published his master’s dissertation with a nearly identical title: Taimur Aslam, “A Taxonomy of Security Faults in the Unix Operating System” (PhD dissertation, Purdue University, Lafayette, IN, August 1995).
23 Matt Bishop and D.A. Bailey, A Critical Analysis of Vulnerability Taxonomies, tech. report no. CSE-96-11 (Davis, CA: University of California, September 1996).
Available from: http://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-96-11.pdf or http://www.cs.ucdavis.edu/research/tech-reports/1996/CSE-96-11.pdf.
In late 2005, the anonymous author of the “Writing Secure Software” blog published a less formal analysis of the various vulnerability taxonomies in circulation. See “Trusted Consultant, Threat and Vulnerabilities Classification, Taxonomies,” “Writing Secure Software” blog, December 26, 2006.
Available from: http://securesoftware.blogspot.com/2005/12/threat-vulnerabilities-classification.html
24 Wenliang Du and Aditya Mathur, “Categorization of Software Errors That Led to Security Breaches,” in Proceedings of the National Information Systems Security Conference, 1998.
Available from: http://www.cis.syr.edu/~wedu/Research/paper/nissc98.ps
25 “OWASP Top Ten Project” [web page] (Columbia, MD: Open Web Application Security Project).
Available from: http://www.owasp.org/index.php/OWASP_Top_Ten_Project
26 SANS Institute, How to Eliminate the Ten Most Critical Internet Security Threats, Version 1.32 (Bethesda, MD: The SANS Institute, January 18, 2001).
Available from: http://www.sans.org/top20/2000/10threats.doc or http://www.sans.org/top20/2000/10threats.rtf.
In 2004, SANS published a revised version: SANS Top 20 Internet Security Vulnerabilities, Version 5.0 (Bethesda, MD: The SANS Institute, October 8, 2004).
Available from: http://www.sans.org/top20/2004/
27 Frank Piessens (Catholic University of Leuven), A Taxonomy (With Examples) of Software Vulnerabilities in Internet Software, report no. CW 346 (Leuven, Belgium: Catholic University of Leuven, 2002).
Available from: http://www.cs.kuleuven.ac.be/publicaties/rapporten/cw/CW346.abs.html
28 The MITRE Corporation, “CVE: Common Vulnerabilities and Exposures” [website] (Bedford, MA: MITRE).
Available from: http://cve.mitre.org/
29 Fortify Software Inc., “CLASP: Comprehensive, Light Application Security Process” [web page] (Palo Alto, CA: Fortify Software Inc.).
Available from: http://www.fortifysoftware.com/security-resources/clasp.jsp
30 Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, 1st ed. (Emeryville, CA: McGraw-Hill/Osborne, 2005).
31 Katrina Tsipenyuk, Brian Chess, and Gary McGraw, “Seven Pernicious Kingdoms: a Taxonomy of Software Security Errors,” IEEE Security and Privacy 6 (November–December 3, 2005).
Available from: http://vulncat.fortifysoftware.com/docs/tcm_taxonomy_submission.pdf
32 Gary McGraw (Digital), “Software Security: Building Security In,” [website] (Herndon, VA).
Available from: http://www.swsec.com/
33 Sam Weber, Paul A. Karger, and Amit Paradkar, “A Software Flaw Taxonomy: Aiming Tools at Security,” ACM SIGSOFT Software Engineering Notes 4 (July 30, 2005).
Available from: http://portal.acm.org/citation.cfm?id=1082983.1083209&coll=GUIDE&dl=GUIDE&CFID=15151515&CFTOKEN=6184618
34 Herbert Thompson and Scott Chase, The Software Vulnerability Guide (Boston, MA: Charles River Media, 2005).
35 Fortify Software, “Fortify Taxonomy: Software Security Errors” [web page] (Palo Alto, CA: Fortify Software).
Available from: http://www.fortifysoftware.com/vulncat/
36 Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment, Identifying and Preventing Software Vulnerabilities, 1st ed. (Boston, MA: Addison-Wesley Professional, 2006).
37 “OWASP Top Ten Project” [web page], op cit.
38 “CVE” [website], op cit.
39 Steve Christey (MITRE Corporation), PLOVER: Preliminary List of Vulnerability Examples for Researchers, version 0.14 (Bedford, MA: The MITRE Corporation, August 2, 2005).
Available from: http://www.cve.mitre.org/docs/plover/
40 “CWE: Common Weakness Enumeration” [website] (Bedford MA: The MITRE Corporation).
Available from: http://cwe.mitre.org/
41 “OVAL: Open Vulnerability Assessment Language” [website] (Bedford MA: The MITRE Corporation).
Available from: http://oval.mitre.org/
42 “VEDEF: Vulnerability and Exploit Description and Exchange Format” [website] (Amsterdam, The Netherlands: Trans European Research and Academic Networks Association [TERENA] Task Force-Computer Security Incident Response Team [TF-CSIRT]).
Available from: http://www.vedef.org/ or
http://www.secdef.org/vedef/. (As of 2 April 2007, neither of these web sites was accessible, apparently due to reconfigurations in progress.)
43 Algirdas Avizienis, et al., “Basic Concepts and Taxonomy of Dependable and Secure Computing,” IEEE Transactions on Dependable and Secure Computing 1, no. 1 (January–March 2004).
44 GAO, Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risk, report no. GAO-04-678 (Washington, DC: GAO, May 2004).
Available from: http://www.gao.gov/docdblite/summary.php?rptno=GAO-04-678&accno=A10177, and Defense Science Board, Final Report of the Defense Science Board Task Force on Globalization and Security, annex IV of Vulnerability of Essential US Systems Incorporating Commercial Software (Washington, DC: OUSD/AT&L, December 1999).
Available from: http://www.acq.osd.mil/dsb/reports/globalization.pdf
45 Gary Beach, “Offshore Costs,” CIO Magazine (March 1, 2003).
Available from: http://www.cio.com/archive/030103/publisher.html
46 Such foreign employees may be holders of permanent resident green cards or of temporary worker [H1-B], business [B-1], student [F-1], or exchange [J-1] visas. Note that Federal procurement rules, except for those covering national security systems, are not allowed to restrict vendors to employing only US citizens. Nonetheless, since September 11, 2001, immigration restrictions have been imposed that have greatly curtailed the number of foreign workers admitted into the United States from countries whose governments are hostile to the United States. As a result, many firms that used to hire such workers have begun complaining about the negative impact such restrictions are having in terms of the available labor pool and reduced productivity.
47 Navyug Mohnat, “Why ‘India Inside’ Spells Quality,” DataQuest (October 27, 2003).
Available from: http://www.dqindia.com/content/advantage/103102703.asp
48 Defense Science Board, Final Report of the Defense Science Board Task Force on Globalization and Security, op cit.
49 GAO. Offshoring of Services: an Overview of the Issues, report no. GAO-06-5 (Washington, DC: GAO, November 2005).
Available from: http://www.gao.gov/docdblite/summary.php?rptno=GAO-06-5&accno=A42097, and GAO, Offshoring: US Semiconductor and Software Industries Increasingly Produce in China and India, report no. GAO-06-423 (Washington, DC: GAO, September 2006).
Available from: http://www.gao.gov/new.items/d06423.pdf
50 GAO, High-Risk Series (Washington, DC: GAO, January 2007).
Available from: http://www.gao.gov/new.items/d07310.pdf
51 IRC, Hard Problems List, Version 2.0, op cit.
52 James A. Lewis, Foreign Influence on Software Risks and Recourse (Washington, DC: Center for Strategic and International Studies Press, March 2007).
Available from: http://www.csisbookstore.org/index.asp?PageAction=VIEWPROD&ProdID=166
53 Ibid. 20.
54 William Aspray, Frank Mayadas, and Moshe Y. Vardi, eds., Globalization and Offshoring of Software: a Report of the ACM Job Migration Task Force, report no. ACM 0001-0782/06/0200 (New York, NY: Association for Computing Machinery, 2006).
Available from: http://www.acm.org/globalizationreport/
55 Eric Rongley, “Using China for Offshore Software Development,” China Tech News (January 22, 2007).
Available from: http://www.chinatechnews.com/2007/01/22/4882-using-china-for-offshore-software-development-eric-rongley-ceo-of-bleum/, and
“IT Infrastructure and Security” [web page] (North Vancouver, British Columbia, Canada: InnoInco).
Available from: http://www.innoinco.com/how_we_work/infrastructure.html
56 “Data Privacy and Security Concerns in Outsourcing” [web page] “India: Outsource2India.”
Available from: http://www.outsource2india.com/why_india/articles/data_privacy.asp
57 Andrew P. Moore, Robert J. Ellison, and Richard C. Linger (Carnegie Mellon University Software Engineering Institute [CMU SEI]), Attack Modeling for Information Security and Survivability, technical note no. CMU/SEI-2001-TN-001 (Pittsburgh, PA: CMU SEI, March 2001).
Available from: http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf
58 Greg Hoglund and Gary McGraw, “Exploiting Software: How to Break Code,” Chapter 2 (Boston, MA: Addison-Wesley, 2004).
59 Stephen Posniak, “Combined Hardware/Software Solutions to Malware and Spam Control” (paper presented at the Virus Bulletin Conference, October 2003).
Available from: http://csrc.nist.gov/fasp/FASPDocs/network-security/Posniak-VB05.pdf
60 “Virus Bulletin” [website] (Abingdon, Oxfordshire, UK: Virus Bulletin Ltd.).
Available from: http://www.virusbtn.com/
61 “Security relevant” software is a portion of software that (based on system architecture) does not itself function to enforce system security policy but can subvert the enforcement of it.
62 “The Underhanded C Contest” [website] (Binghamton, NY: Binghamton University).
Available from: http://bingweb.binghamton.edu/~scraver/underhanded/ or http://www.brainhz.com/underhanded/
63 Posniak, Combined Hardware/Software Solutions to Malware and Spam Control, op cit.
64 Ruby B. Lee, et al., “Enlisting Hardware Architecture to Thwart Malicious Code Injection,” in Proceedings of the International Conference on Security in Pervasive Computing, March 2003, 237–252.
Available from: http://palms.ee.princeton.edu/PALMSopen/lee03enlisting.pdf
65 A. Murat Fiskiran and Ruby B. Lee, “Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution,” in Proceedings of the International Conference on Computer Design, October 2004: 452–457.
Available from: http://palms.ee.princeton.edu/PALMSopen/fiskiran04runtime.pdf
66 CMU SEI (Pittsburgh, PA), “Function Extraction for Malicious Code (FX/MC)” [web page].
Available from: http://www.cert.org/sse/fxmc.html
67 “Malware Analysis and Malicious Code Detection” [web page] (Socorro: New Mexico Tech Computer Science Department).
Available from: http://www.cs.nmt.edu/research.html#malware
68 Lucas Ballard, et al., Group 2 Report on Hiding Code (November 11, 2005).
Available from: http://www.cs.jhu.edu/~sdoshi/index_files/Task2.pdf