(General purpose) Program security These ideas apply also to OS and DB. Read Chapter 3.
What does it mean for a pgm to be secure? Depends whom you ask.
• Takes a long time to break its security con-trols.
• Has run for 9 weeks with no failure. • Contains no potential security flaw.
A program fault is an unexpected (bad) behav-ior of a pgm Which program is more secure? 1. pgm with 100 faults discovered and fixed. 2. a similar pgm with 20 faults discovered and
Early computer security was “penetrate and patch”.
Not a good solution because:
• narrow focus on a fault ignores the context.
• fault may have nonobvious side effects.
• fixing one problem may cause another.
• fault not fixed because the fixed system wouldn’t work.
A better approach to computer security (via software engineering).
Program security flaw = pgm behavior not what designers intended or users expected. Flaws may be either inadvertent human errors or malicious, intentional flaws.
Unintentional human error are more common than deliberate malicious ones, and they cause more damage.
Computer security terms differ IEEE standard terms: error, fault, failure
Program security is hard and we can’t avoid all flaws because:
• pgms are complicated; it is hard to de-scribe all unexpected behavior. A thm in CS 526 says that it is NP-complete to de-cide whether a program is secure.
• software engineering advances faster than security
But we can still do something and make most programs secure.
Landwehr et al. [1994] classified flaws as:
• Intentional flaws 1. malicious
2. nonmalicious
• Inadvertent errors:
1. validation: incomplete or inconsistent permission check
2. domain: controlled access to data
3. serialization and aliasing: program flow order
4. failed authorization due to bad identifi-cation/authentication
5. boundary condition violation: first or last case failure
Three classic nonmalicious program errors (pre-Internet)
1. Buffer overflows
Memory is finite and so are arrays and strings (buffers).
Example:
int buff[10];
for (i=0; i<10; i++) buff[i]=2;
buff[10]=3;
The last instruction may write 3 into 1. the user’s data
2. the user’s program code 3. another user’s data
4. another user’s program code 5. system data
A malicious attacker who knows about a buffer overflow error in a program he can use may use the error to write malicious code.
Data may become code.
Overflow a stack to change parameters. Example: passwd, browser URL parameter
Control: test after each input character; OS memory protection.
Control: use only string utilities with bounded length.
Control: paging may help: different pages for intructions and data.
2. Incomplete mediation (checking)
Not checking whether input data is valid or in range.
Example: date 17 Jan 2012 okay, 37 Jat 1843 not okay.
Control: check input correctness or use drop-down box.
Example: Ebusiness, order form returns total price, and customer changes it.
3. Time-of-check to time-of-use error. Synchronization problem
Check before use; approve in ”work ticket”; user changes the request in the ticket before the order is executed.
Example: open file (one you may open); after approval, change file name to one you may not open.
Control: copy the ticket so the user can’t ac-cess it.
If it is too big to copy and must remain acces-sible to the user, then save its hash value.
Undocumented access point.
Often added during pgm development for test-ing.
Also called a back door or trap door.
May be added by an intruder who succeeded once.
Integer overflow.
Consider 16-bit unsigned integer case. Max value is 216 − 1 = 65535, so 65535 + 1 = 0. Do not loop until i = 65536 or while i < 65536,
because that will never hold or aways hold. Control: know the limits for each size of inte-ger.
Null-terminated strings have variable length. A C pgm that uses such a string does not know its length until it reads the whole string.
Java stores the length of a variable string sep-arately.
Control: use only C string utilities with bounded length. Use strncpy(to,from,max),
Race condition or serialization flaw. Two processes running concurrently.
Example. Two ticket agents selling a seat on the same flight.
Example. Tripwire chooses a name for its log file, checks to see whether that name exists, and then writes into it. An attacker changes the name to the system log file and hides his work.
So far, we have discussed mostly unintentional mistakes.
Malicious code
A computer may get malicious code during in-stallation of (good) code, setup, or download of other code. Malicious code runs as you and can do anything you can. Malicious code has been around at least since 1970.
Malware definitions
Malicious code = rogue program = whole pro-gram or code that does unexpected or unin-tended actions caused by an agent intent on damage.
agent = person who wrote or distributed the malicious code.
virus = malicious code that can replicate itself by modifying nonmalicious code.
transient virus = virus that stops when its at-tached program stops.
resident virus = virus that puts itself in mem-ory and keeps going even when its attached program stops.
Worm = whole program that spreads copies of itself through a network, does not attach to other programs.
Bot (sort of robot) = worm used in huge num-bers. Some are benign and search the web for search engine hosts.
Trojan horse = malicious code that has a be-nign primary effect and a nonobvious malicious effect.
Rabbit = virus or worm that replicates without bound, exhausting time or memory.
Logic bomb = malicious code that does some-thing bad when a condition happens (a file is opened).
Time bomb = logic bomb with a certain date/-time as condition
Dropper = pgm that just copies other mal-ware, like a virus.
Trapdoor = backdoor = program feature that lets anyone have special privileges by entering a secret code.
Example: ATM program with secret PIN
May be used for maintenance or to erase record of crime
Script attack = malicious code in JavaScript that is downloaded with a page.
Spyware = pgm that intercepts and secretly communicates user activities, like login info. Zombie = malware under control of a remote pgm. It sleeps until activated.
Browser hijacker = code that redirects a browser to another site.
Rootkit = code installed in root of OS; hard to detect.
Tool or toolkit = pgm with a set of tests for vulnerabilities. Each successful test identifies a vulnerable host that can be attacked.
Scareware = false warning of malware attack; may suggest “remedial” action to fix a prob-lem, but actually creates one.
