Running code securely
An overview of threats and countermeasures
Almut Herzog
Overview over protective technology for end users
• anti-virus software
  – anti-spyware
• personal firewall
• backup
• encryption
  – SSL and other network encryption, SSH, file encryption, password storage → Lecture on Network Security
• knowledge
  – smooth surface: keep the system updated, shut down unnecessary services
Malicious code – some names, not a taxonomy
• Virus – a program that recursively and explicitly copies a possibly evolved version of itself.
• Worm – a network virus: mailers and mass-mailer worms, octopus (exists on more than one computer on the network at the same time), rabbit (a single copy that moves from host to host)
• Logic bombs – programmed malfunction of a legitimate application; Easter eggs (non-malicious, give credit to the developers, e.g. in MS Flight Simulator; spyware? adware?)
• Trojan horse – useful functionality to entice the user, or subversion of an existing tool (ps, ls, password, logon screen); backdoors (listen on a port).
• Germs – first-generation form of a virus, not attached to an infected host file but existing as plain, readable code.
• Exploits – specific to one or more vulnerabilities, show that a vulnerability can be exploited.
• Downloaders – install a set of other items on a machine.
• Dialers – modem users are redirected to a premium-rate Internet connection.
• Droppers – installers for first-generation virus code.
• Injectors – droppers that install virus code in memory; also network injectors.
• Auto rooters – break into new machines using an exploit to gain root access automatically.
• Kits (virus generators) – generate new computer viruses automatically.
• Spammer programs – send unsolicited messages (spim – instant messaging, spit – Internet telephony).
• Flooders – stage a DoS attack.
• Keyloggers – capture keystrokes.
• Rootkits – used after an attacker has broken into a computer system and gained root-level access, to change legitimate programs into Trojan horses and hide the intrusion.
• Miscellaneous – joke programs (lock the screen randomly), hoaxes (chain letters), adware, spyware.
Virus self-protection techniques
= how viruses protect themselves from being found
• tunnelling virus – installs itself on the layer below the defence, preferably on the very lowest layer
• armoured virus – armoured against (fast) attempts by anti-virus analysts to find out what the virus code does
  – encryption, obfuscation, matching checksums rather than strings, anti-debugging
• aggressive retrovirus – disables countermeasures (anti-virus software, firewalls)
• code evolution
  – encryption; oligomorphic: changes the decryptor (chooses from a small set); polymorphic: mutates the decryptor; metamorphic: evolves the whole virus body (NOP insertion, recompilation on the host, …)
Virus classification according to payload
• no payload, the virus replicates only
• accidentally destructive
• non-destructive (display a message, open/close the CD tray etc.)
• somewhat destructive: flip a bitmap, stop a service
• highly destructive
  – overwrite data (format the HD), data diddler, encrypt data, HW destruction (overheat), DoS on the local or a remote host, steal data
Virus file infection strategies
• Overwriting virus: overwrites/destroys a file on disk with virus code, usually starting at the beginning of the file; the host size may or may not change
  – Random overwriting virus: overwrites at a random position in the host file; the virus may never execute, but the host is destroyed
• Appending virus: appends the virus code to the host code; the host starts with a jump to the appended virus code
[Diagram: host layout for an overwriting virus that changes the host size, an overwriting virus that does not change the host size, a random overwriting virus, and an appending virus (JMP at the start of the program code to the appended virus code)]
Virus file infection strategies
• Prepending virus: virus code first, then the full host code
  – Classic parasitic virus: overwrites the beginning of the host with virus code and saves the overwritten code at the end of the host file
• Amoeba infection: the virus code is split into a head prepended to the host and a tail appended to it
[Diagram: host layout for a prepending virus, a classic parasitic virus, and an amoeba infection (Virus (Head) – Program Code – Virus (Tail))]
Virus file infection strategies
• Cavity virus: does not increase the file size, overwrites unused portions (e.g. padding) of the host file
  – Fractioned cavity virus: the virus code is scattered over several cavities in the file; the program starts with a modified entry point that points to the virus code
• Compressing virus: compresses the host file to hide the size increase caused by the virus code; a decompressor unpacks the host at run time
[Diagram: host layout for a cavity virus (virus code inside the program code) and a compressing virus (packed program code + virus code + decompressor)]
Virus file infection strategies
• Embedded decryptor: the decryptor is scattered over the host file, the overwritten code is saved at the end, and the host starts by invoking the decryptor, which decrypts and launches the appended virus body
• Embedded decryptor and virus body: both the decryptor and the virus body are scattered over the file, the overwritten parts are appended
[Diagram: host layout with a JMP at program start, decryptor blocks embedded in the program code, appended virus code and saved blocks]
Virus file infection strategies
• Entry-point obscuring (EPO): an arbitrary instruction somewhere inside the host is replaced by a jump to the virus code, instead of the first instruction at the entry point
[Diagram: (1) the first instruction is a jump to the virus code; (2) an arbitrary instruction is a jump to the virus code]
Virus file infection strategies
• Possible future infection techniques: code builders (build the virus out of the host's own legitimate instructions)
[Diagram: host program code containing a code builder that assembles ‘V’+‘I’+‘R’+‘U’+‘S’ from existing host instructions and jumps to it]
Virus in-memory strategies
• single-tasking operating system
  – non-resident/direct action: the virus code looks for new targets to infect before letting the host program run
  – memory-resident: the virus code loads itself into memory (stays resident) and then lets the host program run
    • hooks an interrupt handler
  – swapping virus: executed upon an interrupt, finds a target, infects it and terminates
• multi-tasking operating system
Worms
• worm = network virus, does not need to infect files to propagate
• structure of a worm
  1. target locator – finds new victims in address books, news groups, search engines, or by contacting more or less random IP addresses
  2. infection propagator – transfers the worm to the new node and gains control: e-mail with social engineering, backdoor, exploiting a vulnerability
  3. (optional) remote control – so that the author can control infected nodes
  4. (optional) life-cycle manager – e.g. if the worm commits suicide after a certain time
  5. (optional) payload – many worms have none; DoS, spam relay
  6. (optional) self-tracker – sends away information about the spread
• future of worms: worm communication protocol and plug-in API
Anti-Virus software
• on-demand scanning
• on-access scanning
  – memory-resident, hooks interrupts (file system calls), scans files when they are opened, created or closed
• challenge: must do all the searching in a limited amount of time
  – scan only the first and last 2, 4 or 8 kB of a file
  – scan only around the entry point (after the first jump or call instruction)
  – earlier: access the raw disk; today: too many file systems and disk controllers
Anti-Virus software strategies
• first generation: search pre-defined areas of files or system areas for given signature strings
  – wildcards, mismatches (slow), bookmarks (offset to the virus body start + offset to the virus detection string)
• second generation
  – no more NOP confusion, two signatures, compare a checksum of constant bytes
• algorithmic scanning: signatures have evolved into code
• code emulation
• geometric detection, integrity checks
• heuristics for detecting previously unknown viruses
  – code execution starts in the last section, suspicious section flags, incorrect virtual size, suspicious code redirection
• inoculation
• access control, sandbox
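The two slides above (the scan-window limits, then the first- and second-generation signature strategies and the heuristics) are illustrated by the following added example; it is not code from the lecture or from any anti-virus product. It contains a minimal PE32 section-table parser and builds three constructed in-memory samples (a clean host, an appending infection whose entry point is moved into a new last section, and an EPO-style infection in the middle of the code section); the "virus" bytes are a common get-EIP stub, not a working virus, and the signature, bookmark and heuristics are assumptions chosen for the demonstration. The EPO sample is found by the entry-point scan but missed by the first/last-kB window scan and by the three heuristics implemented here, which is exactly why the slide also lists "suspicious code redirection".

```python
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, va, rawsize, rawptr, reloc, lineno, nreloc, nlineno, flags


def build_pe(sections, entry_rva):
    """Build a minimal PE32 image (DOS stub, COFF + optional header, section table, raw data).
    sections: list of (name, virtual_address, virtual_size, characteristics, raw_bytes)."""
    opt_size = 96                                        # PE32 optional header, no data directories
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    hdrs, raw = b"", b""
    for name, va, vsize, flags, data in sections:
        hdrs += struct.pack(SEC_HDR, name, vsize, va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        raw, raw_ptr = raw + data, raw_ptr + len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt + hdrs + raw


def parse_pe(data):
    """Return (entry_rva, [section dicts]); raises ValueError if the file is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        n, vs, va, rs, rp, _, _, _, _, fl = struct.unpack_from(SEC_HDR, data, pe + 24 + opt_size + 40 * i)
        secs.append(dict(name=n.rstrip(b"\0").decode(), va=va, vsize=vs, rawsize=rs, rawptr=rp, flags=fl))
    return entry_rva, secs


def section_of(secs, rva):
    return next((s for s in secs if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)


def rva_to_offset(secs, rva):
    s = section_of(secs, rva)
    return None if s is None else s["rawptr"] + rva - s["va"]


def find_signature(buf, sig, lo=0, hi=None):
    """First-generation scan: byte-for-byte match with wildcards (None) inside buf[lo:hi]."""
    hi = len(buf) if hi is None else min(hi, len(buf))
    for pos in range(lo, hi - len(sig) + 1):
        if all(b is None or buf[pos + i] == b for i, b in enumerate(sig)):
            return pos
    return None


def scan_window(data, sig, window=2048):
    """Scan only the first and last `window` bytes of the file, as the time budget forces."""
    hit = find_signature(data, sig, 0, window)
    return hit if hit is not None else find_signature(data, sig, max(0, len(data) - window))


def scan_entry_point(data, sig, radius=256):
    """Scan only around the entry point, after mapping its RVA to a file offset."""
    entry, secs = parse_pe(data)
    off = rva_to_offset(secs, entry)
    return None if off is None else find_signature(data, sig, max(0, off - radius), off + radius)


def entry_checksum_match(data, bookmark, length, expected_crc):
    """Second-generation check: CRC32 of a constant-byte block at a bookmark relative to the entry point."""
    entry, secs = parse_pe(data)
    off = rva_to_offset(secs, entry)
    chunk = b"" if off is None else data[off + bookmark:off + bookmark + length]
    return len(chunk) == length and zlib.crc32(chunk) == expected_crc


def heuristic_flags(data):
    """Heuristics named on the slide: entry point in the last section, last section writable and
    executable, virtual size smaller than raw size, entry point outside every section."""
    entry, secs = parse_pe(data)
    last, home, findings = secs[-1], section_of(secs, entry), []
    if home is None:
        findings.append("entry point outside all sections")
    elif home is last and len(secs) > 1:
        findings.append("entry point in last section")
    if last["flags"] & IMAGE_SCN_MEM_WRITE and last["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section is writable and executable")
    findings += [f"section {s['name']}: virtual size smaller than raw size" for s in secs if s["vsize"] < s["rawsize"]]
    return findings


# Constructed samples, not real files: a clean host, an appending infection and an EPO-style infection.
VIRUS_SIG = (0x60, 0xE8, None, None, None, None, 0x5D)   # pushad; call $+5; pop ebp, displacement wildcarded
VIRUS_BODY = bytes([0x60, 0xE8, 0, 0, 0, 0, 0x5D]) + b"\xCC" * 25
VIRUS_CRC = zlib.crc32(VIRUS_BODY[:7])                   # checksum of the constant bytes at the bookmark
HOST_CODE = b"\x90" * 0x3000                             # 12 kB of NOPs standing in for host code
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
DATA = (b".data", 0x4000, 0x100, IMAGE_SCN_MEM_WRITE, b"\0" * 0x100)
CLEAN = build_pe([(b".text", 0x1000, 0x3000, CODE, HOST_CODE), DATA], 0x1000)
APPENDED = build_pe([(b".text", 0x1000, 0x3000, CODE, HOST_CODE), DATA,
                     (b".virus", 0x5000, 0x10, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE, VIRUS_BODY)], 0x5000)
EPO = build_pe([(b".text", 0x1000, 0x3000, CODE, HOST_CODE[:0x1800] + VIRUS_BODY + HOST_CODE[0x1800 + 32:]), DATA],
               0x1000 + 0x1800)
```

Running `scan_window`, `scan_entry_point`, `entry_checksum_match` and `heuristic_flags` over the three samples shows the trade-off the slides describe: the window scan is cheap and catches the appended body because it sits in the last 2 kB, the entry-point scan and the bookmark checksum catch both infections because they follow the entry point wherever it was moved, and the structural heuristics flag only the sample that changed the section layout.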
Disinfection
• Erase the virus from disk
  – the reverse of the infection strategy, only possible if the virus has not destroyed the host program
• Terminate the infected process
  – which may not be so easy:
    • keep-alive/twin processes (each restarts the other when one is killed)
Spyware
• Def.:
  – "Any software intended to aid an unauthorised person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information."
  – "software programs that act as data sensors and illicitly collect and transmit information about end users, and then send it back to a third party"
• sources: pop-ups, free downloads, shareware, drive-by downloads
Spyware classification
• cookies and web bugs
  – invisibly keep track of people
• adware
• browser hijackers, browser changers, browser plugins
  – alter the start page, change browser security settings, insert toolbars/buttons, spoof sites, deny access to sites, monitor surfing habits
• extortion ware
  – installs spyware, informs the user and demands payment to uninstall it
• keyloggers
  – capture every keystroke (passwords, credit card information)
• tracks, spybots
• trojan, bundleware
  – masquerades as a harmless or desirable application
Spyware effects
• slows down the computer (at strange rates/patterns), especially at start-up
• destabilises the computer
• hijacks the browser start page
• prevents starting certain programs (IE, anti-virus, anti-spyware)
• cannot be removed
• hidden tasks
• collection of private data
Anti-Spyware
• Much like anti-virus software
  – signature-based
  – behaviour-based (Windows Defender)
  – a mixture
• For testing:
Personal Firewall
• (all) realised in software
• (all) make the computer invisible by not answering unsolicited packets: all unsolicited incoming packets are dropped silently (no reset, no ICMP error)
• (all) control incoming connections
• (some) control outgoing connections, per application
Personal Firewalls – Problems
• A software firewall resides on the target of the attack.
• Evil programs may attach themselves with DLLs to regular (allowed) programs.
• An evil process may modify the memory of an allowed application.
• An attacker can use a driver to inject packets below the level where the per-process filtering is done, and then only has to worry about the packet filter.
Last year's project: Usability and security of personal firewalls
• two use cases
  – making a successful outgoing connection with WinSCP to remote-und.ida.liu.se
  – setting up an FTP server and only allowing one specific host to connect to it
• two misuse cases
  – port scanning
  – replacing an application
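The following added example (not code from the lecture or from the student project) simulates the personal-firewall behaviour of the previous slides and runs the project's two use cases and two misuse cases through it: an outgoing WinSCP connection and its reply, an FTP server reachable from one host only, a port scan that gets silently dropped, and a replaced application. All addresses, ports, process names and executable contents are made up. The replaced-application misuse case is handled by identifying the outbound application by the hash of its executable instead of its name, which is what a firewall that keys only on the file name gets wrong.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK: a new connection attempt
    app: str = ""           # process that sent an outgoing packet (a host firewall sees this, a network firewall does not)
    app_hash: str = ""      # hash of that process's executable file


class PersonalFirewall:
    """Stateful host firewall: silent drop of unsolicited inbound packets, an explicit inbound
    allow-list, and per-application outbound control keyed on the executable hash, not the name."""

    def __init__(self, allowed_apps, inbound_allow=()):
        self.allowed_apps = dict(allowed_apps)    # process name -> expected executable hash
        self.inbound_allow = set(inbound_allow)   # (remote host, local port) pairs that may connect in
        self.conntrack = set()                    # (proto, local addr, local port, remote addr, remote port)
        self.log = []

    def _verdict(self, action, pkt, reason):
        self.log.append((action, reason, pkt))
        return action

    def handle(self, pkt):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.conntrack:
                return self._verdict("ACCEPT", pkt, "established")
            if self.allowed_apps.get(pkt.app) != pkt.app_hash:
                return self._verdict("DROP", pkt, "outbound not allowed for this executable")
            self.conntrack.add(key)
            return self._verdict("ACCEPT", pkt, "new outbound connection allowed")
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # same local/remote orientation as above
        if key in self.conntrack:
            return self._verdict("ACCEPT", pkt, "reply to a connection we opened")
        if pkt.syn and (pkt.src, pkt.dport) in self.inbound_allow:
            self.conntrack.add(key)
            return self._verdict("ACCEPT", pkt, "inbound allow-list")
        return self._verdict("DROP", pkt, "unsolicited inbound, dropped silently")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


# Constructed scenario after the project's use and misuse cases; hosts, ports and binaries are made up.
ME = "10.0.0.5"
WINSCP_HASH = sha256_hex(b"genuine winscp.exe")


def run_scenario():
    fw = PersonalFirewall({"winscp.exe": WINSCP_HASH}, inbound_allow=[("10.0.0.9", 21)])
    out = Packet("out", "tcp", ME, 51000, "remote-und.ida.liu.se", 22, syn=True, app="winscp.exe", app_hash=WINSCP_HASH)
    reply = Packet("in", "tcp", "remote-und.ida.liu.se", 22, ME, 51000)
    ftp_ok = Packet("in", "tcp", "10.0.0.9", 40000, ME, 21, syn=True)
    ftp_other = Packet("in", "tcp", "10.0.0.77", 40001, ME, 21, syn=True)
    scan = [Packet("in", "tcp", "203.0.113.8", 44444, ME, port, syn=True) for port in (21, 22, 80, 135, 445)]
    replaced = Packet("out", "tcp", ME, 51001, "203.0.113.8", 6667, syn=True,
                      app="winscp.exe", app_hash=sha256_hex(b"trojan pretending to be winscp.exe"))
    return {
        "winscp_out": fw.handle(out),
        "ssh_reply": fw.handle(reply),
        "ftp_allowed_host": fw.handle(ftp_ok),
        "ftp_other_host": fw.handle(ftp_other),
        "port_scan": [fw.handle(p) for p in scan],
        "replaced_app": fw.handle(replaced),
    }
```

Note what the simulation cannot show: the three problems on the next slide (DLL injection into an allowed process, patching its memory, injecting packets below the filter with a driver) all let the attacker send traffic that arrives at `handle` looking exactly like the genuine WinSCP's, so a check like the hash comparison above only helps against a replaced file on disk, not against a subverted running process.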
Backup strategies
• no one needs a backup, until they need one
• strategies
  – unstructured
  – full + incremental/differential
  – mirror + reverse
  – continuous
• reasonable backup media for home users:
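The slide only names the strategies; the following added example (not from the lecture) makes the difference between full + incremental and full + differential concrete. The change history, file names and four-day schedule are constructed; the point is that both strategies restore the same state, but incremental sets stay small while the restore needs every set since the last full backup, whereas differential sets grow while the restore needs only the last full backup plus one differential.

```python
# Constructed change history: day -> files modified that day (day 0 is the full backup).
CHANGES = {0: {"a.txt", "b.txt", "c.txt", "d.txt"}, 1: {"a.txt"}, 2: {"b.txt"}, 3: {"a.txt", "c.txt"}}


def plan(changes, strategy, days):
    """Return [(day, kind, {file: mtime})] for strategy "incremental" (files changed since the last
    backup of any kind) or "differential" (files changed since the last full backup)."""
    mtime, sets, last_full, last_any = {}, [], 0, 0
    for day in range(days):
        for f in changes.get(day, ()):
            mtime[f] = day                      # the file's modification time is the day it changed
        if day == 0:
            sets.append((day, "full", dict(mtime)))
            continue
        since = last_any if strategy == "incremental" else last_full
        sets.append((day, strategy, {f: t for f, t in mtime.items() if t > since}))
        last_any = day
    return sets


def restore_chain(sets, day):
    """Backup sets needed to restore the state as of `day`: the last full backup plus every later
    incremental set, or the last full backup plus only the latest differential set."""
    upto = [s for s in sets if s[0] <= day]
    full_idx = max(i for i, s in enumerate(upto) if s[1] == "full")
    tail = upto[full_idx + 1:]
    if tail and tail[-1][1] == "differential":
        tail = tail[-1:]
    return [upto[full_idx]] + tail


def restore(sets, day):
    """Replay the chain in order; later copies overwrite earlier ones. Returns file -> restored mtime."""
    state = {}
    for _, _, files in restore_chain(sets, day):
        state.update(files)
    return state


def set_sizes(sets):
    return [len(files) for _, _, files in sets]
```

With the constructed history, `set_sizes` gives `[4, 1, 1, 2]` for the incremental plan and `[4, 1, 2, 3]` for the differential plan, the restore chain for day 3 has four sets in the first case and two in the second, and `restore` yields the same files with the same modification days for both; a lost or corrupted incremental set breaks every later restore, which is the price of the smaller sets.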
Knowledge: A checklist
• A Home User's Security Checklist for Windows
  http://www.securityfocus.com/columnists/220
• Do your own risk analysis and assess your security.
When to choose what: risk analysis
• Identify the assets
  – data, hardware, network, services
• Identify the threats
  – a possible danger to your system: spy, hacker, disgruntled employees, blackout, flood, theft, breakdown, virus/worm/spyware/adware infection
• Identify the vulnerabilities
  – absence or weakness of a countermeasure, a condition that has the potential to allow a threat to occur
  – no mail/network encryption used, closeness to a river, cheap locks, exposed area
Typical Risk Analysis
• Identify the assets, threats, vulnerabilities and countermeasures
• Identify the risk: the probability P of an attack (the materialisation of a vulnerability), the cost C_A of replacing the assets and the cost C_C of the countermeasure
• Mathematically: only if P · C_A > C_C, i.e. the expected loss exceeds the price of the countermeasure, is it feasible to install the countermeasure.