Malicious Logic
What is malicious logic
Defenses
Computer Security: Art and Science ©2002-2004 Matt Bishop
Malicious Logic
Set of instructions that cause site security policy to be violated
Example
Shell script on a UNIX system:
    cp /bin/sh /tmp/.xyzzy
    chmod u+s,o+x /tmp/.xyzzy
    rm ./ls
    ls $*
Place in program called "ls" and trick someone into executing it
You now have a setuid-to-them shell!
Notes: UNIX assigns a user-id to each user. The user-id ranges from 0 to 65,535. Each login name corresponds to a single user-id; more than one login name could be mapped to the same user-id. A special class of programs called setuid programs create processes that have the effective uid of the owner of the program, rather than of the user process that initiates it. So, the rights are those of the owner. chmod u+s sets the setuid bit; o+x is for owner + execute permissions. Together it means: change the permission to the owner's permission and allow the owner to execute it. If root runs this program, then you now have a shell called /tmp/.xyzzy that has root access. So, you can later log in and run that shell with root access.
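Two defender-side checks for the script above, written as an added example for these notes (not code from the slides or from Bishop's text): one audits PATH for entries that let a planted "ls" in the current directory shadow the real one, and one walks a directory looking for the setuid artefact the script leaves behind. The function names and the constructed scratch directory are this example's own assumptions.

```python
"""Added example: detect the two footprints of the setuid-shell Trojan horse.
Not part of the original slides; names and sample data are constructed here."""
import os
import stat
import tempfile


def path_risks(path_value):
    """Return the PATH entries that resolve to the current directory (or
    relative to it): empty entries, '.', and any non-absolute entry.
    Those are what make a planted './ls' run instead of /bin/ls."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if entry == "" or entry == "." or not os.path.isabs(entry):
            risky.append(entry)
    return risky


def find_setuid_files(root):
    """Walk `root` and return regular files with the setuid bit set.
    A shell copy with this bit in a scratch directory (the slide's
    /tmp/.xyzzy) is exactly what the Trojan leaves behind."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


def demo():
    """Constructed scenario: one hidden setuid file next to a harmless file
    in a temporary directory; returns the base names the scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, ".xyzzy")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder body; only the mode matters
        os.chmod(planted, 0o4755)  # rwsr-xr-x, as chmod u+s,o+x would give
        with open(os.path.join(tmp, "notes.txt"), "w") as f:
            f.write("harmless\n")
        return [os.path.basename(p) for p in find_setuid_files(tmp)]


if __name__ == "__main__":
    print("risky PATH entries:", path_risks(os.environ.get("PATH", "")))
    print("setuid files in demo dir:", demo())
```

Run the PATH check against each user's real PATH and the setuid scan against world-writable directories such as /tmp; a periodic scan that compares against a known list of legitimate setuid binaries turns the second function into an alert.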
Trojan Horse
Program with an overt purpose (known to user) and a covert purpose (unknown to user)
Often called a Trojan
Named by Dan Edwards in Anderson Report
Example: previous script is Trojan horse
  Overt purpose: list files in directory
  Covert purpose: create setuid shell
Violation of security policy
It is a violation if a user is tricked into running the modified "ls" script.
It is not a violation if a user accidentally typed in the first two statements.
Therefore, it is difficult to detect intent, and hence whether it is malicious or not.
Example: NetBus
Designed for Windows NT system
Victim uploads and installs this
  Usually disguised as a game program, or in one
Acts as a server, accepting and executing commands for remote administrator
  This includes intercepting keystrokes and mouse motions and sending them to attacker
  Also allows attacker to upload, download files
Notes: Patch.exe, SysEdit.exe (server name). Modifies system registry, so it starts automatically on system startup. Back Orifice is smaller and can gain access and then download NetBus. Use anti-virus software to detect and remove. NetBuster pretends to be NetBus. NetBus = NetPrank in Swedish.
Replicating Trojan Horse
Trojan horse that makes copies of itself
  Also called propagating Trojan horse
  Early version of animal game used this to delete copies of itself
Hard to detect
  1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler
  1980s: Thompson implements this
Thompson's Compiler
Modify the compiler so that when it compiles login, login accepts the user's correct password or a fixed password (the same one for all users)
Then modify the compiler again, so when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted
Recompile the compiler
Delete the source containing the modification and put the undoctored source back
Notes: The program in question was actually the preprocessor cpp(1), not the compiler proper (ccom). Question: how do you fix this? Your login source is right, and if you get suspicious and check your compiler source, it is too. You can even recompile both!
The Login Program
[Diagram: The Login Program]
  Top: login source -> correct compiler -> login executable; user password -> logged in
  Bottom: login source -> doctored compiler -> login executable; magic password or user password -> logged in
Notes: Top part: giving the login program to the undoctored compiler gets you the correct login executable. Bottom part: giving the login program to the doctored compiler gets you a login program that accepts either the right password or the magic password. In both cases it is the same login source.
The Compiler
[Diagram: The Compiler]
  Top: compiler source -> correct compiler -> compiler executable; login source -> correct login executable
  Bottom: compiler source -> doctored compiler -> compiler executable; login source -> rigged login executable
Notes: Top part: giving the compiler program to the undoctored compiler gets you the correct compiler executable. Bottom part: giving the compiler program to the doctored compiler gets you a compiler program that adds the bogus code to the login program. In both cases it is the same compiler source.
Comments
Great pains taken to ensure second version of compiler never released
  Finally deleted when a new compiler executable from a different system overwrote the doctored compiler
The point: no amount of source-level verification or scrutiny will protect you from using untrusted code
Also: having source code helps, but does not ensure you're safe
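A toy model of the four steps on the Thompson's Compiler slide, added here as an illustration (it is not Thompson's code, Bishop's, or anything from the slides). "Executables" are Python namespaces produced by exec(), the "compiler" is a function that turns source text into such a namespace, and both LOGIN_SRC and COMPILER_SRC are clean constructed sources. The check at the end is Wheeler's diverse double-compiling idea: recompile the compiler source with an independent compiler, then with the result, and compare what comes out with the suspect binary. All function names, the magic password and the use of a second clean instance as the "independent" compiler are this example's own assumptions.

```python
"""Added example: self-propagating compiler Trojan, modelled in Python, and a
diverse-double-compiling style comparison that exposes it.  Not from the
slides; sources, names and the magic password are constructed here."""

# Clean constructed sources: neither contains the backdoor.
LOGIN_SRC = '''
USERS = {"alice": "s3cret"}
def login(user, password):
    return password == USERS.get(user)
'''

COMPILER_SRC = '''
def compile_program(source):
    ns = {}
    exec(source, ns)
    return ns
'''

MAGIC = "open-sesame"  # constructed fixed password accepted by rigged logins


def build_clean_compiler():
    """Compile the compiler source honestly (stands in for a trusted build)."""
    ns = {}
    exec(COMPILER_SRC, ns)
    return ns


def build_doctored_compiler():
    """Compiler whose compile_program rigs login (step 1) and, when it compiles
    the compiler's own source, re-inserts this rigging logic (step 2)."""

    def _doctor(source):
        if "def login(" in source:  # step 1: accept the magic password too
            source = source.replace(
                "return password == USERS.get(user)",
                "return password == USERS.get(user) or password == %r" % MAGIC)
        if "def compile_program(" in source:  # step 2: propagate into new compiler
            source = source.replace(
                "    exec(source, ns)",
                "    exec(_doctor(source), ns)\n"
                "    if 'def compile_program(' in source:\n"
                "        ns['_doctor'] = _doctor")
        return source

    ns = {"_doctor": _doctor}
    exec(_doctor(COMPILER_SRC), ns)  # step 3: recompile the compiler
    return ns                         # step 4: COMPILER_SRC itself stays clean


def demonstrate():
    """Returns whether the magic password is accepted by login built with
    (clean compiler, doctored compiler, clean source recompiled by doctored)."""
    clean, doctored = build_clean_compiler(), build_doctored_compiler()
    l_clean = clean["compile_program"](LOGIN_SRC)
    l_rigged = doctored["compile_program"](LOGIN_SRC)
    regrown = doctored["compile_program"](COMPILER_SRC)  # clean source in...
    l_regrown = regrown["compile_program"](LOGIN_SRC)    # ...rigged output out
    return (l_clean["login"]("alice", MAGIC),
            l_rigged["login"]("alice", MAGIC),
            l_regrown["login"]("alice", MAGIC))


def ddc_matches(suspect, trusted):
    """Diverse double-compiling: build the compiler source with the trusted
    compiler, rebuild it with that result, and compare the outcome with the
    suspect.  A faithful suspect compiles to the same code; a doctored one
    does not, even though its source is identical."""
    stage1 = trusted["compile_program"](COMPILER_SRC)
    stage2 = stage1["compile_program"](COMPILER_SRC)
    return (stage2["compile_program"].__code__.co_code
            == suspect["compile_program"].__code__.co_code)


if __name__ == "__main__":
    print("magic accepted (clean, doctored, regrown):", demonstrate())
    print("doctored passes DDC:", ddc_matches(build_doctored_compiler(), build_clean_compiler()))
    print("clean passes DDC:", ddc_matches(build_clean_compiler(), build_clean_compiler()))
```

The model makes the slide's point concrete: both sources can be read line by line and found correct, and recompiling the compiler from clean source with the doctored binary regrows the doctored binary. The comparison only helps because the second compiler is independent of the suspect; in the toy it is a fresh clean build, in practice it has to be a different compiler or one with a trustworthy provenance.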
Computer Virus
Program that inserts itself into one or more files and performs some action
  Insertion phase is inserting itself into file
  Execution phase is performing some (possibly null) action
Insertion phase must be present
  Need not always be executed
  Lehigh virus inserted itself into boot file only if boot file not infected
  Erased the disk if the counter was 4.
Pseudocode
beginvirus:
    if spread-condition then begin
        for some set of target files do begin
            if target is not infected then begin
                determine where to place virus instructions
                copy instructions from beginvirus to endvirus into target
                alter target to execute added instructions
            end;
        end;
    end;
    perform some action(s)
    goto beginning of infected program
endvirus:
Trojan Horse Or Not?
Yes
  Overt action = infected program's actions
  Covert action = virus' actions (infect, execute)
No
  Overt purpose = virus' actions (infect, execute)
  Covert purpose = none
Semantic, philosophical differences
Defenses against Trojan horse also inhibit computer viruses
History of virus
Programmers for Apple II wrote some
  Not called viruses; very experimental
Fred Cohen
  Graduate student at USC who described them
  Teacher (Adleman) named it "computer virus"
  Tested idea on UNIX systems and UNIVAC 1108 system
Cohen’s Experiments
UNIX systems: goal was to get superuser privileges
  Max time 60m, min time 5m, average 30m
  Virus small, so no degrading of response time
UNIVAC 1108 system: goal was to spread
  Mechanisms of systems that did not inhibit writing using mandatory access controls did little to prohibit virus propagation.
Notes: Mandatory Access Control (MAC): a system mechanism controls access to an object, and an individual cannot alter that access. Rule-based access control.
First Reports
Brain (Pakistani) virus (1986)
  Written for IBM PCs
  Alters boot sectors of floppies, spreads to other floppies
Notes: Slows down the floppy disk drive. Does not affect hard disk drives.
First Reports
MacMag Peace virus (1987)
  Written for Macintosh
  Prints "universal message of peace" on March 2, 1988 and deletes itself
  1st anniversary of Macintosh II introduction
More Reports
Duff's experiments (1987)
  Small virus placed on UNIX system, spread to 46 systems in 8 days
  Attached to a Bourne shell script
  Showed that viruses are not intrinsically machine-dependent
Highland's Lotus 1-2-3 virus (1989)
  Stored as a set of commands in a spreadsheet and loaded when spreadsheet opened
  Changed a value in a specific row, column and spread to other files
Notes: Lotus 1-2-3 is a spreadsheet program from IBM.
Types of Viruses
Boot sector infectors
Executable infectors
Multipartite viruses
TSR viruses
Stealth viruses
Encrypted viruses
Polymorphic viruses
Macro viruses
Comments