3. 95-752:8-3
Vulnerable Software
• Buffer overflows
• Insecure running environment
• Insecure temporary files
• Insecure program calls
• Weak encryption
• Poor programming
• “If people built buildings the way that
programmers write software, the first woodpecker
to come along would destroy civilization.”
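Two of the classes listed above, the insecure program call and the insecure temporary file, are easy to see side by side. The following is an added example, not code from the course slides; the function names, the `echo`-based command and the `demo` tag are illustrative choices, and the "attacker" planting a file is simulated in the current process. The vulnerable form is kept deliberately vulnerable so the difference is visible.

```python
import os
import subprocess
import tempfile

# ---- Insecure program call: user input pasted into a shell command line ----
def greet_insecure(name: str) -> str:
    """Vulnerable: `name` is interpolated into a shell command, so metacharacters
    in it (';', '|', '$(...)') are interpreted by /bin/sh."""
    return os.popen("echo Hello " + name).read()

def greet_hardened(name: str) -> str:
    """Hardened: argv list and no shell, so `name` reaches echo as one literal argument."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True, check=True)
    return result.stdout

# ---- Insecure temporary file: predictable name, no exclusive create ----
def predictable_temp_path(tag: str) -> str:
    """The kind of name a local attacker can guess: fixed prefix plus the PID."""
    return os.path.join(tempfile.gettempdir(), f"{tag}-{os.getpid()}.tmp")

def write_temp_insecure(data: str, tag: str) -> str:
    """Vulnerable: open(..., 'w') on a guessable name follows whatever a local
    attacker planted there first (a file, or a symlink to a file we own)."""
    path = predictable_temp_path(tag)
    with open(path, "w") as f:
        f.write(data)
    return path

def write_temp_hardened(data: str, tag: str) -> str:
    """Hardened: mkstemp picks a random name and opens it with O_CREAT|O_EXCL
    and mode 0600, so a pre-planted path is never followed and other users
    cannot read the contents."""
    fd, path = tempfile.mkstemp(prefix=f"{tag}-", suffix=".tmp")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def temp_file_race_demo(tag: str = "demo") -> tuple:
    """Play the attacker: plant a file at the predictable name, then run both
    writers. Returns (insecure_overwrote_planted, hardened_overwrote_planted,
    mode_bits_of_hardened_file). Constructed scenario, cleaned up afterwards."""
    planted = predictable_temp_path(tag)
    with open(planted, "w") as f:
        f.write("planted by attacker")
    try:
        write_temp_insecure("secret", tag)
        insecure_hit = open(planted).read() == "secret"   # planted file was followed
        safe_path = write_temp_hardened("secret", tag)
        hardened_hit = safe_path == planted                # never true: random name
        mode = os.stat(safe_path).st_mode & 0o777
        os.unlink(safe_path)
        return insecure_hit, hardened_hit, mode
    finally:
        os.unlink(planted)
```

With the input `x; echo INJECTED`, the insecure call runs a second command while the hardened one prints the string unchanged; the temp-file demo shows the insecure writer silently overwriting the planted file while `mkstemp` lands on a fresh, owner-only path.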
5. 95-752:8-5
Hacker Toolkits
Programs that automatically scan for
security problems on systems
– Useful for system administrators to find
problems for fixing
– Useful for hackers to find problems for
exploitation
Examples:
– SATAN
– COPS
– ISS
Countermeasure: Detection Software
6. 95-752:8-6
Backdoors/Trapdoors
• Pieces of code written into applications or
operating systems to give programmers easy
access later, bypassing the normal authentication
• Useful for debugging and monitoring
• Too often, not removed
• Examples:
– Ken Thompson’s login/compiler hack (“Reflections on Trusting Trust”)
– Sendmail DEBUG mode
• Countermeasures
– Sandboxing
– Code Reviews
7. 95-752:8-7
Logic Bombs
• Pieces of code that cause an undesired effect
when a specified event occurs (a date, a count, a condition)
• Used to enforce licenses (time-outs)
• Used for revenge by disgruntled employees
• Can be hard to prove malicious intent (looks like a bug)
• Examples
– British accounting firm logic bomb
– British bank hack
• Countermeasures
– Personnel security
8. 95-752:8-8
Viruses
• Pieces of code that attach themselves to existing programs
• Not a distinct program: needs a host to run and spread
• No beneficial use – VERY destructive
• Examples:
– Michelangelo
– Love letter
• Countermeasures
– Virus detection/disinfection software
9. 95-752:8-9
Structure of a Virus
• Marker: determines whether a potential carrier
program has already been infected (avoids re-infection)
• Infector: seeks out potential carriers and
infects them
• Trigger check: establishes whether current
conditions are sufficient for the manipulation
• Manipulation: carries out the malicious task
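The four parts above, as an added simulation that is not part of the course material: the "disk" is a dictionary of byte strings, the marker and viral code are constructed constants, and nothing touches real files. The trigger date is Michelangelo's (6 March); the signature scanner and disinfector at the end are the countermeasure from the Viruses slide applied to the same toy.

```python
from datetime import date

# Constructed signatures; nothing here touches real files.
MARKER = b"<<INFECTED:v1>>"     # left in every carrier the virus has infected
VIRAL_CODE = b"<<VIRAL-CODE>>"  # stands in for the virus body prepended to the host

def make_filesystem() -> dict:
    """Constructed sample 'disk': file name -> program bytes."""
    return {
        "editor.exe": b"MZ editor code",
        "game.exe":   b"MZ game code",
        "notes.txt":  b"plain text, not executable",
    }

def is_carrier(name: str, program: bytes) -> bool:
    """Only executables can host the virus (toy check on name and header)."""
    return name.endswith(".exe") and program.startswith(b"MZ")

def already_infected(program: bytes) -> bool:
    """Marker: skip carriers infected earlier. Re-infecting would grow files
    without bound and make the virus easy to notice."""
    return program.startswith(MARKER)

def infect(program: bytes) -> bytes:
    """Infector: prepend marker + viral code; the host stays intact so it still runs."""
    return MARKER + VIRAL_CODE + program

def trigger_fires(month: int, day: int) -> bool:
    """Trigger check: Michelangelo fired on 6 March."""
    return (month, day) == (3, 6)

def manipulate(fs: dict) -> None:
    """Manipulation: the destructive task, here wiping every file."""
    for name in fs:
        fs[name] = b""

def run_infected_program(fs: dict, today: tuple = None) -> list:
    """What happens when an infected host executes: spread first, then check
    the trigger. `today` is (month, day); defaults to the real date."""
    if today is None:
        now = date.today()
        today = (now.month, now.day)
    newly_infected = []
    for name, program in fs.items():          # values change, keys do not: safe to iterate
        if is_carrier(name, program) and not already_infected(program):
            fs[name] = infect(program)
            newly_infected.append(name)
    if trigger_fires(*today):
        manipulate(fs)
    return newly_infected

# Countermeasure from the Viruses slide: signature scanning and disinfection.
def scan(fs: dict, signature: bytes = VIRAL_CODE) -> list:
    """Detection: report files containing the virus's byte signature."""
    return sorted(name for name, program in fs.items() if signature in program)

def disinfect(program: bytes) -> bytes:
    """Disinfection: strip the prepended marker and viral code to recover the host."""
    if not already_infected(program):
        return program
    return program[len(MARKER) + len(VIRAL_CODE):]
```

Running the infected program twice on a non-trigger day infects both executables the first time and nothing the second time, which is exactly the marker's job; the text file is never touched, the scanner lists both carriers, and on 6 March the manipulation wipes the disk.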
11. 95-752:8-11
Worms
• Stand-alone programs that copy themselves
from system to system over the network
• Some legitimate use in distributed computation
• Examples:
– Dolphin worm (Xerox PARC)
– Code Red (2001, $12B cost)
– Morris Worm (1988, $20M cost)
• Countermeasures
– Sandboxing
– Quick patching: fix holes, stop worm
12. 95-752:8-12
Trojan Horses
• Programs that appear useful but have a malicious covert purpose
• Have been used for license enforcement
• Examples:
– FIX2001
– AOL4FREE
– RIDBO
• Countermeasures
– Sandboxing
– Code reviews
13. 95-752:8-13
Greedy Programs
• Programs that consume resources without limit,
typically by copying themselves (also called rabbits or bacteria)
• Core War (programs fighting for memory in a simulated machine)
• Have been used in destructive web pages and
standalone programs
• Can be very difficult to show that the resource
consumption was deliberate rather than a bug
• Countermeasures:
– CPU quotas on process families
– Process quotas
– Review of imported software & web pages
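The CPU-quota countermeasure, as an added example (not from the slides): a constructed CPU hog is run in a child interpreter with `RLIMIT_CPU` applied just before exec. The limit is inherited by anything the child spawns, so each copy a greedy program makes is capped too; it is still a per-process cap, so bounding a whole process family or user needs `RLIMIT_NPROC` or a cgroup, which this example does not set. The `GREEDY` and `POLITE` snippets and the function names are illustrative.

```python
import resource
import signal
import subprocess
import sys

# Constructed programs: one burns CPU forever, one finishes quickly.
GREEDY = "while True:\n    pass\n"
POLITE = "print(sum(range(1000)))\n"

def run_with_cpu_quota(code: str, cpu_seconds: int) -> int:
    """Run `code` in a child Python with RLIMIT_CPU set just before exec.
    The kernel sends SIGXCPU when the soft limit is exceeded and SIGKILL at
    the hard limit (one second later). The limit is inherited across fork and
    exec, so children of the greedy program get the same cap. Returns the exit
    status; a negative value is the signal that terminated the child."""
    def apply_quota():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    proc = subprocess.run(
        [sys.executable, "-c", code],
        preexec_fn=apply_quota,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        timeout=cpu_seconds + 30,   # wall-clock backstop if CPU time is never charged
    )
    return proc.returncode

def killed_by_quota(returncode: int) -> bool:
    """True when the child died from the quota rather than exiting on its own."""
    return returncode in (-signal.SIGXCPU, -signal.SIGKILL)

if __name__ == "__main__":
    print("polite:", run_with_cpu_quota(POLITE, 5))
    rc = run_with_cpu_quota(GREEDY, 1)
    print("greedy:", rc, "killed by quota" if killed_by_quota(rc) else "survived")
```

The polite program exits 0 well inside its budget; the greedy one is stopped after about a second of CPU time regardless of how it behaves. In production the same limits are set per user in `limits.conf` or via the service manager rather than from a wrapper like this.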
14. 95-752:8-14
Bot Networks
• Collections of compromised machines under a common controller
• Typically compromised by automated scripts
• Respond to the controller’s commands, perhaps encrypted
• Examples:
– Leaves
– Code Red II
• Countermeasures: vulnerability patching, integrity
checks