Lecture #14: Salami and Linearization Attacks
Program and OS Security - Part III
Dr. Ramchandra Mangrulkar
September 2, 2020
Dr.Ramchandra Mangrulkar Lecture #14: Salami and Linerization Attacks September 2, 2020 1 / 11
Contents
Malicious and Non-Malicious programming errors
Targeted Malicious codes
Salami Attack
Linearization Attack
Covert Channel
Control against Program threats
Targeted Malicious Code
Malicious code is written
- for a particular system,
- for a particular application,
- and for a particular purpose.
The attacker or the code writer studies the system carefully, identifying its weaknesses.
Salami Attack
The name comes from the way odd bits of meat and fat are fused together in a sausage or salami.
A salami attack merges bits of seemingly inconsequential data to yield powerful results.
Programs often disregard small amounts of money in their computations, as when fractional pennies arise while interest or tax is calculated.
An example of salami slicing, also known as penny shaving, is the fraudulent practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding to the nearest cent (or other monetary unit) in financial transactions.
A programmer modifies arithmetic routines such as interest computations.
Typically, the calculations are carried out to several decimal places beyond the customary 2 or 3 kept for financial records.
If the programmer arranges to collect these fractions of pennies in a separate account, a sizable fund can grow with no warning to the financial institution.
An embezzler removed $0.20 to $0.30 from hundreds of accounts two or three times a year.
In Short, a Salami Attack Is
The programmer "slices off" money.
The slices are hard for the victim to detect.
Example: Salami Attack
The classic tale of a salami attack involves interest computation. Suppose
your bank pays 6.5 percent interest on your account. The interest is declared
on an annual basis but is calculated monthly. If, after the first month, your
bank balance is $102.87, the bank can calculate the interest in the following
way. For a month with 31 days, we divide the interest rate by 365 to get the
daily rate, and then multiply it by 31 to get the interest for the month. Thus,
the total interest for 31 days is 31/365*0.065*102.87 = $0.5495726. Since
banks deal only in full cents, a typical practice is to round down if a residue is
less than half a cent, and round up if a residue is half a cent or more.
However, few people check their interest computation closely, and fewer still
would complain about having the amount $0.5495 rounded down to $0.54,
instead of up to $0.55. Most programs that perform computations on
currency recognize that because of rounding, a sum of individual
computations may be a few cents different from the computation applied to
the sum of the balances.
More Examples
http://www.mekabay.com/nwss/116p--salami_fraud.pdf
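As an added illustration (not from the slides), the following Python recomputes the interest posting exactly from the slide's inputs, places the bank's nearest-cent rule beside a tampered routine that always truncates, and shows the reconciliation control a defender would run: the average signed residue per account sits near zero under honest rounding but drifts toward +0.5 cent under truncation. The balances other than $102.87 are constructed sample values, and the figures come from the exact arithmetic rather than from the slide's quoted rounding.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Callable, Iterable

ANNUAL_RATE = Decimal("0.065")   # the slide's 6.5 percent, declared annually
CENT = Decimal("0.01")

# Constructed sample balances; $102.87 is the figure used on the slide.
SAMPLE_BALANCES = [Decimal(b) for b in ("102.87", "250.00", "1000.00", "75.50", "3.10", "540.25")]

def raw_interest(balance: Decimal, days: int) -> Decimal:
    """Daily rate (annual rate / 365) applied for `days` days, kept at full precision."""
    return balance * ANNUAL_RATE * days / 365

def honest_posting(balance: Decimal, days: int = 31) -> Decimal:
    """The bank's stated rule: round to the nearest cent, half a cent rounds up."""
    return raw_interest(balance, days).quantize(CENT, rounding=ROUND_HALF_UP)

def skimming_posting(balance: Decimal, days: int = 31) -> Decimal:
    """Tampered routine: always truncate. The dropped fraction never reaches the
    customer and is what the embezzler collects in a separate account."""
    return raw_interest(balance, days).quantize(CENT, rounding=ROUND_DOWN)

Posting = Callable[[Decimal, int], Decimal]

def post_interest(balances: Iterable[Decimal], posting: Posting, days: int = 31):
    """Run one month's posting. Returns (total posted, total residue held back)."""
    posted_total = Decimal(0)
    residue_total = Decimal(0)
    for balance in balances:
        posted = posting(balance, days)
        posted_total += posted
        residue_total += raw_interest(balance, days) - posted
    return posted_total, residue_total

def mean_residue_cents(balances: list, posting: Posting, days: int = 31) -> Decimal:
    """Reconciliation control: average signed residue per account, in cents.
    Nearest-cent rounding leaves residues in [-0.5, 0.5) that cancel out (mean near 0);
    systematic truncation leaves residues in [0, 1) whose mean sits near +0.5 cent.
    A drift of this mean toward +0.5 cent is the fingerprint of the skim."""
    _, residue_total = post_interest(balances, posting, days)
    return (residue_total * 100 / len(balances)).quantize(Decimal("0.001"))

def skim_collected(balances: list, days: int = 31) -> Decimal:
    """Money diverted in one run: what honest posting would pay minus what was paid."""
    honest, _ = post_interest(balances, honest_posting, days)
    skimmed, _ = post_interest(balances, skimming_posting, days)
    return honest - skimmed

if __name__ == "__main__":
    for b in SAMPLE_BALANCES:
        print(f"{b:>8}  raw={raw_interest(b, 31):.7f}  honest={honest_posting(b)}  skim={skimming_posting(b)}")
    print("diverted this month:", skim_collected(SAMPLE_BALANCES))
    print("mean residue (honest):", mean_residue_cents(SAMPLE_BALANCES, honest_posting), "cents")
    print("mean residue (skim):  ", mean_residue_cents(SAMPLE_BALANCES, skimming_posting), "cents")
```

Run over hundreds of accounts, the per-run diversion stays at a few cents per account, which is exactly why the mean-residue drift, not the absolute amount, is the signal worth alerting on.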
Salami Attacks in Literature
Linearization Attack
eXtended Sparse Linearization (XSL) attack: a method of cryptanalysis for block ciphers.
The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk.
Against AES, it aims to shorten the amount of time it takes to retrieve the secret message without having the key.
Linearization Attack Example
Cracking a password based on password verification time (Password = "S123N456").
For efficiency, the check is made one character at a time.
Can an attacker take advantage of this?
Correct password: verification time is maximum.
Incorrect password: verification time is minimum.
The attacker tries all 1-character strings and finds that "S" takes longer.
The attacker tries all 2-character strings "S*" and finds that "S1" takes longer, and so on...
The attacker is able to get the serial number one character at a time.
Advantages of Linearization
Suppose the serial number is 8 characters and each has 128 possible values:
128^8 = 2^56 possible serial numbers.
An attacker would guess it in about 2^55 tries.
With a linearization attack, the work is about 8 × (128/2) = 2^9.
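As an added illustration (not from the slides), the following Python models the slide's character-at-a-time check with a step counter standing in for verification time, shows that counter leaking the length of the correct prefix, simulates the procedure described above to count how many checks it needs, and puts a constant-time comparison beside it that returns the same count for every guess, so the same simulation recovers nothing. The 36-symbol alphabet is a constructed assumption (the slide uses 128); the work-factor functions reproduce the slide's 8 × (128/2) and 2^55 figures.

```python
import string

SECRET = "S123N456"                                   # the slide's example password
ALPHABET = string.ascii_uppercase + string.digits     # 36 symbols; constructed, smaller than the slide's 128

def leaky_check(secret: str, guess: str) -> tuple[bool, int]:
    """The slide's 'efficient' check: one character at a time, stop at the first
    mismatch. Returns (match, steps); the step count stands in for verification
    time. A missing guess character counts as a mismatch."""
    steps = 0
    for i, s in enumerate(secret):
        steps += 1
        if i >= len(guess) or guess[i] != s:
            return False, steps
    return len(guess) == len(secret), steps

def constant_time_check(secret: str, guess: str) -> tuple[bool, int]:
    """Hardened form: the work is identical for every guess, so step count (time)
    says nothing about how much of the prefix is right. In production use
    hmac.compare_digest; this explicit loop exists only to expose the step count."""
    padded = guess[:len(secret)].ljust(len(secret), "\0")
    diff = len(guess) ^ len(secret)          # length mismatch folded in, not short-circuited
    steps = 0
    for s, g in zip(secret, padded):
        steps += 1
        diff |= ord(s) ^ ord(g)
    return diff == 0, steps

def recover_by_step_count(check, alphabet: str, length: int) -> tuple[str, int]:
    """Simulate the slide's procedure against a check that reports its steps:
    at each position keep the character whose check runs longer than the others.
    Returns (recovered string, number of check invocations)."""
    prefix, queries = "", 0
    for _ in range(length):
        baseline = None
        best_char, best_steps = alphabet[0], -1
        for c in alphabet:
            ok, steps = check(prefix + c)
            queries += 1
            if baseline is None:
                baseline = steps                 # cost of a plain wrong guess at this position
            if ok or steps > baseline:           # ran longer than the others: prefix extended
                best_char = c
                break
            if steps > best_steps:
                best_char, best_steps = c, steps
        prefix += best_char
    return prefix, queries

def brute_force_guesses(length: int, symbols: int) -> int:
    """Expected guesses without the leak: half of the symbols**length space."""
    return symbols ** length // 2

def linearization_work(length: int, symbols: int) -> int:
    """Expected guesses with the leak: each position costs about symbols/2."""
    return length * (symbols // 2)

if __name__ == "__main__":
    for g in ("A", "S", "S1", SECRET):
        print(f"{g!r:12} leaky={leaky_check(SECRET, g)}  constant={constant_time_check(SECRET, g)}")
    print("leaky check:   ", recover_by_step_count(lambda g: leaky_check(SECRET, g), ALPHABET, len(SECRET)))
    print("constant time: ", recover_by_step_count(lambda g: constant_time_check(SECRET, g), ALPHABET, len(SECRET)))
    print("slide's figures:", brute_force_guesses(8, 128) == 2 ** 55, linearization_work(8, 128) == 2 ** 9)
```

Real verification time is noisier than a step counter, but the defensive conclusion is the same: the only fix that removes the signal is a comparison whose work does not depend on the guess.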
Problem
Suppose the password length is 2 characters and each has 32 possible values [A-Z and 0-5]. With a linearization attack, how many tries will it require to break the password?
Homework: http://cse.iitkgp.ac.in/~abhij/publications/XL_SGE-InfoSecHiComNet11.pdf