This document discusses computer network security and program security issues. It covers two types of program flaws: non-malicious and malicious. Non-malicious flaws are accidental, like buffer overflows which can overwrite memory and crash programs. Malicious flaws are intentional harm, like viruses, Trojan horses, and worms that spread secretly. The document explains different types of malicious code and how they work, such as by attaching to programs, replacing code, or exploiting system weaknesses like the boot sector. It also covers desirable virus traits and various locations where malicious code can hide, like memory-resident programs or macro functions.
Chapter No 3 Computer Network Security
Written by Engr. Muhammad Waseem
Program security
Two types of program flaws
Non-malicious program flaws
Malicious program flaws
Non-malicious program errors
Being human, programmers and other developers make many mistakes, most of which are
unintentional and non-malicious. Many such errors cause program malfunctions but do not lead to
more serious security vulnerabilities.
Buffer overflows
Incomplete mediation
Time-of-check to time-of-use errors
Buffer overflow
A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: some water is going to spill out and make a mess. And in computing, what a mess these errors have made.
A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because
memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the
programmer must declare the buffer's maximum size so that the compiler can set aside that amount of
space.
The computer equivalent of trying to pour two litres of water into a one-litre pitcher
A buffer is a space in which data can be held
Since memory is finite, so is the buffer
The programmer must declare the buffer size
char sample[10]; sets aside ten bytes of memory
The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of the array, sample[0] through sample[9]. Now we execute the statement
sample[10]='A';
or, with a variable index that is never checked, sample[i]='A'; where i is 10 or more. The subscript 10 is outside the range of the array, so the byte 'A' is written to whatever lies in memory just past the buffer.
All programs and data are in memory during execution, sharing the space with the OS, other code and resident routines.
If the extra character overwrites the user's own data, it may affect the program's results but not other programs.
If it overflows into the user's program area and overwrites an instruction that is about to be executed, the machine will try to execute 0x41 (the ASCII code for 'A').
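To make the slides' sample[10]='A' case concrete, here is an added example in C (not code from the original slides): the 10-byte buffer is modelled inside a larger array so that the stray write stays well defined and visible, and each unchecked operation is shown beside a bounds-checked version that refuses or truncates and reports oversized input. The region layout, the marker value and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the slides' memory picture: the 10-byte buffer
 * sample[0]..sample[9], followed immediately by other data the program
 * relies on. Both live in one array so the stray write stays well defined;
 * in a real process the bytes past the buffer would be another variable,
 * an instruction, or a saved return address. */
#define BUF_LEN 10
#define NEIGHBOUR_LEN 8
#define REGION_LEN (BUF_LEN + NEIGHBOUR_LEN)

typedef struct {
    unsigned char mem[REGION_LEN];
} region_t;

/* Zero the buffer and stamp the neighbouring bytes with a marker (0xEE)
 * so a later check can tell whether they were disturbed. */
void region_init(region_t *r) {
    memset(r->mem, 0, BUF_LEN);
    memset(r->mem + BUF_LEN, 0xEE, NEIGHBOUR_LEN);
}

/* The slides' sample[i] = 'A' with no test on i: the store lands
 * wherever i points, including past the end of the buffer. */
void store_unchecked(region_t *r, size_t i, unsigned char c) {
    r->mem[i] = c;                 /* i is never compared with BUF_LEN */
}

/* Same store with the bound enforced: refuses any index >= BUF_LEN
 * and leaves memory untouched. */
bool store_checked(region_t *r, size_t i, unsigned char c) {
    if (i >= BUF_LEN)
        return false;
    r->mem[i] = c;
    return true;
}

/* strcpy-style copy: stops only at the terminator of src, so a string
 * longer than the buffer runs straight into the neighbouring data. */
void copy_unchecked(region_t *r, const char *src) {
    size_t i = 0;
    do {
        r->mem[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Bounded copy: keeps at most BUF_LEN-1 characters, always terminates
 * the buffer, and returns how many characters were dropped so the
 * caller can log or reject the oversized input instead of ignoring it. */
size_t copy_checked(region_t *r, const char *src) {
    size_t len = strlen(src);
    size_t n = len < BUF_LEN - 1 ? len : BUF_LEN - 1;
    memcpy(r->mem, src, n);
    r->mem[n] = '\0';
    return len - n;
}

/* True when every byte past the buffer still carries the marker. */
bool neighbour_intact(const region_t *r) {
    for (size_t i = BUF_LEN; i < REGION_LEN; i++)
        if (r->mem[i] != 0xEE)
            return false;
    return true;
}

/* The byte sitting right after sample[9]: where the slides' 0x41 lands. */
unsigned char byte_after_buffer(const region_t *r) {
    return r->mem[BUF_LEN];
}

/* Scenario helpers, one call per case. */
unsigned char scenario_unchecked_store(void) {
    region_t r;
    region_init(&r);
    store_unchecked(&r, 10, 'A');          /* sample[10] = 'A' */
    return byte_after_buffer(&r);          /* 0x41: the neighbour was clobbered */
}
bool scenario_checked_store_refuses(void) {
    region_t r;
    region_init(&r);
    return !store_checked(&r, 10, 'A') && neighbour_intact(&r);
}
bool scenario_unchecked_copy_damages(void) {
    region_t r;
    region_init(&r);
    copy_unchecked(&r, "AAAAAAAAAAAA");    /* 12 'A's into a 10-byte buffer */
    return !neighbour_intact(&r);
}
size_t scenario_checked_copy_dropped(bool *intact) {
    region_t r;
    region_init(&r);
    size_t dropped = copy_checked(&r, "AAAAAAAAAAAA");
    *intact = neighbour_intact(&r) && r.mem[9] == '\0';
    return dropped;                        /* 3: the characters that did not fit */
}
```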
Security implications
If the buffer overflows into system code space, the attacker merely inserts overflow data that correspond to the machine code for instructions. The attacker may make use of the stack pointer or the return register. Subprocedure calls are handled with a stack, a data structure in which the most recent item inserted is the next one removed (last arrived, first served). An alternative style of buffer overflow
occurs when parameter values are passed into a routine, especially when the parameters are passed to a web server on the Internet.
The attacker may replace code in system space by other instructions, which will cause control to be transferred to the attacker with OS privileges.
The attacker could replace the return address.
Identify what you are trying to protect.
Determine what you are trying to protect it from.
Determine how likely the threats are.
Implement steps that protect your assets in a cost-effective manner.
Review the process continuously, making improvements when you find a weakness.
Incomplete mediation
Incomplete mediation is another security problem that has been with us for decades. Attackers
are exploiting it to cause security problems.
Failure to perform “sanity checks” on data can lead to random or carefully planned flaws.
http://www.somesite.com/subpage/userinput&param1=(808)555-1212&param2=2002Jan01
What if param2 were 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
A routine could fail on a data type error
Receiving program generates wrong result
The receiving program might have a default condition
The two parameters look like a telephone number and a date. Probably the client's (user's) web browser enters those two values in their specified format for easy processing on the server's side. What would happen if param2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
Something would likely fail. As with buffer overflows, one possibility is that the system would fail
catastrophically, with a routine's failing on a data type error as it tried to handle a month named "Min"
or even a year (like 1800) which was out of range. Another possibility is that the receiving program
would continue to execute but would generate a very wrong result. (For example, imagine the amount
of interest due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing
server might have a default condition, deciding to treat 1Aardvark2Many as 3 July 1947. The
possibilities are endless.
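An added example, not part of the original slides, of the mediation the server should perform on the two parameters before using them: the exact formats accepted, the year window (1900 to 2099) and the function names are assumptions of this example; the slides only say that a year like 1800 is out of range.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Accept only the shapes the slides' URL implies:
 *   param1: a telephone number written exactly as (NNN)NNN-NNNN
 *   param2: a date written exactly as YYYYMonDD, e.g. 2002Jan01
 * The accepted year window is an assumption for this example. */
#define YEAR_MIN 1900
#define YEAR_MAX 2099

static const char *MONTHS[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Gregorian leap-year rule. */
static bool is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Days in month m (1..12) of the given year. */
static int days_in_month(int year, int m) {
    static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    if (m == 2 && is_leap(year))
        return 29;
    return days[m - 1];
}

/* Parse exactly n decimal digits starting at s; false on any non-digit. */
static bool parse_digits(const char *s, size_t n, int *out) {
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return false;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return true;
}

/* Validate YYYYMonDD: exact length, numeric year inside the window,
 * month name from the fixed list, day valid for that month and year.
 * Fills year/month/day only when every check passes, so a caller can
 * never pick up half-parsed values. */
bool validate_param2(const char *s, int *year, int *month, int *day) {
    int y, d, m = 0;
    if (s == NULL || strlen(s) != 9)          /* "2002Jan01" is 9 characters */
        return false;
    if (!parse_digits(s, 4, &y) || y < YEAR_MIN || y > YEAR_MAX)
        return false;                         /* rejects 1800Jan01 */
    for (int i = 0; i < 12; i++)
        if (strncmp(s + 4, MONTHS[i], 3) == 0) {
            m = i + 1;
            break;
        }
    if (m == 0)
        return false;                         /* "Min" is not a month */
    if (!parse_digits(s + 7, 2, &d) || d < 1 || d > days_in_month(y, m))
        return false;                         /* rejects Feb30 and day 32 */
    *year = y;
    *month = m;
    *day = d;
    return true;
}

/* Validate (NNN)NNN-NNNN: exact length, punctuation at fixed positions,
 * digits everywhere else. */
bool validate_param1(const char *s) {
    int unused;
    if (s == NULL || strlen(s) != 13)
        return false;
    if (s[0] != '(' || s[4] != ')' || s[8] != '-')
        return false;
    return parse_digits(s + 1, 3, &unused) &&
           parse_digits(s + 5, 3, &unused) &&
           parse_digits(s + 9, 4, &unused);
}

/* Complete mediation of the request: both parameters must pass before
 * the server does anything with them; an input like 1Aardvark2Many is
 * refused here rather than reaching the date arithmetic. */
bool mediate_request(const char *param1, const char *param2) {
    int y, m, d;
    return validate_param1(param1) && validate_param2(param2, &y, &m, &d);
}
```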
Time-of-check to time-of-use errors
These involve synchronization.
Modern OSs and processors usually change the order of instruction execution to increase
performance.
Instructions that appear to be adjacent may not be executed immediately after each other,
because of intentionally changed order or the effects of other processes in concurrent
execution.
We want to make sure that only those who should access an object are allowed that access.
Every requested access must be governed by an access policy stating who is allowed access to what; then the request must be mediated by an access policy enforcement agent.
An incomplete mediation problem occurs if the access is not checked universally. It is also known as a serialization or synchronization flaw.
A person draws five $20 bills from his pocket, carefully counts them and places them in front of the seller. When the seller turns around to write up the bill, the buyer takes back one $20 bill, hands over the stack of bills, takes his purchase and leaves.
An application requests access to a file and passes a data structure. The mediator stores the filename locally and checks for access rights. While the mediator checks for access, the user may modify the locally stored file name and gain access to a different file.
The problem is called a time-of-check to time-of-use flaw because it exploits the delay between the
two times. That is, between the time the access was checked and the time the result of the check was
used, a change occurred, invalidating the result of the check.
Security implication
Checking one action and performing another is an example of ineffective access control. We must be
wary whenever there is a time lag, making sure that there is no way to corrupt the check's results
during that interval.
Solutions:
Digital signatures and certificates. Time-of-check is when someone signs and
time-of-use is when anyone verifies the signature. If the private key is exposed,
the key must be revoked
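An added example, not from the original slides, that models the file-access scenario above in C: a vulnerable mediator that re-reads the caller's request after checking it, beside a fixed one that checks and uses a private copy. The request layout, the single-file policy and both file names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the slides' scenario: the caller hands the
 * mediator a request structure that the caller still owns and can
 * change at any time. The access policy is modelled as a single file
 * that anyone may read; every other name is refused. */
#define NAME_LEN 64

typedef struct {
    char filename[NAME_LEN];
} request_t;

static const char *ALLOWED_FILE = "/data/public/report.txt";   /* constructed policy */
static const char *SECRET_FILE  = "/data/private/payroll.txt"; /* constructed target */

/* Copy a name into a request, always leaving it terminated. */
static void set_name(request_t *req, const char *name) {
    strncpy(req->filename, name, NAME_LEN - 1);
    req->filename[NAME_LEN - 1] = '\0';
}

/* Access policy enforcement: only the one public file may be read. */
bool policy_allows(const char *path) {
    return strcmp(path, ALLOWED_FILE) == 0;
}

/* Stand-in for the other process: it runs in the gap between the
 * check and the use and may rewrite the request the mediator holds. */
typedef void (*window_hook_t)(request_t *req);

/* Vulnerable mediator: checks req->filename, then later reads
 * req->filename again. Returns the name actually used, or NULL when
 * access is refused. Nothing that happened in between is re-examined. */
const char *mediator_vulnerable(request_t *req, window_hook_t hook) {
    if (!policy_allows(req->filename))     /* time of check */
        return NULL;
    if (hook)
        hook(req);                         /* the delay the flaw exploits */
    return req->filename;                  /* time of use: re-read, not re-checked */
}

/* Fixed mediator: snapshots the name into memory only the mediator can
 * reach, checks that copy, and uses that same copy. Edits the caller
 * makes after the check cannot change what is used. */
const char *mediator_fixed(request_t *req, window_hook_t hook,
                           char *private_copy, size_t cap) {
    strncpy(private_copy, req->filename, cap - 1);
    private_copy[cap - 1] = '\0';
    if (!policy_allows(private_copy))      /* check the private copy */
        return NULL;
    if (hook)
        hook(req);                         /* same delay, same interference */
    return private_copy;                   /* use the private copy */
}

/* The interfering edit from the slides: swap the name after the check. */
void swap_to_secret(request_t *req) {
    set_name(req, SECRET_FILE);
}

/* Scenario helpers: each returns the name the mediator ended up using
 * (static storage so the returned pointer stays valid for the caller). */
const char *scenario_vulnerable(void) {
    static request_t req;
    set_name(&req, ALLOWED_FILE);
    return mediator_vulnerable(&req, swap_to_secret);
}
const char *scenario_fixed(void) {
    static request_t req;
    static char priv[NAME_LEN];
    set_name(&req, ALLOWED_FILE);
    return mediator_fixed(&req, swap_to_secret, priv, sizeof priv);
}
const char *scenario_refused(void) {
    static request_t req;
    static char priv[NAME_LEN];
    set_name(&req, SECRET_FILE);           /* asks for the secret file directly */
    return mediator_fixed(&req, NULL, priv, sizeof priv);
}
```

The snapshot closes only the window the slides describe, where the caller's own copy of the name changes between check and use; on a real file system the name can also be re-pointed on disk in that interval, so production code additionally checks the object it has already opened (the file descriptor) rather than the path.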
Failures due to non-malicious flaws
ARPANET had hard coded 347 as the size of the node table
When a host’s node table reached 348, it crashed
Viruses and other malicious code
Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that the malicious effect occurs whenever the good program runs.
Much of the work done by programs is invisible to users. How can you tell if a game program
does nothing in addition to its expected interaction with you?
Malicious people can make programs serve as vehicles to access and change data and other
programs
Unanticipated or undesired effects in program parts
Examples of what malicious code might do
Write a message to the screen
Stop a running program
Generate a sound
Erase a stored file
Kinds of malicious code
Virus
Trojan horse
Logic bomb
Backdoor
Worm
Rabbit
Code type      Characteristics
Virus          Attaches itself to a program and propagates copies of itself to other programs
Trojan horse   Contains unexpected, additional functionality
Logic bomb     Triggers action when a condition occurs
Time bomb      Triggers action when a specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through a network
Rabbit         Replicates itself without limit to exhaust a resource
Virus
A program that can pass on malicious code to other non-malicious programs by modifying them
A virus can be transient or resident
A transient virus's life depends on the life of its host: the virus runs when the host does
A resident virus locates itself in memory
A virus infects a program by attaching itself to the program. A good program, once infected, becomes a carrier and infects other programs.
Trojan horse
Trojans are malicious programs that perform actions that have not been authorized by the user. These actions can include deleting data, blocking data, modifying data, copying data, and disrupting the performance of computers or computer networks.
A Trojan horse is malicious code that, in addition to its primary effect, has a second,
nonobvious malicious effect.
As an example of a computer Trojan horse, consider a login script that solicits a user’s
identification and password, passes the identification information on to the rest of the system
for login processing, but also retains a copy of the information for later, malicious use.
Logic bomb
A logic bomb is a class of malicious code that “detonates” or goes off when a specified
condition occurs.
A time bomb is a logic bomb whose trigger is a time or date.
Backdoor
A trapdoor or backdoor is a feature in a program by which someone can access the program
other than by the obvious, direct call, perhaps with special privileges.
For instance, an automated bank teller program might allow anyone entering the number
990099 on the keypad to process the log of everyone’s transactions at that machine.
Worm
A worm is a program that spreads copies of itself through a network.
The primary difference between a worm and a virus is that a worm operates through networks,
and a virus can spread through any medium (but usually uses copied program or data files).
Additionally, the worm spreads copies of itself as a standalone program, whereas the virus
spreads copies of itself as a program that attaches to or embeds in other programs.
Rabbit
Some literature also defines a rabbit as a virus or worm that self-replicates without bound, with
the intention of exhausting some computing resources.
A rabbit might create copies of itself and store them on disk, in an effort to completely fill the disk.
How viruses attach
A virus can attach itself to a program or data by:
Appending itself, so the virus code is activated when the program is run. (Variation: virus code before and after the program.)
Integrating itself into the program, so the virus code is spread out over its target program.
Integrating itself into data, e.g. as an executable text macro.
A virus will do nothing and will not spread unless it is executed. There are many ways to
ensure that a virus is executed
A setup program may call dozens or even hundreds of other programs, on the distribution disk,
already residing on the computer, or resident in memory
Human intervention is necessary to start the process
Email attachments
The virus code can be embedded in an executable file attachment
Objects such as graphics files can contain code to be executed by the editor, so they can be
transmission agents for viruses
Appended viruses
A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to program.
Usually a virus inserts a copy of itself before the first executable instruction in a program.
This kind of attachment is simple and usually effective.
Typically the user does not notice the effects of the virus, since the program does its job as usual.
Viruses that surround a program
An alternative to attachment is a virus that runs the original program but has control before and after the program's execution.
A virus writer might want to prevent the virus from being detected. If the virus is stored on disk, its presence will be given away by its file name, or its size will affect the amount of space used on the disk.
A virus's presence may be given away by the file size of the program, so the virus writer may infect the file listing display program to regain control after the file listing is generated but before it is displayed.
Integrated viruses and replacements
Here the virus replaces some of its target, integrating itself into the original code of the target.
The virus writer has to know the exact structure of the original program to know where to insert which pieces of the virus.
The virus could even replace the entire target.
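An added example, not from the original slides, showing the defender's side of the size give-away discussed above: record a size-and-digest baseline for a clean program image and verify against it, distinguishing an appended virus (size changes) from an integrated replacement (same size, different content). The sample image, the payload bytes and the choice of FNV-1a as the digest are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Baseline recorded for a program image while it is known to be clean. */
typedef struct {
    size_t   size;
    uint64_t digest;
} baseline_t;

typedef enum { IMAGE_OK, IMAGE_SIZE_CHANGED, IMAGE_CONTENT_CHANGED } verdict_t;

/* FNV-1a (64-bit), chosen only because it fits in a few lines. It is
 * not collision resistant: a real integrity checker uses SHA-256 or a
 * keyed MAC, and keeps the baseline where the checked program cannot
 * rewrite it. */
uint64_t fnv1a64(const unsigned char *data, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

baseline_t baseline_record(const unsigned char *image, size_t n) {
    baseline_t b = { n, fnv1a64(image, n) };
    return b;
}

/* Size first: cheap, and it exposes appended or surrounding code. The
 * digest then exposes integrated or replacement code that keeps the
 * size unchanged, which a size check alone would miss. */
verdict_t baseline_verify(const baseline_t *b, const unsigned char *image, size_t n) {
    if (n != b->size)
        return IMAGE_SIZE_CHANGED;
    if (fnv1a64(image, n) != b->digest)
        return IMAGE_CONTENT_CHANGED;
    return IMAGE_OK;
}

/* Constructed sample "program image" and the two tampering patterns
 * from the slides, applied in memory so the example runs anywhere. */
#define IMAGE_MAX 64
static const unsigned char CLEAN_IMAGE[] = "CLEAN-PROGRAM-CODE-v1";

verdict_t scenario(bool append, bool replace) {
    unsigned char img[IMAGE_MAX];
    size_t n = sizeof CLEAN_IMAGE;
    memcpy(img, CLEAN_IMAGE, n);
    baseline_t b = baseline_record(img, n);     /* taken while clean */
    if (append) {                               /* appended virus: size grows */
        static const unsigned char payload[] = "+VIRUS";
        memcpy(img + n, payload, sizeof payload);
        n += sizeof payload;
    }
    if (replace)                                /* integrated virus: same size */
        memcpy(img, "VIRUS", 5);
    return baseline_verify(&b, img, n);
}
```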
Document viruses
The most popular kind.
A document virus is implemented within a formatted document, such as a written document, a database, a slide presentation, or a spreadsheet.
These documents are highly structured files that contain both data (words or numbers) and commands (such as formulas, formatting controls, links).
The user sees only the contents of the document, so the virus writer includes the virus in the commands.
How viruses gain control
The virus (V) has to be invoked instead of the target (T).
The virus has to either seem to be the target, or has to push the target out of the way and
become a substitute
A virus could replace a target by assuming its name
The virus can overwrite the target on disk
How viruses gain control
The virus can change the pointers in the file tables so that the virus is located instead of the
target
Desirable qualities in viruses
Hard to detect
Not easily destroyed or deactivated
Spreads widely
Re-infects its home program or other programs
Easy to create
Machine independent and OS independent
Few viruses meet all these criteria. The virus writer chooses from these objectives when deciding what the virus will do and where it will reside.
The challenge for the virus writer was once to write code that would be executed repeatedly so that the virus could multiply. Today, one execution is enough to ensure widespread distribution. Many viruses are transmitted by e-mail, using either of two routes.
Homes for viruses
One-time execution
Boot sector viruses
Memory-resident viruses
Other homes
One-time execution
The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution.
A virus often arrives as an email attachment of a document virus and is executed just by opening it.
Boot sector viruses
A given hardware platform can run many different operating systems.
The boot sector contains a boot loader to load the particular OS into memory and run it.
To accommodate large boot loaders, chaining is used.
The virus may break the chain anywhere and insert itself.
Appeal: the virus gains control early, when no detection tool is running, and is invisible to a file listing.
When a computer is started, control begins with firmware that determines which hardware components are present, tests them, and transfers control to an operating system. The boot sector is an especially appealing place to house a virus. The virus gains control very early in the boot process, before most detection tools are active, so that it can avoid, or at least complicate, detection. The files in the boot area are crucial parts of the operating system.
Memory-resident viruses
Some parts of the operating system and most user programs execute, terminate, and disappear, with their space in memory being available for anything executed later. For very frequently used parts of the operating system and for a few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called "resident" code.
Some portions of the OS and a few specialized user programs would take too long to reload each time they are needed, so they are kept in memory and are called resident code, e.g., routines that interpret keys pressed on the keyboard, error control, the alarm clock.
Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running.
Other homes for viruses
One popular home for a virus is an application program. Many applications, such as word processors
and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat
them with one invocation. Such programs also provide a "start-up macro" that is executed every time
the application is executed.
Libraries are also excellent places for malicious code to reside. Because libraries are used by many
programs, the code in them will have a broad effect. Executing code in a library can pass on the viral
infection to other transmission media. Compilers, loaders, linkers, runtime monitors, runtime
debuggers, and even virus control programs are good candidates for hosting viruses because they are
widely shared.
Application macros
Libraries
Compilers, linkers
Runtime monitors, runtime debuggers
Anti-virus
Virus signatures
A virus cannot be completely invisible:
Code must be stored somewhere and must be in memory to execute.
A virus executes in a particular way and uses a certain method to spread.
Each of these characteristics yields a tell-tale pattern (the presence of something) called a signature.
A virus scanner is a program that can automatically detect and, in some cases, remove viruses. The scanner searches memory and long-term storage, monitoring execution and watching for the signatures of viruses. When the scanner recognizes a known virus's pattern, it can then block the virus, inform the user, and deactivate or remove the virus. A virus scanner is effective only if it has been kept up-to-date.
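As an added illustration of signature scanning (this code is not from the chapter), the following Python scanner matches byte-pattern signatures, with `??` wildcards for positions a virus may vary, against a constructed clean file, an infected file and a memory image. The signature database and the three samples are constructed for the example and are not real virus data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A named byte pattern: hex pairs separated by spaces, '??' = any one byte."""
    name: str
    pattern: str


def compile_signature(sig: Signature) -> re.Pattern[bytes]:
    """Turn the hex/wildcard pattern into a bytes regex; '??' becomes '.' under DOTALL."""
    pieces = []
    for token in sig.pattern.split():
        if token == "??":
            pieces.append(b".")
        else:
            pieces.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(pieces), re.DOTALL)


# Constructed signature database (not a real virus signature): "TESTSIG" + 3 wildcards + "XYZ".
SIGNATURES = [
    Signature("Constructed.Test.A", "54 45 53 54 53 49 47 ?? ?? ?? 58 59 5A"),
]


def scan(data: bytes, signatures=SIGNATURES) -> list[tuple[str, int]]:
    """Return (signature name, byte offset) for every signature occurrence found in data."""
    hits = []
    for sig in signatures:
        for match in compile_signature(sig).finditer(data):
            hits.append((sig.name, match.start()))
    return hits


# Constructed samples standing in for a file on disk and a region of memory.
CLEAN_SCRIPT = b"#!/bin/sh\necho hello\nexit 0\n"
INFECTED_SCRIPT = b"#!/bin/sh\necho hello\n" + b"TESTSIG\x01\x02\xffXYZ" + b"\nexit 0\n"
MEMORY_IMAGE = b"\x00" * 64 + b"TESTSIG\x99\x98\x97XYZ" + b"\x00" * 32


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SCRIPT), ("infected", INFECTED_SCRIPT), ("memory", MEMORY_IMAGE)]:
        print(label, scan(sample))
```

The offset of each hit is what a remover needs in order to cut the virus out. Two practical caveats follow from the text: scanning a large file in chunks requires overlapping chunk boundaries by the longest signature length, and a database that is not refreshed misses every form added since the last update.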
Virus effects and causes
Virus Effect                    How It Is Caused
Attach to executable program    Modify file directory
                                Write to executable program file
Attach to data or control file  Modify directory
                                Rewrite data
                                Append to data
                                Append data to self
Remain in memory                Intercept interrupt by modifying interrupt handler address table
                                Load self in nontransient memory area
Infect disks                    Intercept interrupt
                                Intercept operating system call (to format disk, for example)
                                Modify system file
                                Modify ordinary executable program
Conceal self                    Intercept system calls that would reveal self and falsify result
                                Classify self as "hidden" file
Spread infection                Infect boot sector
                                Infect systems program
                                Infect ordinary program
                                Infect data ordinary program reads to control its execution
Prevent deactivation            Activate before deactivating program and block deactivation
                                Store copy to reinfect after deactivation
Execution patterns
A virus writer may want a virus to do several things at the same time:
Spread infection
Avoid detection
Cause harm
Most virus writers seek to avoid detection for themselves and their creations. Because a disk's boot sector is not visible to normal operations (for example, the contents of the boot sector do not show on a directory listing)
One virus can erase files, another an entire disk; one virus can prevent a computer from booting, and another can prevent writing to disk. The damage is bounded only by the creativity of the virus's author.
Transmission patterns
A virus is effective only if it has some means of transmission from one location to another.
Viruses can travel
During the boot process
Over a network connection
Host’s execution
Remain in memory to infect other diskettes
Since a virus can execute any instructions a program can, virus travel is not confined to any single
medium or execution pattern.
Polymorphic viruses
The virus signature may be the most reliable way for a virus scanner to identify a virus.
A clever virus writer can cause something other than specific strings to be in the portions where a virus scanner would look for those strings.
A virus that can change its appearance is called a polymorphic virus (poly means "many" and morph means "form").
A two-form virus can be treated as two independent viruses, so the virus writer will want a large or unlimited number of forms.
A polymorphic virus has to randomly reposition all parts of itself and randomly change all fixed data.
A virus may randomly intersperse harmless instructions throughout its code.
A simple variety of polymorphic virus uses encryption under various keys to make the stored form of the virus different. These are sometimes called encrypting viruses.
Prevention of virus infection
The only way to prevent the infection of a virus is not to share executable code with an infected source.
This used to be easy to do because it was easy to tell whether a file was executable or not.
Today's files are more complex, and a seemingly non-executable file can contain executable code.
Programs are usually configured to activate this code automatically, such as when opening attachments.
The file type is hidden in a field at the start of the file, so Windows will try to open an executable file that has a non-executable extension with the appropriate program; failing that, the executable code will be run.
Since you cannot know which sources are infected, assume that every outside source is infected.
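The following Python check, added here and not part of the chapter, acts on the point above: it identifies a file by its leading bytes rather than by its extension, flags executable content behind a non-executable name, and looks inside an OOXML (.docx-style) archive for the part that carries macros, the command layer a document virus hides in. The magic numbers are the standard ones; the sample files and the minimal document archive are constructed for the example and are not real documents.

```python
from __future__ import annotations

import io
import os
import zipfile

# Leading bytes ("magic numbers") that identify a file's real type, independent of its name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip-container"),  # also .docx/.xlsx/.pptx and .jar
]
EXECUTABLE_KINDS = {"pe-executable", "elf-executable"}
# What each extension claims the content is.
EXTENSION_CLAIMS = {
    ".exe": "pe-executable", ".dll": "pe-executable",
    ".pdf": "pdf", ".png": "png",
    ".zip": "zip-container", ".docx": "zip-container", ".xlsx": "zip-container",
}


def identify(data: bytes) -> str:
    """Classify content by its first bytes; 'unknown' when no magic number matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML documents carry VBA macros in a 'vbaProject.bin' part inside the zip."""
    if identify(data) != "zip-container":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename: str, data: bytes) -> dict:
    """Compare the name's claim with the content; note executables and macro-bearing documents."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(data)
    claimed = EXTENSION_CLAIMS.get(ext, "unknown")
    return {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != "unknown" and actual != claimed,
        "executable": actual in EXECUTABLE_KINDS,
        "has_macros": has_vba_project(data),
    }


def _docx(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip in memory (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


# Constructed samples.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00\x03" + b"\x00" * 60,  # executable content behind a .pdf name
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "memo.docx": _docx(with_macros=False),
    "macro-memo.docx": _docx(with_macros=True),
    "notes.txt": b"just text\n",
}


def flagged(samples=SAMPLES) -> list[str]:
    """Names of samples a defender should quarantine or inspect further."""
    out = []
    for name, data in samples.items():
        report = assess(name, data)
        if report["mismatch"] or report["executable"] or report["has_macros"]:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
    print("flagged:", flagged())
```

The check is deliberately conservative: a file whose extension makes no claim is not a mismatch, but any executable content and any macro-bearing document is reported regardless of its name, which is the "assume every outside source is infected" posture the text recommends.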
Prevention
Use only software acquired from reliable and well-established vendors.
Test all software on an isolated computer. Check the computer with a copy of an up-to-date virus scanner, created before running the suspect program. Only if the program passes these tests should it be installed on a less isolated machine.
Open attachments only when you know them to be safe. An attachment from an unknown source is of questionable safety. You might also distrust an attachment from a known source but with a peculiar message.
Make a recoverable system image and store it safely. If your system does become infected, this clean version will let you reboot securely because it overwrites the corrupted system files with clean copies.
Make and retain backup copies of executable system files. This way, in the event of a virus infection, you can remove infected files and reinstall from the clean backup copies (stored in a secure, offline location, of course).
Use virus detectors (often called virus scanners) regularly and update them daily. Many of the virus detectors available can both detect and eliminate infection from viruses.
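The backup advice above is only useful if you can tell which executables changed. The following Python integrity check is an added example (not the chapter's own code): it records a SHA-256 baseline of every file under a directory and later classifies files as added, removed or modified. The `demo()` function builds a constructed directory of placeholder "executables", then simulates the two effects from the table above, bytes appended to an existing program and a file that was never in the baseline.

```python
from __future__ import annotations

import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a 'bin' tree, then simulate an appended file and a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as handle:
            handle.write(b"\x7fELF constructed placeholder for a system executable\n")
        with open(os.path.join(root, "bin", "cat"), "wb") as handle:
            handle.write(b"\x7fELF another constructed placeholder\n")
        baseline = snapshot(root)  # in practice: store this offline, next to the backups

        # Change resembling an appended virus: bytes added to an existing executable.
        with open(os.path.join(root, "bin", "ls"), "ab") as handle:
            handle.write(b"<constructed extra bytes>")
        # A file that was not in the baseline at all.
        with open(os.path.join(root, "bin", "unexpected"), "wb") as handle:
            handle.write(b"new\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored where an infected machine cannot rewrite it, otherwise a virus that modifies the file directory (first row of the table) can just as easily modify the baseline; keeping it with the offline backup copies satisfies both needs at once.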
Trapdoors
A trapdoor is an undocumented entry point to a module.
Trapdoors are inserted during code development, perhaps to test the module, to provide hooks by which to connect future modifications or enhancements, or to allow access if the module should fail in the future.
In addition to these legitimate uses, trapdoors can allow a programmer access to a program once it is placed in production.
Trapdoors-Examples
Because computing systems are complex structures, programmers usually develop and test systems in a modular manner, taking advantage of the way the system is composed of modules or components.
Each small component of the system is tested first, separate from the other components, in a step called unit testing, to ensure that the component works correctly by itself.
Components are then tested together during integration testing, to see how they function as they send messages and data from one to the other.
Rather than pasting all modules together in a big-bang approach, the modules are grouped into several logical clusters of a few components each.
Each cluster is tested in a way that allows testers to control and understand what might make a component or its interface fail.
During component testing, the tester cannot use the surrounding routines that prepare input or work with output, so they write "stubs" and "drivers" to inject data and extract results.
These stubs and drivers are later discarded because they are replaced by the actual components.
The programmers embed debugging code in suspicious components.
To control stubs or invoke debugging code, the programmer embeds special control sequences in the component's design, specifically to support testing.
Command insertion is a recognized testing practice, but if it is left in place after testing, the extra commands can become a problem.
The Internet Worm spread itself through exactly this kind of trapdoor in an email program.
Poor error checking is another source of trapdoors.
Trapdoors can be useful for system auditing or testing, but they must be documented and access to them must be protected.
Trapdoors-Causes
Trapdoors can persist in programs because the developer:
forgot to remove them;
intentionally left them there for testing;
intentionally left them for maintenance; or
intentionally left them in the program as a covert means of access to the component after it becomes an accepted part of a production system.
The first case is an unintentional security blunder, the next two are serious exposures of the system's security, and the fourth is the first step of an outright attack. It is important to remember that the fault is not with the trapdoor itself, which can be a very useful technique for program testing, correction, and maintenance. Rather, the fault is with the system development process, which does not ensure that the trapdoor is "closed" when it is no longer needed. That is, the trapdoor becomes a vulnerability if no one notices it or acts to prevent or control its use in vulnerable situations.
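The "control sequence embedded to support testing" described above, shown beside a form that keeps the test hook out of the shipped code path, as an added Python example that is not from the chapter. The password store, the bypass string and the module source are all constructed for the illustration. The last function is the development-process control the text asks for: a small audit that parses source code and reports any comparison of a secret-looking variable against a string literal, which is what a leftover hook of this kind looks like.

```python
from __future__ import annotations

import ast
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}


def verify_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


# The 'before' form, kept as source text so the audit below can inspect it.
# A control sequence embedded during testing and never removed (constructed example).
VULNERABLE_SOURCE = '''
def authenticate(user, password):
    if password == "##DEBUG-BYPASS##":   # leftover test hook: a trapdoor
        return True
    return verify_password(user, password)
'''


def run_vulnerable(user: str, password: str) -> bool:
    """Execute the 'before' form to show that the hook still opens the door in production."""
    namespace = {"verify_password": verify_password}
    exec(VULNERABLE_SOURCE, namespace)
    return namespace["authenticate"](user, password)


def authenticate_hardened(user: str, password: str, verifier=verify_password) -> bool:
    """The 'after' form: no magic values. A test passes its own verifier explicitly,
    so the test double lives in the test, not in the shipped code path."""
    return verifier(user, password)


def find_literal_secret_checks(source: str,
                               names=("password", "passwd", "token", "secret")) -> list[int]:
    """Audit step: line numbers where a secret-looking variable is compared to a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left, *node.comparators]
        name_seen = any(isinstance(s, ast.Name) and s.id.lower() in names for s in sides)
        literal_seen = any(isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides)
        if name_seen and literal_seen:
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    print("vulnerable, bypass string:", run_vulnerable("nobody", "##DEBUG-BYPASS##"))
    print("hardened, bypass string:", authenticate_hardened("nobody", "##DEBUG-BYPASS##"))
    print("audit findings (line numbers):", find_literal_secret_checks(VULNERABLE_SOURCE))
```

Running the audit in the build pipeline turns "no one notices it" into a failed build; the pattern it looks for is crude, but it is exactly the shape of the testing hooks the text describes, and it costs nothing to keep in place after the testers' stubs and drivers are discarded.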
Covert channels
Covert channels are programs that communicate information to people who shouldn't receive it.
The communication accompanies other perfectly proper communications, e.g., a student may communicate correct answer choices by coughing once for 'a', clearing her throat for 'b', and so on.
A programmer for a bank has no need to access the names or balances in depositors' accounts.
One way for the programmer to have a covert channel is to write the data to a file and print it out.
A programmer should not have access to data once the program is in operation.
How to create covert channels
A programmer can always find ways to communicate data values covertly. Running a program that
produces a specific output report or displays a value may be too obvious. For example, in some
installations, a printed report might occasionally be scanned by security staff before it is delivered to
its intended recipient.
The programmer can encode the data values in another innocuous report by varying the format of the
output, changing the lengths of lines, or printing or not printing certain values. For example, changing
the word "TOTAL" to "TOTALS" in a heading would not be noticed, but this creates a 1-bit covert
channel. The absence or presence of the S conveys one bit of information. Numeric values can be
inserted in insignificant positions of output fields, and the number of lines per page can be changed.
A printed report would be too obvious
Encode data values into a different report format
Storage channels: pass information by using the presence or absence of objects in storage e.g.,
lock or not lock a file to signal one bit of information.
A simple example of a covert channel is the file lock channel. In multiuser systems, files can be
"locked" to prevent two people from writing to the same file at the same time (which could corrupt the
file, if one person writes over some of what the other wrote). The operating system or database
management system allows only one program to write to a file at a time, by blocking, delaying, or
rejecting write requests from other programs. A covert channel can signal one bit of information by
whether or not a file is locked.
Timing channels: pass information by the speed at which things happen e.g., using or not using
an assigned amount of computing time (quantum).
In the simple case, a multiprogrammed system with two user processes divides time into blocks and
allocates blocks of processing alternately to one process and the other. A process is offered processing
time, but if the process is waiting for another event to occur and has no processing to do, it rejects the
offer.
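The report-format channel described above ("TOTAL" versus "TOTALS", digits in insignificant positions, varying line lengths) exists because the output has free bits. The following Python validator is an added example, not from the chapter: it checks a report against a fixed layout in which every heading is an exact literal and every numeric field has a fixed width and precision, so any deviation a programmer could use to signal is reported to the security staff who would otherwise have to scan the printout by eye. The layout and the sample reports are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LineSpec:
    """One line of the permitted report layout: an exact literal or a tight regex."""
    exact: str | None = None
    regex: str | None = None
    repeat: bool = False   # True: zero or more consecutive lines may match this spec

    def matches(self, line: str) -> bool:
        if self.exact is not None:
            return line == self.exact
        return re.fullmatch(self.regex, line) is not None


# Constructed layout for a fixed-format account summary. Fixed widths and exactly
# two decimals leave no spare positions in which to hide extra digits.
SPEC = [
    LineSpec(exact="ACCOUNT SUMMARY"),
    LineSpec(exact="ACCOUNT   BALANCE"),
    LineSpec(regex=r"\d{6} {3}\d{7}\.\d{2}", repeat=True),
    LineSpec(exact="TOTAL"),
    LineSpec(regex=r"\d{10}\.\d{2}"),
]


def validate_report(text: str, spec=SPEC) -> list[tuple[int, str]]:
    """Return (line number, reason) for every line that departs from the layout."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()          # allow exactly one trailing newline
    problems = []
    i = 0
    for item in spec:
        if item.repeat:
            while i < len(lines) and item.matches(lines[i]):
                i += 1
            continue
        if i >= len(lines):
            problems.append((i + 1, "report ended before a required line"))
            return problems
        if not item.matches(lines[i]):
            problems.append((i + 1, f"line does not match layout: {lines[i]!r}"))
        i += 1
    for extra in range(i, len(lines)):
        problems.append((extra + 1, f"unexpected extra line: {lines[extra]!r}"))
    return problems


# Constructed sample reports.
CLEAN_REPORT = (
    "ACCOUNT SUMMARY\n"
    "ACCOUNT   BALANCE\n"
    "000123   0001234.50\n"
    "000456   0000010.00\n"
    "TOTAL\n"
    "0000001244.50\n"
)
HEADING_BIT_REPORT = CLEAN_REPORT.replace("TOTAL\n", "TOTALS\n")          # the 1-bit channel
TRAILING_SPACE_REPORT = CLEAN_REPORT.replace("ACCOUNT SUMMARY\n", "ACCOUNT SUMMARY \n")
EXTRA_DIGIT_REPORT = CLEAN_REPORT.replace("0001234.50", "0001234.503")     # insignificant position


if __name__ == "__main__":
    for label, report in [("clean", CLEAN_REPORT), ("heading", HEADING_BIT_REPORT),
                          ("trailing space", TRAILING_SPACE_REPORT), ("extra digit", EXTRA_DIGIT_REPORT)]:
        print(label, validate_report(report))
```

Strictness is the whole point: a layout that tolerates "TOTAL" or "TOTALS", or a trailing space, is a layout with a spare bit per line. The check does nothing against the file-lock and timing channels in the same section, which need operating-system controls rather than output inspection.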
How to prevent these flaws
Good software engineering practices
Operating system controls
Administrative controls
Program controls in general