Taxonomy of flaws:
- how (genesis)
- when (time)
- where (location)
Genesis:
- Intentional
  - Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  - Non-malicious
- Inadvertent
  - Validation error
  - Domain error
  - Serialization error
  - Identification/authentication error
  - Other error
Software provides functionality:
- Functionality comes with certain risks
- Software security aims to manage risk
- Security is always a secondary concern
- Security achievement is hard to evaluate when nothing bad happens
Attacker:
- Downloads the site's code for offline study
- Maps the site's functionality and vulnerabilities
- Experiments with the site's response to supplied data
Vulnerabilities range from corrupting sites, applications and servers to attacking other clients.
OWASP Top Ten 2013:
- A1-Injection
- A2-Broken Authentication and Session Management
- A3-Cross-Site Scripting (XSS)
- A4-Insecure Direct Object References
- A5-Security Misconfiguration
- A6-Sensitive Data Exposure
- A7-Missing Function Level Access Control
- A8-Cross-Site Request Forgery (CSRF)
- A10-Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2013_Project
Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not programs - they cannot run on their own.
Bacteria: make copies of themselves to overwhelm a computer system's resources, denying the user access to the resources.
Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses.
Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed.
Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.
Dropper: not a virus or infected file. When executed, it installs a virus into memory, onto the disk, or into a file.
Virus lifecycle:
- Dormant phase: the virus is idle (not all viruses have this stage).
- Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
- Triggering phase: the virus is activated to perform the function for which it was created.
- Execution phase: the function is performed. The function may be harmless or damaging.
Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.
Boot Sector Viruses:
- Infect the boot record and spread when the system is booted.
- Gain control of the machine before the virus detection tools.
- Very hard to notice.
- Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS
Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.
Polymorphic virus: a virus that mutates with every infection, making detection by the "signature" of the virus difficult.
Virus V has to be invoked instead of target T:
- V overwrites T
- V changes pointers from T to V
High risk virus properties:
- Hard to detect
- Hard to destroy
- Spread infection widely
- Can re-infect
- Easy to create
- Machine independent
Countermeasures:
- Prevention: disallow the download/execution.
- Detection: determine infection and locate the virus.
- Identification: identify the specific virus.
- Removal: remove the virus from all infected systems, so the disease cannot spread further.
- Recovery: restore the system to its original state.
Prevention:
- Good source of installed software
- Isolated testing phase
- Use virus detectors
- Limit damage: make a bootable diskette
Virus Signature: needs constant update
- Storage pattern
- Code always located at a specific address
- Increased file size
- Execution pattern
- Transmission pattern
- Polymorphic viruses
Heuristics: monitoring files and how programs access these files
- Suspicious access alert
Cloud-based detection: perform virus scanning remotely
Firewall-based detection of abnormal activities
- Not virus detection but abnormal communication patterns
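The slides above contrast signature matching (which a polymorphic variant defeats) with heuristics such as watching for increased file size. The following added example, not from the slides, shows both detectors side by side over constructed byte strings: a known byte pattern is caught by the signature scanner, while an unknown appended blob is caught only by a size/hash integrity baseline. The signature database and the "files" are invented for the demonstration.

```python
import hashlib

# Constructed signature database: one fake byte pattern, not real malware.
SIGNATURES = {"Demo.A": b"DEMO-SIG-ALPHA"}

def scan_signatures(data: bytes, sigs=SIGNATURES) -> list:
    """Signature check: report every known byte pattern present in data."""
    return sorted(name for name, pattern in sigs.items() if pattern in data)

def baseline(files: dict) -> dict:
    """Record size and SHA-256 of each trusted file (taken at install time)."""
    return {name: (len(d), hashlib.sha256(d).hexdigest()) for name, d in files.items()}

def integrity_changes(base: dict, files: dict) -> dict:
    """Heuristic check: flag files whose size or hash differ from the baseline."""
    report = {}
    for name, data in files.items():
        current = (len(data), hashlib.sha256(data).hexdigest())
        if name not in base:
            report[name] = "new file"
        elif base[name] != current:
            growth = current[0] - base[name][0]
            report[name] = f"modified (size {growth:+d} bytes)"
    return report

# Constructed clean programs as they were at install time.
CLEAN = {
    "editor.exe": b"MZ editor program body",
    "calc.exe": b"MZ calculator program body",
    "notes.txt": b"just a text file",
}

# Constructed later snapshot: editor.exe carries the known pattern,
# calc.exe carries an unknown appended blob (standing in for a
# mutated variant whose signature is not yet in the database).
LATER = {
    "editor.exe": CLEAN["editor.exe"] + b"DEMO-SIG-ALPHA",
    "calc.exe": CLEAN["calc.exe"] + b"\x9a\x11\x42",
    "notes.txt": CLEAN["notes.txt"],
}

def run_checks(base=None, files=LATER) -> dict:
    """Combine both detectors: {file: (signature hits, integrity note)}."""
    base = baseline(CLEAN) if base is None else base
    integrity = integrity_changes(base, files)
    return {name: (scan_signatures(data), integrity.get(name))
            for name, data in files.items()}

if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(name, verdict)
```

The integrity check only works if the baseline is taken from a trusted source, which is why the prevention list stresses a good software source and an isolated testing phase.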
Worm:
- Self-replicating (like a virus)
- Objective: system penetration (intruder)
- Phases: dormant, propagation, triggering, and execution
- Propagation:
  - Searches for other systems to infect (e.g., host tables)
  - Establishes a connection with the remote system
  - Copies itself to the remote system
  - Executes
Adware: malware designed to display advertisements in the user's software
- May be harmless or harmful
Spyware: malware that spies on the user
Scareware: malware
- with malicious payloads, or of limited or no benefit
- intended to cause shock, anxiety, or the perception of a threat
- Rapidly increasing, high impact attacks
- Scareware warnings
Ransomware: holds a computer system, or the data it contains, hostage against its user by demanding a ransom.
- Disables an essential system service or locks the display at system startup
- Encrypts some of the user's personal files
Victim has to:
- enter a code obtainable only after wiring payment to the attacker or sending an SMS message
- buy a decryption or removal tool