
Application Security

95-752:8-1
Malicious Code
• Vulnerable Software
• Hacker toolkits
• Back/Trapdoors
• Greedy Programs / Logic bombs
• Salami Attacks
• Trapdoors
• Worms/Viruses
• Bot Networks
95-752:8-2
Vulnerable Software
• Buffer overflows
• Insecure running environment
• Insecure temporary files
• Insecure program calls
• Weak encryption
• Poor programming
• “If people built buildings the way that
programmers write software, the first woodpecker
to come along would destroy civilization.”
95-752:8-3
Handling Vulnerabilities

• Locating
• Dealing with vendors
• Applying patches
• Disabling services
• Reconfiguring software/services

95-752:8-4
Hacker Toolkits
• Programs that automatically scan for security problems on systems
– Useful for system administrators to find problems for fixing
– Useful for hackers to find problems for exploitation
• Examples:
– SATAN
– COPS
– ISS
• Countermeasure: Detection software

95-752:8-5
Back/Trapdoors
• Pieces of code written into applications or operating systems to grant programmers easy access
• Useful for debugging and monitoring
• Too often, not removed
• Examples:
– Dennis Ritchie’s login/compiler hack
– Sendmail DEBUG mode
• Countermeasures
– Sandboxing
– Code Reviews

95-752:8-6
Logic Bombs
• Pieces of code that cause undesired effects when an event occurs
• Used to enforce licenses (time-outs)
• Used for revenge by disgruntled employees
• Can be hard to determine malicious intent
• Examples
– British accounting firm logic bomb
– British bank hack
• Countermeasures
– Personnel security
95-752:8-7
Viruses
• Pieces of code that attach to existing programs
• Not distinct program
• No beneficial use – VERY destructive
• Examples:
– Michelangelo
– Love letter
• Countermeasures
– Virus detection/disinfection software

95-752:8-8
Structure of a Virus
• Marker: determine if a potential carrier
program has been previously infected
• Infector: Seeks out potential carriers and
infects
• Trigger check: Establishes if current
conditions are sufficient for manipulation
• Manipulation: Carry out malicious task

95-752:8-9
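The marker on the previous slide is also what detection/disinfection software (the countermeasure listed under Viruses) keys on. The following is an added example, not part of the lecture, of a toy scanner for an appending-virus model; the file layout, the marker bytes and the sample files are all constructed for this illustration.

```python
"""Toy signature scanner / disinfector for an appending virus.

Assumed (constructed) layout of an infected carrier:
    host bytes || MARKER || payload || original length (4 bytes, big-endian)
A clean carrier never contains MARKER, so the marker the infector uses to
avoid re-infecting a file doubles as the scanner's signature.
"""
import struct

MARKER = b"\x4d\x5a\xde\xad"   # hypothetical infection marker (constructed)
LEN_FIELD = 4                  # size of the trailing original-length field


def is_infected(data: bytes) -> bool:
    """Marker check: same test the infector performs, used here for detection."""
    return MARKER in data


def disinfect(data: bytes) -> bytes:
    """Restore the original carrier by truncating at the recorded length.
    Raises ValueError when the trailer disagrees with the marker offset, so a
    damaged or spoofed marker is reported instead of silently truncating."""
    idx = data.find(MARKER)
    if idx < 0:
        return data                       # nothing to do
    (orig_len,) = struct.unpack(">I", data[-LEN_FIELD:])
    if orig_len != idx:
        raise ValueError(f"trailer length {orig_len} disagrees with marker offset {idx}")
    return data[:orig_len]


def scan(files: dict) -> dict:
    """Return a per-file verdict for a set of in-memory files {name: bytes}."""
    verdicts = {}
    for name, data in files.items():
        if not is_infected(data):
            verdicts[name] = "clean"
            continue
        try:
            disinfect(data)
            verdicts[name] = "infected (repairable)"
        except ValueError as err:
            verdicts[name] = f"infected (unrepairable: {err})"
    return verdicts


# Constructed sample files
CLEAN_HOST = b"\x7fELF" + b"host code " * 3
PAYLOAD = b"<payload bytes>"
INFECTED = CLEAN_HOST + MARKER + PAYLOAD + struct.pack(">I", len(CLEAN_HOST))
CORRUPT = CLEAN_HOST + MARKER + PAYLOAD + struct.pack(">I", 7)

if __name__ == "__main__":
    for name, verdict in scan({"a": CLEAN_HOST, "b": INFECTED, "c": CORRUPT}).items():
        print(name, verdict)
```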
Types of Viruses
• Memory-resident
• Hardware
• Buffered
• Hide-and-seek
• Live-and-die
• Boot segment
• Macro
95-752:8-10
Worms
• Stand-alone programs that copy themselves
from system to system
• Some use in network computation
• Examples:
– Dolphin worm (Xerox PARC)
– Code Red (2001, $12B cost)
– Morris Worm (1988, $20M cost)
• Countermeasures
– Sandboxing
– Quick patching: fix holes, stop worm
95-752:8-11
Trojan Horses
• Programs that have malicious covert purpose
• Have been used for license enforcement
• Examples:
– FIX2001
– AOL4FREE
– RIDBO
• Countermeasures
– Sandboxing
– Code reviews

95-752:8-12
Greedy Programs
• Programs that copy themselves
• Core wars
• Have been used in destructive web
pages, standalone programs
• Can be very difficult to show deliberate
usage
• Countermeasures:
– CPU quotas on process families
– Process quotas
– Review of imported software & web pages

95-752:8-13
Bot Networks
• Collections of compromised machines
• Typically, compromised by scripts
• Respond to commands, perhaps encrypted
• Examples:
– Leaves
– Code Red II
• Countermeasures: Vulnerability patching, integrity checks
95-752:8-14
