DOCSLIB.ORG

Empirical Testing of the Cysemol Tool for Cyber Security Assessment – Case Study of Linux Server and Mysql

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

DEGREE PROJECT IN NETWORK SERVICES AND SYSTEMS 120 CREDITS, SECOND CYCLE STOCKHOLM, SWEDEN 2016 Empirical Testing of the CySeMoL Tool for Cyber Security Assessment – Case Study of Linux Server and MySQL TALVIA RABBANI KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING Acknowledgements This report is a Master Thesis that was started in February 2014. It has been done at the Department of Industrial Information and Control System (ICS) at the Royal Institute of Technology. I would like to give a special and sincere thanks to my supervisor, professor Pontus Johnson at the Department of ICS, Royal Institute of Technology for his time, support, patience and guidance. And to my family for all love and support – Thank you. Talvia Rabbani November 2015 Abstract In this Master Thesis, several common applications used with MySQL and Linux server are modelled using the Enterprise Architecture Analysis Tool (EAAT) and the Cyber Security Modelling Language (CySeMoL), both developed by the Department of Industrial Information and Control System (ICS) at KTH. The objective of this study is to use the CySeMoL tool to evaluate the feasibility and correctness of the tool by simulating some particular type of attacks on a real life Linux server. A few common applications with MySQL on a Linux server and two Linux operating system services are modelled and explained together with their detailed information and defense mechanisms. A real life penetration test has then been carried out in order to validate the simulated results from the tool. The results of the analysis suggest that the security vulnerability predictions done by CySeMoL on a Linux server has good predictive performance. Sammanfattning: I denna Masteruppsats modelleras ett antal vanliga applikationer på en MySQL- och Linuxplattform med hjälp av Enterprise Architecture Analysis Tool (EAAT) tillsammans med Cybersecurity Modeling Language (CySeMoL). Båda dessa är utvecklade vid avdelningen för industriella informations- och styrsystem (ICS) på KTH. Syftet med denna studie är att validera korrektheten av CySeMoL-verktygets sårbarhetsprediktioner genom att simulera ett antal specifika cyberattacker mot en Linuxplattform. Ett antal vanligt förekommande applikationer på en MySQL-plattform samt två operativsystemstjänster i en Linuxserver modelleras. Penetrationstest utförs därefter för att validera resultaten som simuleras i CySeMoL-verktyget. Studien visar att CySeMols förutsägelser stämmer väl med resultaten av penetrationstesterna. Keywords: Cyber Security, CySeMoL, EAAT, Operating System, Server, Application Modeling. Content 1. Introduction ……………………………………………………………………………... 7 1.1 Background………………………………………………………………………… 7 1.2 Purpose of this thesis……………………………………………………………….. 7 1.3 Work Phase and Methodology……………………………………………………… 8 1.4 Thesis Structure…………………………………………………………………….. 9 2. Literature/Theory ……………………………………………………………………… 10 2.1 Overview of Security Analysis Tools……………………………………………... 10 2.2 CySeMoL…………………………………………………………………………. 11 2.3 EAAT……………………………………………………………………………... 13 2.4 UML and OCL……………………………………………………………………. 14 2.5 P2AMF……………………………………………………………………………. 14 3. Model……………………………………………………………………………………. 16 3.1 Selection of software and services………………………………………………… 16 3.1.1 CentOS 7.1 for Linux distribution…………………………………… 17 3.1.2 MySQL database server……………………………………………… 17 3.1.3 PHP for server scripting language……………………………………. 18 3.1.4 Apache web server…………………………………………………… 19 3.1.5 Pure-FTPd server…………………………………………………….. 19 3.1.6 WordPress web application…………………………………………... 19 3.1.7 PHPMyAdmin web application……………………………………… 20 3.1.8 ISPconfig 3 web application…………………………………………. 20 3.1.9 ClamAV antivirus……………………………………………………. 20 3.1.10 Linux service selection……………………………………………….. 20 3.2 Model Description……………………………………………………………….. 22 3.2.1 Network……………………………………………………………… 22 3.2.2 Asus RT-N66U………………………………………………………. 23 3.2.3 LAMP Communication………………………………………………. 24 3.2.4 Wordpress……………………………………………………………. 26 3.2.5 PHPMyAdmin……………………………………………………….. 27 3.2.6 ClamAnti-Virus…………………………………………………….... 29 3.2.7 Pure-FTPd……………………………………………………………. 30 3.2.8 Ispconfig 3 Control Panel…………………………………………….. 31 3.2.9 Daemons……………………………………………………………... 33 3.3 Model Settings……………………………………………………………………. 34 3.3.1 Defense mechanism of Operating System……………………………. 35 3.3.2 Defense mechanism of Application Server……………………………35 3.3.3 Defense mechanism of Application Client…………………………… 35 3.3.4 Defense mechanism of Software Product……………………………. 35 3.3.5 Defense mechanism of Web Application…………………………...... 37 3.3.6 Defense mechanism of Data Store…................................................... 37 3.3.7 Defense mechanism of Password Authentication Mechanism……….. 38 3.3.8 Defense mechanism of Network Zone……………………………….. 40 3.3.9 Defense mechanism of Protocol……………………………………… 40 4. Prediction ………………………………………………………………………………. 43 4.1 OperatingSystem.compromise and OperatingSystem.AccessThroughUI………... 43 4.2 Operatingsystem.aRPSpoof………………………………………………………. 45 4.3 OperatingSystem.findExploit……………………………………………………...46 4.4 Networkinterface.aRPSpoof……………………………………………………… 48 4.5 NetworkZone.access……………………………………………………………... 48 4.6 ApplicationServer.Compromise………………………………………………….. 50 5. Evaluation……………………………………………………………………………… 51 5.1 OperatingSystem.compromise and OperatingSystem.AccessThroughUI…………... 51 5.2 Operatingsystem.aRPSpoof…………………………………………………………. 54 5.3 OperatingSystem.findExploit……………………………………………………….. 55 5.4 Networkinterface.aRPSpoof………………………………………………………… 60 5.5 NetworkZone.access………………………………………………………………... 60 5.6 ApplicationServer.Compromise…………………………………………………….. 63 6. Discussion of the Results……………………………………………………………….. 65 7. Conclusions……………………………………………...……………………………… 67 8. References 9. Appendix 1 10. Appendix 2 vi Chapter 1 Introduction In this chapter, at first, the background information is briefly introduced. Then, the purpose of this thesis is presented. The work phase and the methodology is explained in the next section. Finally the structure of the thesis is described. 1.1 Background The vast growth of the Internet has brought many technological advances like electronic commerce applications, social networks, information distribution and easy access to information. Organizations across the world generate large amounts of sensitive data daily and transfer those through the internet. This vast growth of the Internet has also brought risks in the network. There are significant risks when transferring sensitive information through the internet because of deficiencies regarding network security. There is a possibility for an organization to be hacked by an attacker. The nature of security risks concerning the internet is increasing quickly and constantly. Therefore, cybersecurity was developed to protect networks, computers, programs and data from attack, damage and unauthorized access. The task of cyber security, not only requires ensuring the security of end systems but of the entire network. Nevertheless, it is complex and difficult to manage cybersecurity of an entire enterprise system. To estimate the cyber security of the whole system the enterprise needs experts, for example network penetration testers. There are some delimitations of hiring these type of experts for example, the time that they need to study the whole system, the expertness of their work [1]. Depending on these difficulties, there is a need for a security assessment tool to estimate the cyber security for enterprise networks; a tool that can evaluate possible attacks that could occur in the targeted network in graphical approach for understanding the vulnerabilities of the system in an easy way without having any security experts. With this in mind, the department of Industrial Information and Control Systems (ICS) at KTH, developed an attack graph tool called Cyber Security Modeling Language (CySeMoL) by which the cyber security of each system in an enterprise architecture can be analyzed and evaluated with a probabilistic method [2]. 1.2 Purpose of This Thesis CySeMoL has been developed for system-level assessment of cyber security of information system architectures. It has been tested in various case studies for example- within the electric power industry, power substation automation systems as well as office environments [2]. However, CySeMoL has not been particularly applied in a typical operating system environment. 7 The purpose of this master thesis project is to use the CySeMoL tool to evaluate the feasibility and correctness of the tool by simulating the attacks on a real life Linux server containing a set of commonly used applications. To carry out and accomplish the objectives of this project, common applications used with MySQL server will be installed in a Linux environment. Next, the architecture of the operating system with the applications will be modeled in the CySeMoL tool. The probability of succeeding of certain kinds of attacks will be investigated using the CySeMoL tool and thereafter validating the correctness of the results by comparing it to real time penetration testing in the installed Linux operating system. 1.3. Work Phase and Methodology The master thesis project can be divided into these following work phases: Literature study Data collection Model implementation Predict the probabilities of attacks Evaluate the results In the beginning of the thesis, the fundamental concept and knowledge about CySeMoL and EAAT are essential. Without a comprehensive knowledge of how CySeMoL works it is impossible
Recommended publications
  • Ispconfig 3 Manual]

    Ispconfig 3 Manual]

    [ISPConfig 3 Manual] ISPConfig 3 Manual Version 1.0 for ISPConfig 3.0.3 Author: Falko Timme <[email protected]> Last edited 09/30/2010 1 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. You may keep backup copies of the manual in digital or printed form for your personal use. All rights reserved. This copy was issued to: Thomas CARTER - [email protected] - Date: 2010-11-20 [ISPConfig 3 Manual] ISPConfig 3 is an open source hosting control panel for Linux and is capable of managing multiple servers from one control panel. ISPConfig 3 is licensed under BSD license. Managed Services and Features • Manage one or more servers from one control panel (multiserver management) • Different permission levels (administrators, resellers and clients) + email user level provided by a roundcube plugin for ISPConfig • Httpd (virtual hosts, domain- and IP-based) • FTP, SFTP, SCP • WebDAV • DNS (A, AAAA, ALIAS, CNAME, HINFO, MX, NS, PTR, RP, SRV, TXT records) • POP3, IMAP • Email autoresponder • Server-based mail filtering • Advanced email spamfilter and antivirus filter • MySQL client-databases • Webalizer and/or AWStats statistics • Harddisk quota • Mail quota • Traffic limits and statistics • IP addresses 2 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH.
  • To the Members of the Senate Judiciary Committee: We, The

    To the Members of the Senate Judiciary Committee: We, The

    To the members of the Senate Judiciary Committee: We, the undersigned, have played various parts in building a network called the Internet. We wrote and debugged the software; we defined the standards and protocols that talk over that network. Many of us invented parts of it. We're just a little proud of the social and economic benefits that our project, the Internet, has brought with it. We are writing to oppose the Committee's proposed new Internet censorship and copyright bill. If enacted, this legislation will risk fragmenting the Internet's global domain name system (DNS ), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate. All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them.
  • DEFINICIÓN Un Antivirus

    DEFINICIÓN Un Antivirus

    ANTIVIRUS DEFINICIÓN Un antivirus es un programa de computadora cuyo propósito es combatir y erradicar los virus informáticos. Para que el antivirus sea productivo y efectivo hay que configurarlo cuidadosamente de tal forma que aprovechemos todas las cualidades que ellos poseen. Hay que saber cuales son sus fortalezas y debilidades y tenerlas en cuenta a la hora de enfrentar a los virus. Un antivirus es una solución para minimizar los riesgos y nunca será una solución definitiva, lo principal es mantenerlo actualizado. Para mantener el sistema estable y seguro el antivirus debe estar siempre actualizado, tomando siempre medidas preventivas y correctivas y estar constantemente leyendo sobre los virus y nuevas tecnologías. ¿CÓMO FUNCIONA? Básicamente, un antivirus compara el código de cada archivo con una base de datos de los códigos (también conocidos como firmas o vacunas) de los virus conocidos, por lo que es importante actualizarla periódicamente a fin de evitar que un virus nuevo no sea detectado. También se les ha agregado funciones avanzadas, como la búsqueda de comportamientos típicos de virus (técnica conocida como Heurística) o la verificación contra virus en redes de computadores. Normalmente un antivirus tiene un componente que se carga en memoria y permanece en ella para verificar todos los archivos abiertos, creados, modificados y ejecutados en tiempo real. Es muy común que tengan componentes que revisen los adjuntos de los correos electrónicos salientes y entrantes, así como los scripts y programas que pueden ejecutarse en un navegador web (ActiveX, Java, JavaScript). ALGUNOS ANTIVIRUS 1 CLAM ANTIVIRUS Comodo AntiVirus FProt Antivirus FSecure AntiVirus ZoneAlarm Antivirus ANTIVIRUS HEURISTICOS Los heurísticos analizan el código de cada archivo con métodos genéricos y detectan virus nuevos que todavía no se han incluido en la base de datos de virus del programa antivirus.
  • Domain Name Server Comparison

    Domain Name Server Comparison

    DomainNameServerComparison: BIND8vs.BIND9vs.djbdnsvs.??? BradKnowles SeniorConsultantforSnow,BV [email protected] http://www.shub-internet.org/brad/papers/dnscomparison/ Entirecontentscopyright©2003byBradKnowles,allrightsreserved Overview • Meta Information • TLD Survey Results • Software – Installation – Features – Performance • Conclusions 2003-01-28 Copyright©2003byBradKnowles 2 MetaInformation • Hardware Used • Software Used • Methodology 2003-01-28 Copyright©2003byBradKnowles 3 HardwareUsed • TLD Survey – OS: BSD/OS 4.2 – CPU: Pentium III – RAM: 512MB real, 1.0GB virtual 2003-01-28 Copyright©2003byBradKnowles 4 HardwareUsed • Performance Testing – Compaq Armada 4131T Laptop • OS: FreeBSD 4.6.2-RELEASE • CPU: Pentium 133 • RAM: 48MB real, 384MB virtual • NICs: Asanté FriendlyNET AL1011 “Prism2” 802.11b WiFi PC Card & Linksys EtherFast 10/100 PC Card (PCM100) • HD: 10GB IBM Travelstar 20GN – 4200 RPM – 12ms avg. seek 2003-01-28 Copyright©2003byBradKnowles 5 HardwareUsed: PerformanceTesting Image copyright © 2001 Sunset Computer Services, Inc. All Rights Reserved. 2003-01-28 Copyright©2003byBradKnowles 6 SoftwareUsed • ISC – BIND 8.3.3-REL – BIND 9.2.2rc1 • djbdns 1.05 – daemontools 0.76 – ucpsi-tcp 0.88 – tinydns-bent 1.1 • nsd 1.02b1 • Nominum – ANS (Authoritative Name Server) 2.0.1-1eval – CNS (Caching Name Server) 1.1.0b1 • PowerDNS 2.9.4 2003-01-28 Copyright©2003byBradKnowles 7 SomeSoftwareConsidered • QuickDNS (authoritative) – See <http://www.menandmice.com/2000/2600_isp_dns_solution.html> • Aimed at small-to-medium size businesses,
  • Sirdom. Sistema Para La Gestión Del Servicio De Resolución De Nombres De Dominios

    Sirdom. Sistema Para La Gestión Del Servicio De Resolución De Nombres De Dominios

    Revista de investigación Editada por Área de Innovación y Desarrollo, S.L. Envío: 27-01-2013 Aceptación: 30-01-2013 Publicación: 19-02-2013 SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS SIRDOM. MANAGEMENT SYSTEM FOR THE RESOLUTION NAMES DOMAINS SERVICE. Yoedusvany Hernández Mendoza1 Yordanis Arencibia López2 Yankier Crespo González3 1. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 2. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 3. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. RESUMEN Este artículo presenta un estudio del comportamiento del servicio DNS, su funcionamiento, herramientas y por último se propone un sistema informático que permite configurar y gestionar dicho servicio a través de una serie de prestaciones y facilidades que las aplicaciones actuales no posibilitan. Este sistema permitirá gestionar el servicio de resolución de nombres de dominio sobre BIND en su versión 9. ABSTRACT This paper presents a study of the behavior of DNS, its operating principle, tools and finally proposes a computer system to configure and manage this service through a number of benefits and facilities that do not allow current applications. This system will manage the service of domain name resolution on BIND version 9. PALABRAS CLAVE Bind, DNS, dominio, resolución, sistema. KEYWORDS Bind, DNS, domain, resolution, system. SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS DE NOMBRES DE RESOLUCIÓN DE SERVICIO DEL GESTIÓN LA PARA SISTEMA SIRDOM. 2 INTRODUCCIÓN Las diferentes instituciones y organizaciones, siendo los centros educacionales unos de los principales, han tenido que cambiar sus esquemas tradicionales para adaptarse a la actual era de la información.
  • Clam Antivirus: Open-Source Virus Protection

    Clam Antivirus: Open-Source Virus Protection

    Clam Antivirus: Open-Source Virus protection Michaël Van Canneyt March 16, 2014 Abstract Protecting your precious PC against email and other viruses doesn’t have to cost a lot of money: Clam Antivrus is an open source virus scanner which can be installed on Unix machines (suitable for integration in mail server’s MTAs) but which also has a Windows version for those that are not fortunate enough have a Unix at hand. Introducing Clam Antivirus Clam Antivirus is an open-source implementation of a virus scanner which does 1 thing only: it scans a file for known viruses. The virus scanner consists of 2 parts: One is the actual scanner, clamscan: It scans a file to see whether it is infected with a known virus. It reports on the found viruses. The known viruses are kept in a database file. The second part (freshclam) serves to keep this database up-to-date: new viruses are born every day, and existing viruses mutate to more dangerous forms regularly, it is therefore of the utmost importance to keep the database with virus definitions up-to-date. The freshclam program should be run on a regular basis, for instance in a cron job on Unix. The Unix version features also a client/server model: The scanner runs as a daemon. The clamscan program then sends the file to be scanned to the daemon, for inpection. This reduces startup time and system load, which is quite important on servers than run a heavy- load MTA service. On Windows, a small GUI frontend exists which allows to perform and schedule scans, and to perform and schedule the virus database update.
  • Powerdns Offerings ­ Version Current As of November 2012 ● Remotely Pollable Statistics for Real Time Graphing ● High Performance ● SNMP Statistics Bridge (Read Only)

    Powerdns Offerings ­ Version Current As of November 2012 ● Remotely Pollable Statistics for Real Time Graphing ● High Performance ● SNMP Statistics Bridge (Read Only)

    Products, Features & Services PowerDNS PowerDNS, founded in the late 1990s, is a premier supplier of DNS software, services and support. Deployed throughout the world with some of the most demanding users of DNS, we pride ourselves on quality software and the very best support available. PowerDNS customers include leading telecommunications service providers, large scale integrators, content distribution networks, cable networks / multi service operators and Fortune 500 software companies. In various important markets, like Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software. PowerDNS is based in The Netherlands, Europe and is privately held. Products Authoritative Server The PowerDNS Authoritative Server is the only solution that enables authoritative DNS service from all major databases, including but not limited to MySQL, PostgreSQL, SQLite3, Oracle, Sybase, Microsoft SQL Server, LDAP and plain text files. DNS answers can also be fully scripted using a variety of (scripting) languages like for example Lua, Java, Perl, Python, Ruby, C and C++. Such scripting can be used for dynamic redirection, (spam)filtering or real time intervention. In addition, the PowerDNS Authoritative Server is the leading DNSSEC implementation, hosting the majority of all DNSSEC domains worldwide. The Authoritative Server hosts at least 30% of all domain names in Europe, and around 90% of all DNSSEC domains in Europe. Recursor The PowerDNS Recursor is a high­end, high­performance resolving name server which powers the DNS resolution of at least a hundred million subscribers. Utilizing multiple processors and supporting the same powerful scripting ability of the Authoritative Server, the Recursor delivers top performance while retaining the flexibility modern DNS deployments require.
  • Linux Security Review 2015

    Linux Security Review 2015

    Linux Security Review 2015 www.av-comparatives.org AV-Comparatives Linux Security Review Language: English May 2015 Last revision: 26 th May 2015 www.av-comparatives.org -1- Linux Security Review 2015 www.av-comparatives.org Contents Introduction ....................................................................................................................... 3 Reviewed products ............................................................................................................... 4 Malware for Linux systems ..................................................................................................... 5 Linux security advice ............................................................................................................ 6 Items covered in the review .................................................................................................. 7 Avast File Server Security ...................................................................................................... 8 AVG Free Edition for Linux.................................................................................................... 11 Bitdefender Antivirus Scanner for Unices ................................................................................ 13 Clam Antivirus for Linux ....................................................................................................... 17 Comodo Antivirus for Linux .................................................................................................. 20 Dr.Web Anti-virus for
  • Characterizing Antivirus Workload Execution

    Characterizing Antivirus Workload Execution

    Characterizing Antivirus Workload Execution Derek Uluski, Micha Moffie and David Kaeli Computer Architecture Research Laboratory Northeastern University Boston, MA {duluski,mmoffie,kaeli}@ece.neu.edu Abstract head is introduced if we enable anti-virus scan- ning. Many users are unhappy with the per- Despite the pervasive use of anti-virus (AV) formance penalty they must pay for security. software, there has not been a systematic The amount of overhead introduced can be study of the characteristics of the execution of so significant that many users will defer virus this workload. In this paper we present a char- scanning or totally disable their anti-virus soft- acterization of four commonly used anti-virus ware. Then their system will be vulnerable to software packages. Using the Virtutech Simics viruses. Thus, it is important to address the toolset, we profile the behavior of four popu- performance overhead associated with anti- lar anti-virus packages as run on an Intel Pen- virus software execution. tiumIV platform running Microsoft Windows- Most anti-virus software packages employ a XP. range of scanning techniques to decide whether In our study, we focus on the overhead in- or not a given file is infected. More complex troduced by the anti-virus software during on- techniques also exist such as: sandboxing, dig- access execution. The overhead associated ital watermarking, and heuristic-based tech- with anti-virus execution can dominate overall niques [11]. performance. The AV-Test group has already There are two main usage models when run- reported that this overhead can range from 23- ning anti-virus software, 1) on-demand,and2) 129% on live systems running on-access exper- 1 on-access.
  • Anti-Virus Outbreak Response Testing and Impact

    Anti-Virus Outbreak Response Testing and Impact

    Insecurity in Security Software Maik Morgenstern Andreas Marx AV-Test GmbH http://www.av-test.org Virus Bulletin 2005 Conference presentation about “Insecurity in Security Software” Copyright © 2005 AV-Test GmbH, Klewitzstr. 6, D-39112 Magdeburg, Germany Phone: +49 391 6075460, Fax: +49 391 6075469, http://www.av-test.org Table of content z The paradox z Types of security software z Comparison of CVE advisories z Examples of bugs and security vulnerabilities z Why bugs occur z Vulnerability lifecycle z What to do? (for users and developers) z Trustworthy computing security development lifecycle The paradox z All software products contain security vulnerabilities (and other bugs) z AV software is widely deployed to protect companies, organizations and home users z Every week, security flaws are discovered in different AV products z The paradox: Security software is meant to secure the system, but nowadays it introduces new security holes. Types of security software z Two different groups of security software: – Home and business user software (widely used) z Firewalls z IPSec products z IDS/IPS z AV software… – Tools used by researchers (small deployment) z IDA Pro z OllyDbg z Softice… CVE advisories for vendor products (2001 quarterly average = 100, Source: © The Yankee Group) z Microsoft / Security vendors / All vendors Bugs leading to security vulnerabilities z A couple of examples from recent months (advisory titles): – ISS and the Witty Worm – Trend Micro VSAPI ARJ parsing – McAfee Virus Library – Symantec Multiple Products UPX Parsing Engine Heap Overflow – Computer Associates Vet Antivirus Library Remote Heap Overflow – Kaspersky AntiVirus "klif.sys" Privilege Escalation Vulnerability – OllyDbg "INT3 AT" Format String Vulnerability – DataRescue IDA Pro Dynamic Link Library Format String Vulnerability – Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability Bugs vs.
  • Självständigt Arbete På Grundnivå

    Självständigt Arbete På Grundnivå

    Självständigt arbete på grundnivå Independent degree project - first cycle Datateknik Computer Engineering Master's thesis Hantering av nätverkscache i DNS Two ye Hans Lindqvist i MITTUNIVERSITETET Avdelningen för informationssystem och -teknologi (IST) Examinator: Ulf Jennehag, [email protected] Handledare: Johannes Lindén, [email protected] Författare: Hans Lindqvist, [email protected] Utbildningsprogram: Datateknik, 180 hp Huvudområde: Datateknik Termin, år: VT, 2019 ii Hantering av nätverkscache i DNS Hans Lindqvist 2019-06-13 Sammanfattning Domännamnsystemet, DNS, utgör en fundamental del av användbarheten för Internet, men dess cachefunktion utmanas av adressers ökande storlek, antal och automatisering. Parallellt råder begränsad minneskapacitet hos vissa enheter i Internets utkant mot Internet of Things. Studien har tittat närmare på nutida behov av namnuppslagning och har då betraktat hur DNS påverkats av IPv6- adressutbredning, mobila enheter, innehållsleveransnätverk och webbläsarfunktioner. Undersökningen har i två fritt tillgängliga serverprogramvaror för DNS-uppslag sökt efter den optimala hanteringen av cache hos begränsade enheter i, eller på gränsen till, Sakernas Internet. Med hjälp av tillgången till öppen källkod för programmen, Unbound och PowerDNS Recursor, har dess respektive strukturer tolkats för att uppskatta och jämföra minnesbehov. Därefter har en simulering gjorts i en laborativ miljö med fiktiva DNS-data av verklighetstrogen karaktär för att mäta den faktiska förbrukningen av minne på DNS-serverns process. Vid simuleringen undveks att individuellt anpassa programmens inställningar, att blanda in data för DNSSEC, samt att införa minnesbegränsningar i testmiljön. Undersökningen av källkod beräknade att Unbound var mer optimalt för posttyperna A+AAAA medan PowerDNS Recursor var effektivare för posttypen PTR. För båda posttyperna som helhet visade mätningarna i simuleringen att Unbound kunde lagra DNS-data tätare än PowerDNS Recursor.
  • Clam Antivirus 0.100.2 User Manual Contents 1

    Clam Antivirus 0.100.2 User Manual Contents 1

    Clam AntiVirus 0.100.2 User Manual Contents 1 Contents ClamAV User Manual, 87d 88d 89d c 2018 Cisco Systems, Inc. Authors: Tomasz Kojm This document is distributed under the terms of the GNU General Public License v2. Clam AntiVirus is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ClamAV and Clam AntiVirus are trademarks of Cisco Systems, Inc. 1 Introduction 2 1 Introduction Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed espe- cially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library. 1.1 Features • Licensed under the GNU General Public License, Version 2 • POSIX compliant, portable • Fast scanning • Supports on-access scanning (Linux only) • Detects over 1 million viruses,