
USC CSci530 Computer Security Systems
CSci530: Security Systems
Lecture notes, Lecture 7&8 - October 7&14, 2016, Fall 2016 – Part II
Untrusted Computing and Malicious Code
Dr. Clifford Neuman, University of Southern California, Information Sciences Institute
Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Terminology
Vulnerability – A weakness in a system, program, procedure, or configuration that could allow an adversary to violate the intended policies of a system.
Threat – Tools or knowledge (capabilities) that are capable of exploiting a vulnerability to violate the intended policies of a system.
Attack – An attempt to exploit a vulnerability to violate the intended policies of a system.
Compromise or intrusion – The successful actions that violate the intended policies of a system.

Terminology
Trusted – Parts of a system that we depend upon for the proper enforcement of policies, whether or not the code is free of vulnerabilities (almost all systems have vulnerabilities), as compared with
Trustworthy – Our belief that a system is free of vulnerabilities that could result in the violation of the relevant security policies.
Accreditation – A statement by a third party that a system or software has been found to be trustworthy with respect to a particular set of policies and for a particular operational environment.
Incidents and Breaches
Penetration – A successful attack (intrusion) that exploits a vulnerability in the code base of a system or its configuration. The result will often be to install a subversion.
Denial of Service – An attack that prevents authorized access to a resource, by destroying a target or overwhelming it with undesired requests.
Subversion – An intentional change to the code base or configuration of a system that alters the proper enforcement of policy. This includes the installation of backdoors and other control channels in violation of the policy relevant to the system.
Subversion vectors – The methods by which subversions are introduced into a system. Often the vectors take the form of malicious code.

More Terminology
Secure – A system is secure if it correctly enforces a correctly stated policy for a system. A system can only be secure with respect to a particular set of policies and under a set of stated assumptions. There is no system that is absolutely secure.
Trusted Computing Base – That part of a system which, if compromised, affects the security of the entire system. One often unstated assumption made with respect to a secure system is that the TCB is correctly implemented and has not been compromised.
Attack Surface – The accumulation of all parts of a system that are exposed to an adversary, against which the adversary can try to find and exploit a vulnerability that will render the system insecure (i.e. violate the security policies of the system).
Categorizing Malicious Code
How propagated
The perceived effect
• Viruses
– Propagation and payload
• Worms
– Propagation and payload
• Spyware
– Reports back to others
• Zombies or bots or botnets
– Controllable from elsewhere

Classes of Malicious Code
• Trojan Horses
– Embedded in useful program that others will want to run.
– Covert secondary effect.
• Viruses (a specialization of a Trojan horse)
– When program started will try to propagate itself.
• Worms
– Exploits bugs to infect running programs.
– Infection is immediate.

Activities of Malicious Code
• Modification of data
– Propagation and payload
• Spying
– Propagation and payload
• Advertising
– Reports back to others or uses locally
• Propagation
– Controllable from elsewhere
• Self Preservation
– Covering their tracks
• Subversion

Defenses to Malicious Code
• Detection
– Virus scanning
– Intrusion Detection
• Least Privilege
– Don't run as root
– Separate user IDs
• Sandboxing
– Limit what the program can do
• Backup
– Keep something stable to recover

Trojan Horses
• A desirable documented effect
– Is why people run a program
• A malicious payload
– An "undocumented" activity that might be counter to the interests of the user.
• Examples: Some viruses, much spyware.
• Issues: how to get user to run program.

CSci530: Security Systems, Lecture 8 - October 14, 2016, Untrusted Computing and Malicious Code, Dr. Clifford Neuman, University of Southern California, Information Sciences Institute

Trojan Horses
• Software that doesn't come from a reputable source may embed trojans.
• Program with same name as one commonly used inserted in search path.
• Depending on settings, visiting a web site or reading email may cause program to execute.

Viruses
• Resides within another program
– Propagates itself to infect new programs (or new instances)
• May be an instance of Trojan Horse
– Email requiring manual execution
– Infected program becomes trojan

Viruses
• Early viruses used boot sector
– Instruction for booting system
– Modified to start virus then system.
– Virus writes itself to boot sector of all media.
– Propagates by shared disks.

Viruses
• Some viruses infect program
– Same concept, on start program jumps to code for the virus.
– Virus may propagate to other programs then jump back to host.
– Virus may deliver payload.

Viruses can be Spread by Email
• Self propagating programs
– Use mailbox and address book for likely targets.
– Mail program to targeted addresses.
– Forge sender to trick recipient to open program.
– Exploit bugs to cause auto execution on remote site.
– Trick users into opening attachments.

Virus Phases
• Insertion phase
– How the virus propagates
• Execution phase
– Virus performs other malicious action
• Virus returns to host program

Analogy to Real Viruses
• Self propagating
• Requires a host program to replicate.
• Similar strategies
– If deadly to start, won't spread very far – it kills the host.
– If it infects and propagates before causing damage, it can go unnoticed until it is too late to react.

How Viruses Hide
• Encrypted in random key to hide signature.
• Polymorphic viruses change the code on each infection.
• Some viruses cloak themselves by trapping system calls.

Macro Viruses
• Code is interpreted by common application such as Word, Excel, PostScript interpreter, etc.
• May be virulent across architectures.

Worms
• Propagate across systems by exploiting vulnerabilities in programs already running.
– Buffer overruns on network ports
– Does not require user to "run" the worm; instead it seeks out vulnerable machines.
– Often propagates server to server.
– Can have very fast spread times.

Delayed Effect
• Malicious code may go undetected if effect is delayed until some external event.
– A particular time
– Some occurrence
– An unlikely event used to trigger the logic.

Zombies/Bots
• Machines controlled remotely
– Infected by virus, worm, or trojan
– Can be contacted by master
– May make calls out so control is possible even through firewall.
– Often uses IRC for control.

Spyware
• Infected machine collects data
– Keystroke monitoring

Some Spyware Local
• Might not ship data, but just uses it
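The Trojan Horses slide notes that a program with the same name as a commonly used command, inserted into the search path, is a classic Trojan vector. The following audit script is an added example (not from the lecture slides) that checks a PATH for the conditions that make this possible: world-writable directories, empty or relative entries, and a command whose early match shadows the same name in a later directory. The directory layout in demo() is constructed for illustration.

```python
import os
import stat
import tempfile


def audit_path(entries, commands):
    """Return (severity, message) findings for the given PATH entries, in order."""
    findings = []
    seen = {}  # command name -> first directory it was found in (the one a shell would run)
    for d in entries:
        if d in ("", "."):
            findings.append(("high", f"relative/empty PATH entry {d!r} resolves to the current directory"))
            continue
        if not os.path.isdir(d):
            findings.append(("low", f"{d} does not exist"))
            continue
        mode = os.stat(d).st_mode
        # Anyone could drop a look-alike program here unless the sticky bit limits deletion
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(("high", f"{d} is world-writable without the sticky bit"))
        for cmd in commands:
            candidate = os.path.join(d, cmd)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                if cmd in seen:
                    findings.append(("medium", f"{cmd} in {seen[cmd]} shadows {candidate}"))
                else:
                    seen[cmd] = d
    return findings


def demo():
    """Audit a constructed PATH: a world-writable dir first, then an empty entry, then usr/bin."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "tmpbin")
        good = os.path.join(root, "usr", "bin")
        os.makedirs(bad)
        os.makedirs(good)
        os.chmod(bad, 0o777)   # constructed weakness: anyone can write here
        os.chmod(good, 0o755)
        for d in (bad, good):  # the same command name exists in both directories
            p = os.path.join(d, "ls")
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
        return audit_path([bad, "", good], ["ls", "cat"])


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

Running demo() reports the world-writable directory, the empty entry, and the shadowed ls, while cat (present nowhere) produces no finding.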
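The Zombies/Bots slide points out that a bot calls out so its master can reach it through a firewall, often over IRC. The detector below is an added example (not from the lecture slides) that reads outbound connection records and flags a host that repeatedly connects to the same IRC port at near-regular intervals, the beaconing pattern a one-session legitimate IRC client rarely shows. The log format and the IRC port set are assumptions for this example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}  # assumed: plaintext and TLS IRC ports

# Constructed sample records, format "<ISO time> <src> -> <dst>:<port>" (not a vendor format)
SAMPLE_LOG = """\
2016-10-14T09:00:00 10.0.0.5 -> 198.51.100.7:6667
2016-10-14T09:00:02 10.0.0.8 -> 203.0.113.9:443
2016-10-14T09:05:00 10.0.0.5 -> 198.51.100.7:6667
2016-10-14T09:07:30 10.0.0.8 -> 203.0.113.9:443
2016-10-14T09:10:01 10.0.0.5 -> 198.51.100.7:6667
2016-10-14T09:15:00 10.0.0.5 -> 198.51.100.7:6667
2016-10-14T09:16:00 10.0.0.9 -> 198.51.100.7:6667
"""


def parse(log):
    """Yield (timestamp, src, dst, port) for each record."""
    for line in log.splitlines():
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(log, min_hits=3, max_jitter=0.2):
    """Return {(src, dst, port): mean_interval_seconds} for regular outbound IRC connections.

    A flow is flagged when it has at least min_hits connections and the spread of the
    gaps between them (std dev / mean) is at most max_jitter.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in IRC_PORTS:
            by_flow[(src, dst, port)].append(ts)
    alerts = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue  # a single or rare connection is not beaconing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts[flow] = round(avg)
    return alerts


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{interval}s")
```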