DATA & COMPUTER SECURITY (CSNB414) MODULE 7 PROGRAM SECURITY

Upload: erick-bell

Post on 27-Dec-2015


DATA & COMPUTER SECURITY (CSNB414)

MODULE 7: PROGRAM SECURITY

Something to Ponder…

How do we assess program security? One approach is by fixing faults, going through its requirements, system design, coding, etc.

BUT if we follow this method, then do we say that program A, in which 20 faults were discovered and fixed, is more secure than program B, in which 100 faults were discovered and fixed?
- One may argue YES: program B, in which many faults were discovered in the earlier stages, is likely to have more faults still to be found.
- Another may argue NO: program B has gone through rigorous testing, which is proven by the discovery of many faults.

Something to Ponder… (cont.)

Bear in mind that some studies have shown that more faults may be introduced by fixing a single initial error, if the fix is not analyzed and done properly!

Another approach to assessing program security is evaluating its conformance to its user requirements (i.e. whether the program behaves in the manner it is expected to).

However, if program X meets all its requirements but the whole set of requirements itself does not cover all the necessary security features, then is program X really secure?

The whole assessment of program security is indeed complicated and subjective!

Overview of Program Security

The root causes of program security flaws can be roughly divided into two, which are:
(1) code that was intentionally designed or coded to be malicious
(2) code that was unintentionally developed in a sloppy or misguided way

Though the increasing use of the Internet and networked computers nowadays has led to a higher volume of malicious cyber attacks, inadvertent, careless human errors can cause equal or even much more harm to users and organizations.

Thus, it is important to ensure that appropriate and necessary security measures are taken to address both flaws.

Unintentional Program Flaws

Amongst the causes of nonmalicious program flaws are:
(1) Buffer overflows
(2) Incomplete mediation
(3) Synchronization errors
(4) Combinations of nonmalicious program flaws

The vulnerabilities created by unintentional program flaws can easily be exploited and manipulated by individuals with malicious intentions, which doubles the danger!!

Buffer Overflows

In programming, we often need to define the buffer size. This means that the buffer can hold any data as long as it fits within that size; anything written outside this range causes an overflow.

The security implications depend on where the overflow goes, i.e. whether it affects:
(a) user data
(b) system data
(c) user program code
(d) system program code

Mild security implications include program errors, etc. The more serious ones can crash the system.

Nowadays, attacks include manipulating buffer overflow vulnerabilities, resulting in serious security threats. **Read example page 100 - 104**
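The following C example is added here to illustrate the buffer size problem described above; it is not code from the module or its textbook. The buffer size `NAME_LEN`, the function names and the sample inputs are all assumptions made for the example: the unsafe copy shows the pattern that overflows, and the hardened copy shows the length check that prevents it.

```c
#include <string.h>

#define NAME_LEN 16   /* the buffer size the programmer "defined" */

/* Unsafe pattern: strcpy copies until it finds the NUL terminator and never
 * looks at the destination size, so any input of NAME_LEN bytes or more
 * writes past the buffer into whatever sits next to it in memory (user data,
 * system data or code, as the slide lists). Kept here for contrast only;
 * the wrapper below never calls it. */
void store_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened version: the input length is bounded by the destination size
 * before anything is copied, the result is always NUL-terminated, and
 * oversized input is rejected rather than silently truncated.
 * Returns 0 on success, -1 when the name does not fit. */
int store_name_safe(char dst[NAME_LEN], const char *src) {
    /* memchr stops after NAME_LEN bytes, so it never reads past a short
     * source, and a NULL result means "no terminator within the buffer". */
    const char *end = memchr(src, '\0', NAME_LEN);
    if (end == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the NUL too */
    return 0;
}

/* Demo wrapper (assumed name): returns the length actually stored, or -1
 * when the hardened copy refused the input. */
int stored_name_length(const char *src) {
    char name[NAME_LEN];
    if (store_name_safe(name, src) != 0)
        return -1;
    return (int)strlen(name);
}
```

A 15-character name plus its terminator is exactly 16 bytes and fits; a 16-character name leaves no room for the terminator and is refused.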

Incomplete Mediation

Incomplete mediation results from data being exposed to uncontrolled situations.

Assume that at the client side a user is asked to enter a month: can he then type in ‘Pan’ or ‘Tan’?

This problem could be eliminated with a drop-down menu of valid choices of months.

However, what happens if the user is allowed to modify the data in the return URL directly? This is where the vulnerability lies: the data is exposed!!

The security implications vary; an innocent mistake may only result in a system error.

However, cyber attacks on e-commerce websites may exploit this vulnerability and result in transaction losses (e.g. by modifying the total cost of products sold, etc.). **Read example page 105**
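The following C example is added to show what complete mediation looks like on the server side for the two cases above (the month field and the e-commerce total); it is not code from the module. The accepted month formats, the price table and the function names are assumptions made for the example.

```c
#include <ctype.h>
#include <string.h>

/* Server-side check of the "month" field. The client's drop-down is a
 * convenience, not a control: the value can be edited in the returned URL,
 * so the server validates it again. Accepts "1".."12" or a three-letter
 * abbreviation in any case; returns 1..12, or -1 for anything else. */
int parse_month(const char *s) {
    static const char *abbr[12] = {"jan", "feb", "mar", "apr", "may", "jun",
                                   "jul", "aug", "sep", "oct", "nov", "dec"};
    if (s == NULL) return -1;
    if (isdigit((unsigned char)s[0])) {          /* numeric form, max 2 digits */
        int v = 0;
        for (size_t i = 0; s[i] != '\0'; i++) {
            if (i >= 2 || !isdigit((unsigned char)s[i])) return -1;
            v = v * 10 + (s[i] - '0');
        }
        return (v >= 1 && v <= 12) ? v : -1;
    }
    if (strlen(s) != 3) return -1;
    for (int m = 0; m < 12; m++)
        if (tolower((unsigned char)s[0]) == abbr[m][0] &&
            tolower((unsigned char)s[1]) == abbr[m][1] &&
            tolower((unsigned char)s[2]) == abbr[m][2])
            return m + 1;
    return -1;   /* "Pan", "Tan", "13" and "" all land here */
}

/* Constructed sample price table; in a real system this lives server-side. */
static const struct { int item; long cents; } catalogue[] = {
    {101, 1999}, {102, 500}, {103, 12000}
};

/* The e-commerce case: the total is recomputed from the server's own price
 * table and a bounded quantity. Returns cents, or -1 for a bad item or qty. */
long order_total_cents(int item, int qty) {
    if (qty < 1 || qty > 100) return -1;
    for (size_t i = 0; i < sizeof catalogue / sizeof catalogue[0]; i++)
        if (catalogue[i].item == item) return catalogue[i].cents * qty;
    return -1;
}

/* A total submitted by the client is only compared, never used: returns 1 if
 * it differs from the authoritative total, 0 if it matches, -1 if the order
 * itself is invalid. */
int submitted_total_tampered(int item, int qty, long submitted_cents) {
    long total = order_total_cents(item, qty);
    if (total < 0) return -1;
    return submitted_cents != total;
}
```

A mismatch between the submitted and recomputed totals is worth logging, since it is the signature of a modified return URL.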

Synchronization Error

A synchronization error occurs when data integrity is compromised because of timing differences.

A classic example is the Time-of-Check (TOC) to Time-of-Use (TOU) error, in which data validated at the time of check is then modified before the time of use, while the system is unaware of this modification.

Imagine two persons accessing the same bank account at roughly the same time, one through an ATM machine, say X, and another through an online banking system, say Y. When both log in to the account, they see that the balance is RM1000. Y then authorizes a bank transfer of RM800, which is approved. If this information is not updated immediately (even with a gap of a few seconds), then X manages to withdraw another RM800 in cash from the same account!!

There is a time-line from the existence of a non-malicious programmer’s error, through its detection and its potential exploitation, until a remedy is available. A zero-day exploit is an exploit for which exploit code is known but no remedy yet exists.
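The following C example is added to reproduce the bank account scenario above in code; it is not from the module. The account types, the `other_party` hook (which stands in for Y's transfer landing inside the window) and the function names are assumptions made for the example. The fix shown uses a C11 compare-and-swap so that the check and the update become one step.

```c
#include <stdatomic.h>

typedef struct { long balance; } account_t;             /* unsynchronised */
typedef struct { atomic_long balance; } safe_account_t;

/* Time-of-check / time-of-use flaw from the ATM example: the balance is
 * validated at one moment and used later. The `other_party` hook stands in
 * for the online transfer that lands inside that window. */
int withdraw_toctou(account_t *acct, long amount, void (*other_party)(account_t *)) {
    if (acct->balance < amount)     /* time of check */
        return -1;
    if (other_party)
        other_party(acct);          /* the window: balance may change here */
    acct->balance -= amount;        /* time of use: the check is now stale */
    return 0;
}

/* Fixed version: check and update are one compare-and-swap. If the balance
 * changed since it was read, the swap fails, `seen` is refreshed and the check
 * is redone. The hook runs once, before the first attempt, to simulate the
 * same interleaving as above. */
int withdraw_atomic(safe_account_t *acct, long amount,
                    void (*other_party)(safe_account_t *)) {
    long seen = atomic_load(&acct->balance);
    if (other_party)
        other_party(acct);
    for (;;) {
        if (seen < amount)
            return -1;              /* insufficient funds at this instant */
        if (atomic_compare_exchange_weak(&acct->balance, &seen, seen - amount))
            return 0;               /* nobody changed it: withdrawal done */
        /* swap failed: `seen` now holds the current balance, so re-check */
    }
}

/* Constructed "other party" action: Y's RM800 transfer from the slide. */
static void transfer_800(account_t *a) { a->balance -= 800; }
static void transfer_800_atomic(safe_account_t *a) { atomic_fetch_sub(&a->balance, 800); }

/* Both scenarios start at RM1000 with X withdrawing RM800 while Y's transfer
 * lands in the window; each returns the final balance. */
long toctou_final_balance(void) {
    account_t acct = { 1000 };
    withdraw_toctou(&acct, 800, transfer_800);        /* succeeds: -600 */
    return acct.balance;
}
long atomic_final_balance(void) {
    safe_account_t acct;
    atomic_init(&acct.balance, 1000);
    withdraw_atomic(&acct, 800, transfer_800_atomic);  /* refused: 200 */
    return atomic_load(&acct.balance);
}
```

The unsynchronised account ends overdrawn at RM-600 because X's stale check was honoured; the atomic version notices the change and refuses, leaving RM200.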

Zero Day Exploit

An example is the Windows Metafile (.WMF) vulnerability: once it was known and exploit code was available, it took Microsoft 9 days to come up with a patch, so there was an active zero-day for 9 days.

Zero Day Exploit - Examples

Adobe Reader, Skype, OpenOffice.org software, Apple iPod player, YouTube

Malicious Program Flaws

Malicious programs are any programs that contain code capable of:
- modifying or destroying data
- stealing data
- allowing unauthorized access
- exploiting or damaging a computer system
- executing other tasks which the user does not intend

Virus scanners can sometimes be used to detect and remove malicious programs. However:
- no scanner is 100% accurate or effective
- new viruses appear weekly and may go undetected by the scanner

Thus, make sure that your virus scanners are updated regularly!

Malicious Program Flaws (cont.)

Sources of malicious code include:
- bulletin boards
- shareware
- commercial software packages
- computer networks
- pirated software
- public domain software

Thus, be careful when downloading materials / software from the internet!! Be careful when accessing unknown websites!! Be careful when chatting too.

Malicious code includes:
(1) Trojan horses
(2) viruses
(3) worms
(4) trapdoors
(5) logic bombs

Trojan Horse

The term ‘Trojan Horse’ derives from Greek mythology, where it was a gift that carried an unannounced and unexpected enemy.

In computing, a Trojan Horse is a program which performs a hidden function in addition to its stated functions (i.e. it causes unexpected effects when installed or run by an unsuspecting user).

The malicious code of a Trojan Horse is often buried deeply in the cover program and lies dormant for a specified period. It waits until some predetermined condition is met before executing its malicious acts.

A Trojan Horse is disguised as a useful program, when in reality it may also be sending information to a third party, deleting or modifying data illegally, etc.

Virus

A virus is a code segment which replicates by attaching copies of itself to executable files.

It is often designed to attack a single platform, for example an IBM-PC virus (referring to the hardware) or a DOS virus (referring to the OS).

This malicious code is called ‘virus’ based on its ability to infect other programs by modifying them. The infected programs can then act as virus to infect others. And the chain goes on and on…

A virus can be planted in shared system utilities to access common data, such as electronic mail, system news bulletins etc. Since many users access these utilities, a virus planted in one can spread quickly.

Virus (cont.)

A virus requires a host program as a carrier. For a virus to do its malicious work and spread itself, it must be activated by being executed.

However, this does not mean that a user must explicitly run the viral program to trigger its malicious acts. For example, the SETUP program that is invoked during computer initialization may call many other programs, one of which may contain the virus. Thus, the virus code is activated without the user realizing it!!

A common approach of virus activation is by opening an attachment to an e-mail message that contains virus.

Types of viruses include boot infections, file infections, partition infections etc.

Virus (cont.)

‘I Love You’ virus (May 2000): creator unknown. The FBI opened a criminal investigation and was hunting for a code writer who signed the virus code "Spider, Manila, Philippines" and added the comment: "I hate go to school."

As of 2004, it was the most costly virus to businesses, causing estimated losses of USD$10bn+.

The White House, Congress, the FBI and the Pentagon were amongst those badly affected.

The virus spread at great speed around the world via email attachments. It was reported that 1200+ computers were affected in the first 3 hours, probably because people were tempted to open the file attachment entitled ‘LOVE’.

Worm

A worm is a program that travels independently along computer cables. Most computers are connected via cabling, so they can easily be affected by worms, resulting in serious damage in a short time.

Similar to a virus, a worm can replicate itself. However, unlike a virus, a worm is very much self-contained; it does not require a host to survive on.

Another main difference between a worm and a virus is that a worm operates through a network, whereas a virus can spread through any medium (but usually uses copied program or data files).

Worm (cont.)

Morris worm (Nov 1988): written by a student at Cornell University, Robert Tappan Morris.

Propagated through vulnerabilities in BSD Unix

Estimated 6000 computers infected. Effects intended to be benign, but caused huge overloading.

Morris was convicted under the US Computer Crime and Abuse Act and received three years’ probation, community service and a fine in excess of $10,000.

He is now a lecturer at one of the top universities in the US, as well as an entrepreneur.

Trapdoors

A trapdoor is a secret, undocumented entry point into a module.

The trapdoor is often inserted during the code development, perhaps with the intention of assisting in module testing, or allowing access in the event of future errors.

In addition to this legitimate use, trapdoors can allow a person with malicious intentions to gain access to a program once it is placed into production.

The person may be the original corrupt programmer, a hacker who accidentally discovers the trapdoor, etc.

Trapdoors remain a program vulnerability if they are not noticed or their usage is not properly monitored.

Logic Bomb

A logic bomb is a program that sits on your computer and does no harm until a specified condition is met.

An example of a logic bomb is the well-known Michelangelo virus, which does nothing until the date on the computer is March 6, Michelangelo’s birth date. Once this date is reached, the program erases everything from the hard drive!!

Thus, always remember to make a duplicate copy of important files just in case…

Recaps..

Basically, we have seen some examples of the two root causes of program security flaws:
(1) code that was intentionally designed or coded to be malicious
(2) code that was unintentionally developed in a sloppy or misguided way

For the latter point especially, there are some control mechanisms that can be applied to protect against this type of flaw.

Most of these control mechanisms involve careful steps introduced during the software development itself.

In the next few slides, we will look at some examples of these controls.

Software Development Controls Against Program Threats

Amongst the software development controls that are deployed to safeguard against program threats are:
(1) Peer reviews
(2) Modularity, encapsulation and information hiding
(3) Independent testing
(4) Configuration management, etc.

Peer Reviews

Often a program is developed by a team of programmers / designers. Thus, during peer reviews, members of the team participate in peer design reviews and peer code reviews.

When a designer or a programmer has completed a particular section of code, several other designers or programmers are invited to participate in a "walk-through" of the design or code. The original developer presents the material in an orderly manner, pausing for the comments, questions and suggestions of others.

The review is not meant to punish the programmer for having made errors, but rather to identify errors much earlier in the software development process and to improve on them.

Modularity, Encapsulation & Information Hiding

The principles of software engineering recommend writing code in small, self-contained units called modules, hence the term ‘modularity’.

Encapsulation and information hiding are security byproducts of modularity. Thus, all three terms are related to one another.

Modularity

Modularization is the process of dividing a task into subtasks. Each module performs a separate, independent part of the task.

The advantages of this approach are:
- Maintainability: If a function is implemented as a single module, the module can be replaced with a revised one if necessary. The new module may be needed due to a change in requirements, hardware or the environment. Sometimes the replacement is just an enhancement that uses a smaller, faster, more correct or otherwise better module.

Modularity (cont.)

- Understandability: A program composed of many small modules will be easier to comprehend than one large, unstructured program.
- Reusability: Modules developed for one purpose can often be reused in other programs. Reuse of correct, existing program modules can significantly reduce the difficulty of programming and testing.
- Correctness: An error can be quickly traced to its cause if the modules perform only one task each.

Modularity (cont.)

- Testability: A single module with well-defined inputs, output and function can be tested exhaustively by itself, without concern for its effects on other modules (other than the expected function and output, of course).

Encapsulation

Modularity leads to a form of independence in which each module acts as an independent object. A well-designed module has little coupling to other routines of the same program.

This characteristic is called ‘encapsulation’: a module essentially operates as if it were surrounded by a shield that prevents unwanted access from the outside.

Under the encapsulation concept, modules interact only through certain restricted, well-defined interfaces. A module is entered only at specified entry points.

Information Hiding

A modular design leads to modules with limited effects on other modules. For this reason, a module can be seen as a form of black box, with certain well-defined inputs and outputs and a well-defined function; other modules and other designers do not need to know how the module completes its function. It is enough to be assured that the module does its task in some correct manner.

Concealing the way that a module does its task is called information hiding.

This is desirable because programmers cannot maliciously alter the modules of others if they do not know how the modules work.

Independent Testing

The purpose of testing is to certify the correctness of a program, whereas independent testing is testing carried out by an independent party.

Normally, an independent test team will check whether the program does what its design says it should, not necessarily what the programmer interpreted the design to require.

The test team and the programmer may differ in their interpretation of the design but it is better to identify the ambiguity and resolve it in the earlier stage rather than to combine modules which are incompatible.

Independent testing may also detect malicious code written by any programmer in the team.

Configuration Management

Configuration management is a systematic method of managing source code, object code and documentation.

Through configuration management all changes to a program or documentation must be approved by a group of professionals called a Change Control Board (CCB) and are well recorded.

The main security motivation for using configuration management is protecting the integrity of programs and documentation, because changes occur only after explicit approval from the authority.

Configuration Management (cont.)

All changes are also carefully evaluated for side effects. By applying configuration management, previous versions of programs are archived and it is possible to react to a faulty change.

Another advantage is protecting a program from malicious modification. For example, programmers cannot sneak in and make small, subtle changes such as inserting trapdoors in their program once a reviewed program has been accepted for a system. The programmers have access to the running production program only through the configuration management panel, and these people are alert to such security breaches.

DATA & COMPUTER SECURITY (CSNB414)

END OF MODULE 7