CIS 2005 System Security and Control

1
CIS 2005System Security and Control

• Lecture 4
• Module 4 - Software security

2
Threats to Consider
3
This weeks objectives

• Distinguish between different groups of software
• Identify what vulnerabilities, threats and
  controls apply to software
• Discuss types of malicious code, how they work
  and how to protect against them
• Main focus is on malicious code and program
  development controls

4
Software Security

• Keeping programs free from flaws
• Protecting computers from programs with flaws
• When is a program secure?
• Trusted
• Enforces CIA
• Fault fixing
• Penetrate and patch
• Tiger teams

5
Software groups

• System software
• Operating systems
• Utilities

• Applications/programs
• Custom-built software
• Packaged software
• Shareware
• Public-domain
• Freeware

6
Basic Components
ROM or Flash ROM
BIOS
Communicates with peripherals
Program
Boot Sector
Data
CDROM
Operating System
7
Multiuser/Multitasking
Ensure parts of disk are inaccessible
Separate program/data environments
8
Operating systems security

• Multitasking vs. single tasking
• Multi-user vs. single user
• All operating systems offer different levels of
  security with respect to
• File protection
• User authentication and privileges
• Memory protection
• General protection of objects
• Audits, and other areas

9
Programming attacks

• Non-Malicious Program bugs
• Inadvertent human error within the code
• Buffer Overflows
• Incomplete Mediation
• Time-of-Check to Time-of-Use Errors
• Anonymous malicious code (Viruses)
• Targeted malicious code
• Trapdoor (written for particular system)
• Hidden access to functionality
• Salami attack
• Small , insignificant amounts are accumulated
  into something significant
• Covert channel

10
Viruses

• A program which can pass on malicious code by
  modifying existing files or programs
• Damage ranges from minimalto disastrous
• Require a host program or a file as a carrier
• Activated by external action
• Can replicate, but replication is limited to one
  system (or virtual system)

11
Types of viruses

• File virus
• Attaches itself to or replaces program files
• Boot sector
• Replaces the boot program used to start a
  computer with a modifies, infected version of the
  boot program
• Macro virus
• Uses the macro language of an application to hide
  virus code.

12
Types of viruses (contd)

• Logic bomb
• Activates on a certain condition
• Time bomb
• Activates at a certain time
• Trojan horse
• Legitimate program which performs undocumented
  functions
• Worm
• Does not require a host
• Spread via network

13
Challenges of virus detection

• Antivirus programs use virus signatures
• i.e. patterns of known virus code
• Polymorphic virus
• Modifies its code every time it replicates
• File inoculation offers a solution
• Recording of the file size and creation date of
  the original file
• Stealth virus
• Reports the files original size and creation
  date after infecting it

14
(No Transcript)
15
About Viruses True or False?

• Viruses can infect only MS Windows systems?
• Viruses can modify hidden or read only files?
• Viruses can appear only in data files, or only in
  Word documents?
• Viruses spread only on disks or only in e-mail?
• Viruses cannot remain in memory after a complete
  power off/power on reboot?
• Viruses cannot infect hardware?
• Viruses can be malevolent, benign or benevolent?

P126
16
W32.Blaster.Worm

• Worm
• Program that makes copies of itself, from one
  computer to another
• Exploits DCOM RPC vulnerability using TCP port
  135
• Targets only Windows 2000 and Windows XP machines
• Machines with vulnerable DCOM RPC Services
  running
• Attempts to download the msblast.exe file to the
  WinDir\system32 directory and then execute it
• Runs when you start Windows
• Generates an IP address and attempts to infect
  the computer that has that address
• Also attempts to perform DoS on Microsoft Windows
  Update Web server (windowsupdate.com)
• To prevent you from applying a patch on your
  computer against the DCOM RPC vulnerability
• Thousands of computers affected

17
Virus Protection More Recommendations

• Turn off and remove unneeded services
• By default, many OS install unrequired services
• Keep your patch levels up to date
• Enforce a password policy
• Configure your email server to block/remove file
  attachments commonly used to spread viruses
• .vbs, .bat, .exe, .pif. .scr
• Isolate infected computers quickly
• Do not open unsolicited attachments

18
Covert channel

• Leaks information to unauthorized receiver
  through legitimate information or processes
• Used for spying
• Two types of covert channels
• Storage passes information by the presence or
  absence of objects in storage
• Timing passes information by the speed at which
  things happen

19
Covert Channel Example
20
Covert channel (contd)

• National Computer Security Center (NCSC) provides
  a Guide to understanding covert channel analysis
  or trusted systems (Nov 1993)
• http//www.radium.ncsc.mil/tpep/library/rainbow/NC
  SC-TG-030.html

21
Program development controls

• Program integrity can be enforced by employing
• Appropriate programming techniques
• Modularity
• Encapsulation
• Information hiding
• Good software development practices
• Administrative controls

22
Modularity

• Division of a task into logical or functional
  subtasks or modules
• Each module performs a separate, independent part
  of the task

23
Modularity (contd)

• Why is this good for security?
• Modules are easy to understand, maintain and test
• They have limited effect on other modules
• Reuse of correct existing modules can
  significantly reduce programming errors

24
Encapsulation

• Characteristic of a well designed module which
  has little coupling
• Coupling
• Strength of interaction between objects
• Measure of interdependence among modules
• One of the principles of object-oriented design
  where each object is responsible for its own data
  and functionality

25
Encapsulation (contd)

• Why is this good for security?
• Modules operate as if they are surrounded by a
  shield that prevents unwanted access and promotes
  code re-use
• Once again, re-use
• Limited interfaces of objects reduce the number
  of covert channels that can be constructed

26
Information hiding

• A module is designed so that a programmer who
  wants to use this module can use it without
  knowing how the module works.
• All programmers would need to know is what input
  (parameters) that module requires and what output
  it produces

27
Information hiding (contd)

• Why is this good for security?
• Prevents malicious modification of the module
  code

28
Software development practices

• Roles
• Division of labor/separation of duties
• Programming Operational
• Role of system administrator
• Enforcing regular holidays
• Code re-use
• Peer reviews looking at the code
• Walkthroughs
• Based on the concept that correct code is the
  responsibility of the group (egoless)

29
Software development practices

• Independent testing looking at the output
• To check program correctness and that it complies
  with user requirements
• Configuration management
• Maintains version control during software
  development and maintenance

30
Configuration management

• Why is this good for security?
• Protection from intended or unintended
  modification
• once a program version has been approved it
  cannot be changed
• Manages parallel development of several similar
  versions of one program

31
Useful sites

• www.cert.org
• www.auscert.org.au
• http//www.symantec.com/avcenter/refa.html
• http//www.cai.com/virusinfo/

32
Summary

• Different types of software to be considered
• Threats relating to software
• Controls that can be put in place (electronic and
  procedural)