ソフトウェアエンジニアの技術ブログ：Software engineer tech blog

– In the past, often for “fame” and/or “fun”
e.g., defacing web pages
fast and large-scale spreading

Modern Malware
– now, often for profit and political gains
– Technical sophistication based on the latest technologies
– Efficiency, robustness, and evasiveness

Botnet
-Bot(zombie)
A compromised computer under the control of an attacker
Bot code(malware) on the computer communicates with the attacker’s server and carries out malicious activities per attacker’s instructions

Botnet
A network of bots controlled by an attacker to perform coordinated malicious activities
Key platform for most Internet-based attacks and frauds

Attacks and Frauds by Botnets
spam, distributed denial of service attacks, key logging & data/Identity theft, click fraud, phishing& pharming, Cheating in online games/polls, key/password cracking, Anonymized terrorist & criminal communication

DDos using botnets
Attacker, Bots/zombies, Syn flood,etc. Victim

What it did:
– Determine where it could spread
– Spread its infection
– Remain undiscovered and undiscoverable

Effect
Resource exhaustion – repeated infection due to programming bug
Servers are disconnected from the Internet by system admin to stop the infection

Exploit security flaws
– Guess password(encrypted passwd file readable)
– Fingerd: buffer overflow
– Sendmail: trrapdoor(accepts shell command)

spread
– Bootstrap loader to target machine, then fetch
– Rest of code(password authenticated)

Remain un-discoverable
– load code in memory, encrypt, remove file
– Periodically changed name and process ID

What we learned:
– Security scanning and patching
– Computer Emergency Response Team

Prevention: Limit contact to outside world
Detection and Identification
Removal

4 generations of antivirus software:
– simple scanners: Use “signatures” of known virus
– Heuristic scanners: Integrity checking: checksum, encrypted has
– Activity traps
– Full-featured analysis: host-based network-based, sandboxing-based

Macro:
An executable program(e.g.
instructions opening a file, starting an application)
embedded in a word processing document, e.g. MS Word

A common technique for spreading
-A virus macro is attached to a word document
– document is loaded and opened in the host system
– When the macro executes, it copies itself to macro file
– The global macro can be activated/spread when new documents are opened

Rootkit
Resides in opening systems
– Modifies OS code and data structure

Helps user-level malware
– E.g., hide it from user(not listed in “is” or “ps” command)

Inspect all files
FindFisrtFile()
{checkfile, FindNextFile, repeat -> windows API, NTQueryDirectoryObject -> Kernel Native Interface -> Device drive functions <-> Drivers

Worms
– Use network connections to spread from system to system

Four stages of viruses
Dormant Phase, Propagation Phase, Triggering Phase, Execution Phase

Virus structure
virus code -> Physically -> Original Program
Logically Virus code part(a) -> Original Program

First line: go to “main” of virus program
Second line: a special flag(infected or not)
Main: Find uninfected programs^ infect them
Do something damaging to the system
“go to” frist line of the host program
Avoid detection by looking at size of program
compress/ decompress the host program

Type of Virus
– parasitic virus: scan/infect programs
– Memory-resident virus: infect running programs
– Macro virus: embedded in documents, run/spread
– Boot sector virus: run/spread whenever the system is booted
– Polymorphic virus: encrypt part of the virus program randomly generated key

Boot Sector Virus
Bootstrap Loader, System Initialization
Virus code -> System Initialization -> Bootstrap Loader

Reasons attackers use malware: automation, scalability, and deniability
Attackers release malicious programs on the internet and let spread

types of malicious software
– needs host program: trap door, logic bombs, trojan horses, viruses, browser plug-in extension, script
– independent: Worms, botnet, APTs

Trap door
– A secret entry point to a program or system.
– Typically works by recognizing some special sequence of inputs or special user ID.

Logic Bombs
– Embedded in some legitimate program
– Explode or perform malicious activities when certain condition are met

Trojan Horses
– Hidden in an apparently useful host program
– Performs some unwanted/harmful function when the host program is executed

Viruses
– Infect a program by modifying it
– Self-copy into the program to spread

– Certain aggregate/statistical queries can be allowed by all users.
– Consider a student grade database with schema studentid, student_standing(junior or senior), exam1_score, exam2_score, final_grade.

Average score on an example is a query that any student should be able to run.
Attacker wants to find exact score of some student
Inference attack when target takes the exam late
– Average score before target takes the exam
– Average score after target takes the exam
– Target score can be easily found

Another example: only one student has junior standing in a senior class
– Get average score of students who have junior standing
– This query discloses score of a single student

Defenses Against Inference Attacks
– Do not allow aggregate query results when the set of tuples selected is either too small or too large
– Transform data by removing identifying information
deindentification
anonymization
this has to be done with care

– Malicious SQL commands are sent to a database
– Can impact both confidentiality(extraction of data) and integrity(corruption of data)
– In a web application environment, typically a script takes user input and build an SQL query
– Web application vulnerability can be used to craft an SQL injection

Return information about items shipped to a certain city specified user in web application that uses forms

Var Shipcity;
Shipcity = Request.form("Shipcity");
Var sql = "select * from OrdersTable where 
Shipcity = "" + Shipcity + """;

SQL Injection Example
– User enters REDMOND
– Script generates SELECT * FROM OrdersTable Where Shipcity = ‘Redmond’
– What if user enters Redmond’ ;DROP table OrdersTable;?
– In this case, SELECT * FROM OrdersTable WHERE Shipcity = ‘Redmond’;DROP OrderesTable is generated
Malicious user is able to inject code to delete the table
– Many other code injection examples exist

Input checking
(golden rule – all input is evil)

see OWASP top 10 proactive controls
https://www.owasp.org/index.php/OWASP_Proactive_Controls

Why securing data stored in databases so important and different?
– Databases store massive amounts of sensitive data
– Data has structure that influences how it is accessed
– Accessed via queries or programs written in languages like SQL
– Transactional nature of queries
– Derived data or database views

Relational Database System (RDBS)
– Relational model based database systems are widely used in real-world envrionments
– A relational database consists of relations or tables
– A table is defined by a schema and consists of tuples
– Tuples store attribute values as defined by schema
– Keys used to access data in tuples

Employee Table: Foreign Key, Primary Key

Operations on relations:
– Create, select, insert, update, join and delete
– Example: SELECT * FROM EMPLOYEE WHERE DID = ’15’
– It returns tuples for Robin and Cody

Queries written in a query language(e.g., SQL) use such basic operations to access data in a database as needed.

Two commands: GRANT and REVOKE
GRANT {privileges|role}
TO {user|role|public}
e.g. GRANT SELECT ON ANY TABLE TO Alice

Privileges can be for operations such as SELECT, INSERT, UPDATE OR DELETE.

Testing:
Demonstrate existence of problem
Cannot demonstrate absence of problem
Regression testing: ensure that alterations do not break existing functionality / performance

Challenges:
test case generation, code coverage, exponential number of different executions, different execution environments

Penetration testing:
Ethical hackers attempt to defeat security measures
Cannot demonstrate absence of problem

Formal verification: Checking a mathematical specification of program to ensure that security assertions hold.
– Model checking, automated theorem proving
– State variables w/initial assignment, program specification describing how state changes, boolean predicates over state variables
– Difficulty: exponential time & space worst case complexity
– Model checking pioneers won the 2007 turning award

Common Criteria(2005) international standard replaced orange book
– Originated out of European, Canadian, and US standards
– Idea: users specify system needs, vendors implement solution and make claims about security properties, evaluators determine whether vendors actually met claims
– Evaluation assurance level(EAL) rates systems
– EAL1 most basic, EAL7 most rigorous

Trusted path from user to secure system
prevents programs from spoofing interface of secure components
prevents programs from tapping path(e.g. keyloggers)

Audit log showing object accesses – only useful if you /look/ at the log
detect unusual use of the system

Kernel Design
Security kernel enforce all security mechanisms
Good isolation, small size for verifiability, keeps security code together
Reference monitor controls access to objects (monitors all references to objects)
Tamperproof[impossible to break or disable]
Un-Bypassable[always invoked, complete mediation]
Analyzable [small enough to analyze & understand]

All parts of OS needed for correct enforcement of securioty policy
handles primitive I/O, clocks, interrupt handling, hardware capabilities, label checkikng
Virtual machine provides hardware isolation, logical OS separation

Assurance: Ways of convincing ourselves that a model, design, & implementation are correct

Methods of assurance validation:
Testing / Penetration testing
Formal verification validation
Checking that developers have implemented all requirements
Requirements checking, design & code reviews, system testing