Amplified Distributed Reflective Attacks

DNS request for large TXT record;
spoof victim’s IP

Open recursive DNS servers (anyone can query)

Botnet command and control
Botnet is a network of compromised computers that the “botmaster” uses for malicious purposes
– There needs to be command & control (C&C) from the botmaster to the bots
Example: a bot reports its status to the botmaster, is directed to a site to download a malware (bot code) update, and/or receives instructions to spam/phish/DDoS, etc.

Botnet C&C problem
Naively, we could have victims contact us…
Suppose we create malware (vx)
– download vx code; fiddle; compile
– uses email propagation/social engineering

Spreading is easy, but what if we want to use the compromised computers(victims)?

Naively, we could have victims contact us…
Problems:
– VX must include author’s address (not stealthy)
– Single rallying point (not robust)
– VX has hard-coded address (not mobile)

Past Malware

– In the past, often for “fame” and/or “fun”
e.g., defacing web pages
fast and large-scale spreading

Modern Malware
– now, often for profit and political gains
– Technical sophistication based on the latest technologies
– Efficiency, robustness, and evasiveness

Botnet
– Bot (zombie)
A compromised computer under the control of an attacker
Bot code(malware) on the computer communicates with the attacker’s server and carries out malicious activities per attacker’s instructions

Botnet
A network of bots controlled by an attacker to perform coordinated malicious activities
Key platform for most Internet-based attacks and frauds

Attacks and Frauds by Botnets
Spam, distributed denial of service attacks, key logging & data/identity theft, click fraud, phishing & pharming, cheating in online games/polls, key/password cracking, anonymized terrorist & criminal communication

DDoS using botnets
Attacker -> Bots/zombies -> SYN flood, etc. -> Victim

The internet worm

What it did:
– Determine where it could spread
– Spread its infection
– Remain undiscovered and undiscoverable

Effect
Resource exhaustion – repeated infection due to programming bug
Servers are disconnected from the Internet by system admin to stop the infection

Exploit security flaws
– Guess password (encrypted passwd file readable)
– Fingerd: buffer overflow
– Sendmail: trapdoor (accepts shell command)

Spread
– Bootstrap loader to target machine, then fetch rest of code (password authenticated)

Remain un-discoverable
– load code in memory, encrypt, remove file
– Periodically changed name and process ID

What we learned:
– Security scanning and patching
– Computer Emergency Response Team

Prevention: Limit contact to outside world
Detection and Identification
Removal

4 generations of antivirus software:
– Simple scanners: use “signatures” of known viruses
– Heuristic scanners: integrity checking: checksum, encrypted hash
– Activity traps
– Full-featured analysis: host-based, network-based, sandboxing-based

Macro Viruses

Macro:
An executable program (e.g. instructions opening a file, starting an application) embedded in a word processing document, e.g. MS Word

A common technique for spreading
– A virus macro is attached to a Word document
– document is loaded and opened in the host system
– When the macro executes, it copies itself to macro file
– The global macro can be activated/spread when new documents are opened

Rootkit
Resides in operating systems
– Modifies OS code and data structure

Helps user-level malware
– E.g., hide it from user (not listed in “ls” or “ps” command)

Inspect all files:
FindFirstFile() { checkfile, FindNextFile, repeat } -> Windows API, NTQueryDirectoryObject -> kernel native interface -> device driver functions <-> drivers

Worms
– Use network connections to spread from system to system

Viruses

Four stages of viruses
Dormant Phase, Propagation Phase, Triggering Phase, Execution Phase

Virus structure
virus code -> Physically -> Original Program
Logically Virus code part(a) -> Original Program

First line: go to “main” of virus program
Second line: a special flag(infected or not)
Main: Find uninfected programs; infect them
Do something damaging to the system
“go to” first line of the host program
Avoid detection by looking at size of program
compress/ decompress the host program

Type of Virus
– parasitic virus: scan/infect programs
– Memory-resident virus: infect running programs
– Macro virus: embedded in documents, run/spread
– Boot sector virus: run/spread whenever the system is booted
– Polymorphic virus: encrypt part of the virus program with a randomly generated key

Boot Sector Virus
Bootstrap Loader, System Initialization
Virus code -> System Initialization -> Bootstrap Loader

Malicious Code

Reasons attackers use malware: automation, scalability, and deniability
Attackers release malicious programs on the internet and let them spread

types of malicious software
– needs host program: trap door, logic bombs, trojan horses, viruses, browser plug-in extension, script
– independent: Worms, botnet, APTs

Trap door
– A secret entry point to a program or system.
– Typically works by recognizing some special sequence of inputs or special user ID.

Logic Bombs
– Embedded in some legitimate program
– Explode or perform malicious activities when certain conditions are met

Trojan Horses
– Hidden in an apparently useful host program
– Performs some unwanted/harmful function when the host program is executed

Viruses
– Infect a program by modifying it
– Self-copy into the program to spread

Inference Attacks on Databases

– Certain aggregate/statistical queries can be allowed by all users.
– Consider a student grade database with schema studentid, student_standing(junior or senior), exam1_score, exam2_score, final_grade.

Average score on an exam is a query that any student should be able to run.
Attacker wants to find exact score of some student
Inference attack when target takes the exam late
– Average score before target takes the exam
– Average score after target takes the exam
– Target score can be easily found

Another example: only one student has junior standing in a senior class
– Get average score of students who have junior standing
– This query discloses score of a single student

Defenses Against Inference Attacks
– Do not allow aggregate query results when the set of tuples selected is either too small or too large
– Transform data by removing identifying information (de-identification, anonymization); this has to be done with care
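
The two inference attacks and the query-set-size defense described above, as an added example that is not part of the original notes. The table contents, the threshold k and all function names are constructed for illustration; only the schema comes from the notes.

```python
import sqlite3

# Constructed sample data using the schema from the notes.
ROWS = [(1, "senior", 80, 70, "B"), (2, "senior", 90, 85, "A"),
        (3, "senior", 70, 60, "C"), (4, "junior", 95, 88, "A")]  # one junior
LATE = (5, "senior", 55, None, None)  # target sits exam 1 after the others

def make_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades (studentid INTEGER PRIMARY KEY, student_standing TEXT,"
               " exam1_score REAL, exam2_score REAL, final_grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?, ?, ?)", rows)
    return db

def avg_exam1(db, standing=None):
    """Unrestricted aggregate: (average, number of tuples it was computed over)."""
    sql = "SELECT AVG(exam1_score), COUNT(exam1_score) FROM grades"
    if standing is None:
        return db.execute(sql).fetchone()
    return db.execute(sql + " WHERE student_standing = ?", (standing,)).fetchone()

def guarded_avg_exam1(db, standing=None, k=3):
    """Query-set-size control: refuse (None) if the selected set is too small,
    or so large that the tuples left out number fewer than k."""
    total = db.execute("SELECT COUNT(exam1_score) FROM grades").fetchone()[0]
    avg, n = avg_exam1(db, standing)
    if n < k or 0 < total - n < k:
        return None
    return avg

def infer_late_score(avg_before, n_before, avg_after):
    """The two sums differ only by the late student's score."""
    return avg_after * (n_before + 1) - avg_before * n_before

if __name__ == "__main__":
    db = make_db(ROWS)
    print("junior avg, unrestricted:", avg_exam1(db, "junior"))      # one tuple
    print("junior avg, guarded:", guarded_avg_exam1(db, "junior"))   # refused
    before, n = avg_exam1(db)
    db.execute("INSERT INTO grades VALUES (?, ?, ?, ?, ?)", LATE)
    after, _ = avg_exam1(db)
    # Both queries cover the whole class, so the size check allows them.
    print("late score recovered:", infer_late_score(before, n, after))
```

The size check refuses the single-junior query but still answers both whole-class averages, so the before/after difference remains computable.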

SQL Injections

– Malicious SQL commands are sent to a database
– Can impact both confidentiality(extraction of data) and integrity(corruption of data)
– In a web application environment, typically a script takes user input and builds an SQL query
– Web application vulnerability can be used to craft an SQL injection

Example: return information about items shipped to a certain city specified by the user in a web application that uses forms

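var Shipcity;
// Value comes straight from the submitted form
Shipcity = Request.form("Shipcity");
// Vulnerable: user input is concatenated into the SQL text
var sql = "select * from OrdersTable where Shipcity = '" + Shipcity + "'";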

SQL Injection Example
– User enters Redmond
– Script generates SELECT * FROM OrdersTable WHERE Shipcity = 'Redmond'
– What if user enters Redmond' ;DROP table OrdersTable;?
– In this case, SELECT * FROM OrdersTable WHERE Shipcity = 'Redmond' ;DROP table OrdersTable; is generated
Malicious user is able to inject code to delete the table
– Many other code injection examples exist

Input checking
(golden rule – all input is evil)

see OWASP top 10 proactive controls
https://www.owasp.org/index.php/OWASP_Proactive_Controls
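
The string-built query from the example above next to a parameterized query and an allow-list input check, as an added example that is not part of the original notes. It uses Python's sqlite3 in place of the web script; the table contents, the city pattern and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table, named after the one in the notes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE OrdersTable (id INTEGER PRIMARY KEY, Shipcity TEXT, item TEXT)")
    db.executemany("INSERT INTO OrdersTable (Shipcity, item) VALUES (?, ?)",
                   [("Redmond", "keyboard"), ("Seattle", "monitor")])
    return db

def build_query_unsafe(shipcity):
    """The pattern from the notes: user input becomes part of the SQL text."""
    return "select * from OrdersTable where Shipcity = '" + shipcity + "'"

def orders_for_city(db, shipcity):
    """Parameterized query: shipcity is bound as a value and never parsed as SQL."""
    cur = db.execute("SELECT item FROM OrdersTable WHERE Shipcity = ?", (shipcity,))
    return cur.fetchall()

# Allow-list for the input check: letters, spaces, dots and hyphens, at most 64 chars.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .-]{0,63}")

def valid_city(shipcity):
    """Reject anything that does not look like a city name before it reaches the query."""
    return CITY_RE.fullmatch(shipcity) is not None

if __name__ == "__main__":
    payload = "Redmond' ;DROP table OrdersTable;"   # the input from the notes
    print(build_query_unsafe(payload))       # the input has changed the statement's structure
    db = make_db()
    print(orders_for_city(db, "Redmond"))    # [('keyboard',)]
    print(orders_for_city(db, payload))      # [] : no city has that literal name
    print(valid_city(payload))               # False
```

Binding the value is the primary control; the allow-list is a second layer and on its own would also reject legitimate names that contain an apostrophe.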

Importance of Database Security

Why is securing data stored in databases so important and different?
– Databases store massive amounts of sensitive data
– Data has structure that influences how it is accessed
– Accessed via queries or programs written in languages like SQL
– Transactional nature of queries
– Derived data or database views

Relational Database System (RDBS)
– Relational model based database systems are widely used in real-world environments
– A relational database consists of relations or tables
– A table is defined by a schema and consists of tuples
– Tuples store attribute values as defined by schema
– Keys used to access data in tuples

Employee Table: Foreign Key, Primary Key

Operations on relations:
– Create, select, insert, update, join and delete
– Example: SELECT * FROM EMPLOYEE WHERE DID = ’15’
– It returns tuples for Robin and Cody

Queries written in a query language(e.g., SQL) use such basic operations to access data in a database as needed.

Two commands: GRANT and REVOKE
GRANT {privileges|role}
TO {user|role|public}
e.g. GRANT SELECT ON ANY TABLE TO Alice

Privileges can be for operations such as SELECT, INSERT, UPDATE OR DELETE.

Revisiting Assurance

Testing:
Demonstrate existence of problem
Cannot demonstrate absence of problem
Regression testing: ensure that alterations do not break existing functionality / performance

Challenges:
test case generation, code coverage, exponential number of different executions, different execution environments

Penetration testing:
Ethical hackers attempt to defeat security measures
Cannot demonstrate absence of problem

Formal verification: Checking a mathematical specification of program to ensure that security assertions hold.
– Model checking, automated theorem proving
– State variables w/initial assignment, program specification describing how state changes, boolean predicates over state variables
– Difficulty: exponential time & space worst case complexity
– Model checking pioneers won the 2007 Turing Award

Common Criteria (2005): international standard, replaced the Orange Book
– Originated out of European, Canadian, and US standards
– Idea: users specify system needs, vendors implement solution and make claims about security properties, evaluators determine whether vendors actually met claims
– Evaluation assurance level(EAL) rates systems
– EAL1 most basic, EAL7 most rigorous