Chapter 2-Computer System Threat

CHAPTER TWO

Computer System Threat

By: Kidanemariam F.(MSc)


Outline
• Security in Computer System
• Malicious Code
  – Viruses
  – Trojan horses
  – Worms
  – Spyware
• Class of Attacks
  – Reconnaissance
  – Access
  – Denial of Service
• Program Flaws
• Controls to protect against Program Flaws | OS
• Program Security Defense
Security in Computer System

• Security refers to providing a protection system for computer system resources such as:
  – CPU, memory, disk
  – software programs, and
  – most importantly, the data/information stored in the computer system.

• So a computer system must be protected against
  – unauthorized access by users, and
  – malicious access to the system, including viruses, worms, etc.
Security features in Operating System
• An operating system manages and controls access to hardware components
• Older operating systems focused on ensuring data confidentiality
• Modern operating systems support four basic functions
  – Positively identify a user (authentication)
  – Restrict access to authorized resources (authorization)
  – Record user activity (auditing)
  – Ensure proper communications with other computers and devices (sending and receiving data)
Operating system Security attack types
Malware Attack:
• A generic term for software that has a malicious purpose: software that is intentionally included or inserted in a system for a harmful purpose.
• Malicious software (malware) comes in different forms
• Intended to
  – Cause distress to a user
  – Damage files or systems
  – Disrupt normal computer and network functions
• Examples
  – Viruses, worms
  – Logic bombs
  – Trojan horses
  – Spyware
  – Other examples: spam/scam, the Slammer and Nimda worms, e-payment fraud, etc.
Name                   Description
Virus                  Attaches itself to a program and propagates copies of itself to other programs
Worm                   Program that propagates copies of itself to other computers
Logic bomb             Triggers an action when a condition occurs
Trojan horse           Program that contains unexpected additional functionality
Backdoor (trapdoor)    A secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures
Auto-rooter            Malicious hacker tools used to break into new machines remotely
Kit (virus generator)  Set of tools for generating new viruses automatically
Spammer programs       Used to send large volumes of unwanted e-mail
Flooders               Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack
Keyloggers             Capture keystrokes on a compromised system
Zombie                 Program installed on an infected machine that is activated to launch attacks on other machines
Rootkit                Set of hacker tools used after an attacker has broken into a computer system and gained root-level access
Malware Attack…
• Malicious software can be divided into two categories:
• those that need a host program
  – fragments of programs that cannot exist independently of some actual application program, utility, or system program.
  – Viruses and logic bombs are examples.
• those that are independent
  – self-contained programs that can be scheduled and run by the operating system.
  – Worms and zombie programs are examples.
Malware Attack…
• Malicious software can also be divided into two categories:
• software threats that do not replicate
  – programs or fragments of programs that are activated by a trigger.
  – Examples are logic bombs and zombie programs.
• those that replicate
  – consist of either a program fragment or an independent program that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system.
  – Viruses and worms are examples.
Malware Attack…
Viruses
• Malicious code that replicates and hides itself inside other programs, usually without your knowledge.
• A virus is a piece of software that can "infect" other programs by modifying them.
• Similar to a biological virus: it replicates and spreads.
• Can do serious damage, such as erasing files.

Worms
• A worm is a program that can replicate itself and send copies from computer to computer across network connections, without needing a host program.
More on Virus
During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: the virus is idle.
  – The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
• Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas on the disk.
  – Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: the virus is activated to perform the function for which it was intended.
  – As with the dormant phase, the triggering phase can be caused by a variety of system events.
• Execution phase: the function is performed.
  – The function may be harmless, such as a message on the screen, or
  – damaging, such as the destruction of programs and data files.
More on Virus…
Types of viruses
• Parasitic virus: the traditional and still most common form of virus.
  – A parasitic virus attaches itself to executable files and replicates when the infected program is executed.
• Memory-resident virus: resides in main memory as part of a resident system program.
  – From that point on, the virus infects every program that executes.
• Boot sector virus: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
• Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software.
  – One technique: the virus uses compression so that the infected program is exactly the same length as the uninfected version.
More on Virus…
Types of viruses…
• Polymorphic virus: a virus that mutates with every infection, so that a fixed byte "signature" of the virus no longer matches.
• Metamorphic virus: as with a polymorphic virus, a metamorphic virus mutates with every infection.
  – The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection.
  – Metamorphic viruses may change their behavior as well as their appearance.
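As an added illustration (written for this page, not code from the slides) of what "mutates with every infection" does to signature matching: a naive scanner looks for a fixed byte pattern, a polymorphic engine re-encodes the body under a fresh key on every copy, and the pattern disappears from disk even though the decoded payload is unchanged. The "virus body", the key, and the four-byte signature are all constructed values, not real malware.

```c
/* Added example (not from the lecture slides): why a fixed byte signature
 * stops matching once a virus body is re-encoded on every infection.
 * The payload bytes and the "signature" below are constructed for
 * illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Naive signature scan: return the offset of the first match, or -1.
 * "Identification of known viruses" at its simplest. */
long scan_signature(const uint8_t *buf, size_t len,
                    const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return (long)i;
    return -1;
}

/* A polymorphic engine in miniature: XOR the body with a per-infection
 * key and prepend a one-byte "decryptor" (just the key) so the body can
 * be restored at run time. out must hold len + 1 bytes. */
size_t mutate_body(const uint8_t *body, size_t len, uint8_t key, uint8_t *out)
{
    out[0] = key;
    for (size_t i = 0; i < len; i++)
        out[i + 1] = body[i] ^ key;
    return len + 1;
}

/* Undo mutate_body (what the virus's decryptor would do in memory). */
size_t restore_body(const uint8_t *blob, size_t len, uint8_t *out)
{
    uint8_t key = blob[0];
    for (size_t i = 1; i < len; i++)
        out[i - 1] = blob[i] ^ key;
    return len - 1;
}

/* Constructed "virus body" and a 4-byte signature taken from it. */
static const uint8_t body[] = { 0x90, 0x90, 0xDE, 0xAD, 0xBE, 0xEF, 0x90, 0xC3 };
static const uint8_t sig[]  = { 0xDE, 0xAD, 0xBE, 0xEF };

/* 1 if the original body matches the signature. */
int original_is_detected(void)
{
    return scan_signature(body, sizeof body, sig, sizeof sig) >= 0;
}

/* 1 if a copy mutated under 'key' still matches the signature on disk. */
int mutated_is_detected(uint8_t key)
{
    uint8_t blob[sizeof body + 1];
    size_t n = mutate_body(body, sizeof body, key, blob);
    return scan_signature(blob, n, sig, sizeof sig) >= 0;
}

/* 1 if decoding the mutated copy brings the signature back, i.e. the
 * payload is unchanged even though the bytes on disk differ. */
int decoded_copy_is_detected(uint8_t key)
{
    uint8_t blob[sizeof body + 1], plain[sizeof body];
    size_t n = mutate_body(body, sizeof body, key, blob);
    size_t m = restore_body(blob, n, plain);
    return scan_signature(plain, m, sig, sizeof sig) >= 0;
}
```

Two things follow from this toy. A scanner that only matches the body has to either signature the decryptor stub (which a polymorphic engine keeps fixed) or run the sample in an emulator until it decodes itself; a metamorphic virus that rewrites the stub too defeats the first option, which is why the slides call it harder to detect. Note also that a zero key is the identity transform and leaves the signature intact, so a real engine never picks it.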
Malware Attack…
• Logic bomb
  – The logic bomb is code embedded in some legitimate program that is set to "explode" when certain conditions are met.
  – Examples of conditions that can be used as triggers for a logic bomb are:
    • the presence or absence of certain files,
    • a particular day of the week or date, or
    • a particular user running the application.
  – Once triggered, a bomb may:
    • alter or delete data or entire files,
    • cause a machine halt, or
    • do some other damage.
Malware attack…
Trojan Horse
• Any malicious program which misrepresents itself as useful or interesting in order to convince a victim to install it.
• The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk).
• Trojan horse programs do not replicate themselves like a virus.
• A common example: a Trojan that captures the user's login credentials and stores them to send to the attacker.
Spyware
• Software placed on a computer
  – typically without the user's knowledge
  – reports back information about the user's activities
• Some operate through monitoring cookies
• Software that literally spies on what you do on your computer.
  – Examples: simple cookies, mobile code, web crawlers, Xerox
  – Types of information gathered include the websites visited, browser and system information, and your computer's IP address.
Spam (junk mail)
• Filling e-mail inboxes with unwanted junk mail.
• Anyone using e-mail is essentially guaranteed to receive spam.
• How spammers get your address:
  – Web search
  – Sending test emails
  – Exchange or buy from other spammers
Malware attacks…
• Infection mechanisms
  – First, the virus searches for and detects objects to infect
  – Installation into the infectable object:
    • Writing to the boot sector
    • Adding code to executable programs
    • Adding code to initialization/auto-executable programs
• Trigger mechanism
  – Date
  – Number of infections
  – First use
• Effects: can be anything
  – A message
  – Deleting files
  – Formatting the disk
  – Overloading the processor/memory
  – Etc.
Suggestions to secure your Computer
• Use anti-virus software.
• Depending on the vendor, the antivirus software may also contain anti-spyware tools, anti-spam filtering, a personal firewall, and more.
• Update your computer regularly.
• Be careful with email attachments
  – Lower risk: .txt, .bmp, .jpg (not risk-free: image and PDF viewers have had exploitable parsing bugs, so .pdf does not belong on a "safe" list)
  – High risk: .exe, and .doc/.xls/.ppt or other Office documents that can carry macros
• Microsoft mail clients (Outlook, Outlook Express) have historically been the most targeted; if you use them, keep them patched and turn off automatic rendering of active content.
• Use a firewall to protect you from malware attacks.
• Use an IDS (intrusion detection system).
Protecting an OS from Malicious Software

• Install updates
• Use malicious software scanners
• Back up systems and create repair disks
• Create and implement organizational policies
Using Malicious Software Scanners

• An effective way to protect the operating system
• Scan systems for viruses, worms, and Trojan horses
• Often called virus scanners
• Functions of anti-virus software
  – Identification of known viruses (signature matching)
  – Detection of suspected viruses (heuristics)
  – Blocking of possible viruses
  – Disinfection of infected objects
  – Deletion and overwriting of infected objects
Malicious Software Scanners…

• Automatically runs at a scheduled time
• Manual run option
• Detects known malicious software (by signature) and some unknown malicious software (by heuristic or behavioral analysis)
• Updates for new malicious software
• Scans files that are downloaded
• Uses protected or quarantined zones for downloaded files
Suggestions to fight spam
• Never reply to junk emails
• Do not open files or executable attachments from unsolicited mail
• Immediately DELETE the malicious email
• Don't post your actual email address on websites
• Norton, McAfee, and many other products include spam as one of the threats they protect against
• Spam filtering applications can be used
OS Security: Files
• Common sources of file-system exposure:
  – File permissions (set too loosely)
  – File sharing
• Files must be protected from unauthorized reading and writing
• Data resides in files; protecting files means protecting data
Access Permissions
• The listing below indicates that the file is readable, writable, and executable by the user who owns the file (user Abe),
• as well as by the group owning the file (a group named student).
• The file is also readable and executable, but not writable, by other users.

-rwxrwxr-x  Abe  student  Sep 26 12:25  test.l

• Reading the string: the first character is the file type (- for a regular file), followed by three rwx triplets for owner, group, and others; a - in a position means that permission is absent.
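Added example (not from the slides): the permission string above turned into mode bits and checked for the two things this slide cares about, whether anyone outside owner and group can write the file and which permission class a given user falls into. The user and group ids in the checks are made up for the example; S_IWUSR and friends are the standard bit masks from <sys/stat.h>.

```c
/* Added example (not from the lecture slides): parsing an ls-style
 * permission string such as "-rwxrwxr-x" and checking who may write. */
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>

/* Parse the 9 permission characters that follow the file-type character.
 * Returns the permission bits (0..0777) or -1 if the string is malformed.
 * setuid/setgid/sticky markers (s, S, t, T) are out of scope and rejected. */
int parse_mode_string(const char *s)
{
    if (s == NULL || strlen(s) != 10) return -1;   /* type char + 9 bits */
    int mode = 0;
    for (int i = 0; i < 9; i++) {
        char c = s[i + 1];
        char want = "rwx"[i % 3];                   /* expected letter here */
        if (c == want)       mode |= 1 << (8 - i);  /* bit 8 = owner read */
        else if (c != '-')   return -1;
    }
    return mode;
}

/* True when users outside owner and group can write the file. */
int world_writable(int mode) { return (mode & S_IWOTH) != 0; }

/* True when members of the owning group can write the file. */
int group_writable(int mode) { return (mode & S_IWGRP) != 0; }

/* May a process with (uid, gid) write a file owned by (owner, group)?
 * Mirrors the kernel's decision order: owner, then group, then other;
 * only the first matching class is consulted. */
int may_write(int mode, unsigned owner, unsigned group, unsigned uid, unsigned gid)
{
    if (uid == owner) return (mode & S_IWUSR) != 0;
    if (gid == group) return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}
```

The listing on the slide parses to mode 0775: Abe and members of student may write test.l, everyone else may only read and execute it. A string without the leading type character (the nine-character form the slide's garbled line resembled) is rejected rather than misread.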
OS Security: Memory

• Hardware memory available on the system can be corrupted by badly written software
• This can harm data integrity
• Two options:
  – Stop using the program
  – Apply a patch (service pack) to fix it
OS Authentication Methods
• Authentication:
  – Verifies user identity: something a person knows, has, is, or does.
  – Permits access to the operating system
  – Uses biometrics, passwords, passphrases, tokens, or other private information.
  – Strong authentication is important
• Physical authentication:
  – Allows physical entrance to company property
  – Magnetic cards and biometric measures
• Digital authentication:
  – Verifies user identity by digital means
OS Authentication Methods…
• Passwords
  – User name + password is the most common identification and authentication scheme.
  – A weak security mechanism on its own; strong password protections must be implemented.
• Passphrase
  – A sequence of characters that is longer than a password.
  – Takes the place of a password.
  – Can be more secure than a password because it is longer and more complex.
• Digital certificates:
  – A digital passport that identifies and verifies the holder of the certificate
• Kerberos:
  – A network authentication protocol developed at MIT
Class of Attacks
Reconnaissance is the information-gathering stage of an attack (and of ethical hacking), where the attacker collects data about the target system. This data can include anything from network infrastructure to employee contact details. The goal of reconnaissance is to identify as many potential attack vectors as possible.

Access control is a fundamental component of data security that dictates who is allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data. Access attacks target this control: the attacker exploits a weakness in authentication or authorization (a guessed password, a stolen credential, an exploitable program flaw) to obtain access that was never granted.
Class of Attacks...
A denial of service attack is the deliberate flooding of a machine or network with bogus traffic to overwhelm it and make its service unavailable. It can lead to the target server crashing or simply being unable to respond to legitimate requests.

Denial of service attacks usually do not lead to system compromise, data loss, or theft. However, a DoS attack can cause a significant loss of time and resources to the targeted service, since it can last anywhere between a few hours and several months.
Program Flaws
Buffer Overflows
• Buffer overflow flaw: often inadvertent (=> non-malicious) but with serious security consequences
• Many languages require a buffer size declaration. For example:
  – C language statement: char sample[10];
  – Executed statement: sample[i] = 'A'; where i = 10
  – Out of bounds (valid subscripts are 0-9): a buffer overflow occurs
  – Some compilers don't check for exceeding bounds
  – C does not perform array bounds checking at run time.
• A similar problem is caused by pointers
  – No reasonable way to define limits for pointers
• Where does 'A' go? It depends on what is adjacent to sample[10]:
  – Affects user's data: overwrites the user's data
  – Affects user's code: changes the user's instructions
  – Affects OS data: overwrites OS data
  – Affects OS code: changes OS instructions
• This is a case of aliasing: the same memory is reached under two names, the overflowing buffer and whatever sits next to it
Program Flaws ...
Buffer Overflows...
• Implications of buffer overflow:
  – Attacker can insert malicious data values/instruction codes into the "overflow space"
  – Suppose the buffer overflow affects an OS code area
    • Attacker code is executed as if it were OS code
    • The attacker might need to experiment to see what happens when 'A' is inserted into the OS code area
    • Can raise the attacker's privileges (to OS privilege level) when 'A' is an appropriate instruction
    • Attacker can gain full control of the OS
  – Web server attack similar to a buffer overflow attack: pass a very long string to the web server
• Buffer overflows are still common
  – Used by attackers to crash systems
  – Used by attackers to exploit systems by taking over control
  – A large number of vulnerabilities are due to buffer overflows
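Added example (not code from the slides): the slide's char sample[10] written at index 10, made concrete, beside the bounds-checked version. The struct layout is constructed so that the byte right after the buffer is a privilege flag; that is the "affects user's data" case above. With a different neighbour (a saved return address on the stack) the same one-byte overrun is what the "attacker code executed as OS code" case starts from. The objects are declared volatile only so the compiler emits the out-of-bounds store and the following load literally instead of optimising the demonstration away.

```c
/* Added example (not from the lecture slides): char sample[10] written at
 * index 10, with a privilege flag sitting in the adjacent byte. */
#include <stddef.h>

struct session {
    char sample[10];          /* valid indices are 0..9 */
    unsigned char is_admin;   /* offset 10: right after sample[9] */
};

/* Vulnerable: no bounds check, exactly like C itself. Index 10 lands on
 * is_admin. (Out-of-bounds indexing is undefined behaviour in C; this is
 * what it does in practice with this layout.) */
void store_unchecked(volatile struct session *s, size_t i, char c)
{
    s->sample[i] = c;
}

/* Vulnerable copy: trusts the caller's length, the "very long string to a
 * web server" case on the slide. */
void copy_unchecked(volatile struct session *s, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        s->sample[i] = src[i];
}

/* Hardened: refuse anything that does not fit. Returns -1 on rejection. */
int store_checked(volatile struct session *s, size_t i, char c)
{
    if (i >= sizeof s->sample) return -1;
    s->sample[i] = c;
    return 0;
}

/* Hardened copy: bounded by the destination size, not the source length. */
int copy_checked(volatile struct session *s, const char *src, size_t n)
{
    if (n > sizeof s->sample) return -1;
    for (size_t i = 0; i < n; i++)
        s->sample[i] = src[i];
    return 0;
}

/* Replays the slide: i = 10, c = 'A'. Returns is_admin afterwards
 * (0 before the write; 'A' = 0x41 if the overflow reached it). */
int admin_flag_after_write(int checked)
{
    volatile struct session s = {{0}, 0};
    if (checked) (void)store_checked(&s, 10, 'A');
    else         store_unchecked(&s, 10, 'A');
    return s.is_admin;
}

/* Constructed eleven-byte input: ten filler bytes and a final 0x01 that
 * would land exactly on the flag. Returns is_admin afterwards. */
int admin_flag_after_input(int checked)
{
    static const char input[11] = {'A','A','A','A','A','A','A','A','A','A', 1};
    volatile struct session s = {{0}, 0};
    if (checked) (void)copy_checked(&s, input, sizeof input);
    else         copy_unchecked(&s, input, sizeof input);
    return s.is_admin;
}

/* What the hardened store says about an index. */
int checked_store_result(size_t i)
{
    volatile struct session s = {{0}, 0};
    return store_checked(&s, i, 'A');
}
```

The fix is the same in both shapes: compare against the size of the destination before touching it, and reject rather than silently truncate when the input is controlled by someone else. Compilers do not insert this check for you, which is the point of the slide's "C does not perform array bounds checking".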
Program Flaws...
Incomplete Mediation
• Incomplete mediation flaw: often inadvertent (=> non-malicious) but with serious security consequences
• Incomplete mediation: sensitive data are in an exposed, uncontrolled condition
• Example: URL generated by the client's browser to access the server, e.g.:
  http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
• Instead, the user edits the URL directly, changing price and total cost as follows:
  http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
• The user uses the forged URL to access the server
• The server takes 25 as the total cost
Program Flaws...
Incomplete Mediation ...
• Unchecked data are a serious vulnerability!
• Possible solution: anticipate problems
  – Don't let the client return a sensitive result (like total) that can easily be recomputed by the server
  – Use drop-down boxes / choice lists for data input
  – Prevent the user from editing input directly
  – Check the validity of data values received from the client, on the server: client-side controls such as drop-downs are bypassed by editing the request itself
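Added example (not code from the slides): the order query string from the slides parsed on the server, once the flawed way (believe the client's total) and once the fixed way (keep price and shipping on the server, validate the quantity, never read total at all). The part catalogue, the shipping rate and the quantity limit are constructed for the example; only the field names come from the slide's URL.

```c
/* Added example (not from the lecture slides): server-side handling of
 * the slide's order URL, with and without complete mediation. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

struct order {
    long cust_id;
    char part[16];
    long qty;
    long client_price;     /* as sent by the client: must not be trusted */
    long client_shipcost;  /* same */
    long client_total;     /* same */
};

/* Parse "k=v&k=v..." into an order. Returns 0 on success, -1 if a required
 * field is missing, a value is malformed, or the query is too long. */
int parse_query(const char *query, struct order *o)
{
    char buf[256];
    int have_part = 0, have_qty = 0, have_cust = 0;
    if (strlen(query) >= sizeof buf) return -1;
    strcpy(buf, query);
    memset(o, 0, sizeof *o);

    char *save = NULL;
    for (char *kv = strtok_r(buf, "&", &save); kv; kv = strtok_r(NULL, "&", &save)) {
        char *eq = strchr(kv, '=');
        if (!eq) return -1;
        *eq = '\0';
        const char *key = kv, *val = eq + 1;
        char *end = NULL;
        long num = strtol(val, &end, 10);
        int is_num = (*val != '\0' && *end == '\0');   /* whole value numeric */

        if (strcmp(key, "part") == 0) {
            if (strlen(val) >= sizeof o->part) return -1;
            strcpy(o->part, val); have_part = 1;
        } else if (strcmp(key, "custID") == 0 && is_num)   { o->cust_id = num; have_cust = 1; }
        else   if (strcmp(key, "qy") == 0 && is_num)       { o->qty = num; have_qty = 1; }
        else   if (strcmp(key, "price") == 0 && is_num)    o->client_price = num;
        else   if (strcmp(key, "shipcost") == 0 && is_num) o->client_shipcost = num;
        else   if (strcmp(key, "total") == 0 && is_num)    o->client_total = num;
        /* other keys (ship=boat) are ignored here */
    }
    return (have_part && have_qty && have_cust) ? 0 : -1;
}

/* Flawed: incomplete mediation. The server "takes 25 as the total cost". */
long total_from_client(const struct order *o) { return o->client_total; }

/* Constructed server-side catalogue. Returns -1 for an unknown part. */
long server_price(const char *part)
{
    if (strcmp(part, "555A") == 0) return 10;
    return -1;
}

/* Fixed: recompute from server-held values and a validated quantity.
 * The client's price, shipcost and total are never consulted. */
long total_recomputed(const struct order *o)
{
    const long ship = 5;                          /* server-side rate */
    const long max_qty = 1000;                    /* constructed limit */
    long price = server_price(o->part);
    if (price < 0 || o->qty <= 0 || o->qty > max_qty) return -1;
    return o->qty * price + ship;
}

/* Bill a raw query string either way. Returns -1 on a rejected request. */
long bill(const char *query, int recompute)
{
    struct order o;
    if (parse_query(query, &o) != 0) return -1;
    return recompute ? total_recomputed(&o) : total_from_client(&o);
}
```

With the forged URL the trusting server charges 25; the recomputing server charges 205 whatever the client wrote in price and total, and rejects unknown parts, non-positive quantities and requests that lack the fields it needs. That is the whole of "don't let the client return a sensitive result that the server can recompute".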
Program Flaws ...
Time-of-check to Time-of-use Errors
• Time-of-check to time-of-use flaw: often inadvertent (=> non-malicious) but with serious security consequences
• A.k.a. synchronization flaw / serialization flaw
• TOCTTOU: mediation with a "bait and switch" in the middle
• Non-computing example:
  – Swindler shows the buyer a real Rolex watch (bait)
  – After the buyer pays, switches the real Rolex for a forged one
• In computing:
  – Change of a resource (e.g., data) between the time access is checked and the time access is used
TOCTTOU: mediation with "bait and switch" in the middle ...
• Q: Any examples of TOCTTOU problems from computing?
• A: E.g., DBMS/OS serialization problem (a lost update):
  – pgm1 reads the value of X = 10
  – pgm1 computes X = X + 5 (= 15) but has not written it yet
  – pgm2 reads X = 10, adds 3 to X, writes X = 13
  – pgm1 writes X = 15
  – X ends up with the value 15; it should be X = 18

Prevention of TOCTTOU errors
• Be aware of time lags
• Use digital signatures and certificates to "lock" data values after checking them
  – So nobody can modify them unnoticed after the check and before the use: a change makes the signature fail to verify
Prevention of TOCTTOU errors ...
• Q: Any examples of preventing TOCTTOU from the DBMS/OS areas?
• A1: E.g., DBMS: locking to enforce proper serialization (locks need not use signatures; they are fully controlled by the DBMS)
  – In the previous example, the lock will either:
    • force pgm1 to write X = 15 before pgm2 reads X (so pgm2 adds 3 to 15, giving 18), OR
    • force pgm2 to write X = 13 before pgm1 reads X (so pgm1 adds 5 to 13, giving 18)
• A2: E.g., DBMS/OS: any other concurrency control mechanism enforcing serializability
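Added example (not code from the slides) covering both the TOCTTOU problem and its prevention on the OS side, the file-system counterpart of the lost update above. unsafe_open() checks a path with access() and then opens the same path again, so whatever the name points to in between is what gets opened: the bait and switch. safe_open() removes the window by doing one open() with O_NOFOLLOW and then deciding everything from the descriptor it actually got (fstat), so check and use refer to the same object. The attacker's move is simulated deterministically through a hook that runs inside the window; on a real system it is a race. The scratch directory, the "bait" and "secret" files and their contents are constructed by the example itself; it assumes a POSIX system with a writable /tmp.

```c
/* Added example (not from the lecture slides): check-then-use race on a
 * file name, and the open-then-check pattern that closes it. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

typedef int (*attacker_fn)(void *ctx);

/* Flawed: check by name, then use by name. The hook stands in for anything
 * that runs between the two system calls on a real machine. */
int unsafe_open(const char *path, attacker_fn attacker, void *ctx)
{
    if (access(path, R_OK) != 0) return -1;          /* time of check */
    if (attacker && attacker(ctx) != 0) return -1;   /* the window */
    return open(path, O_RDONLY);                     /* time of use */
}

/* Fixed: no check by name at all. Open once without following symlinks,
 * then make every decision about the descriptor that was actually opened.
 * The attacker may still act at any time; there is simply no gap to hit. */
int safe_open(const char *path, attacker_fn attacker, void *ctx)
{
    if (attacker && attacker(ctx) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);      /* ELOOP on a symlink */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

struct swap { const char *path; const char *target; };

/* The attacker's move: replace the checked name by a symlink to a file the
 * victim can read but the attacker cannot (simulated with ordinary files). */
int swap_for_symlink(void *ctx)
{
    struct swap *s = ctx;
    if (unlink(s->path) != 0) return -1;
    return symlink(s->target, s->path);
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Builds a scratch directory holding "bait" and "secret", runs one opener
 * on the bait path, and reports what it read:
 *   0 = opener refused, 1 = it read the secret, 2 = it read the bait.
 * Returns -1 if the scaffolding itself failed. */
int run_scenario(int use_safe, int attack)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char bait[64], secret[64];
    snprintf(bait, sizeof bait, "%s/bait", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);

    int rc = -1;
    if (write_text(bait, "bait\n") == 0 && write_text(secret, "secret\n") == 0) {
        struct swap sw = { bait, secret };
        attacker_fn hook = attack ? swap_for_symlink : NULL;
        int fd = use_safe ? safe_open(bait, hook, &sw) : unsafe_open(bait, hook, &sw);
        if (fd < 0) {
            rc = 0;
        } else {
            char buf[16] = {0};
            ssize_t n = read(fd, buf, sizeof buf - 1);
            close(fd);
            rc = (n > 0 && strncmp(buf, "secret", 6) == 0) ? 1 : 2;
        }
    }
    unlink(bait); unlink(secret); rmdir(dir);
    return rc;
}
```

The analogue of the DBMS lock here is that the kernel resolves the name exactly once and the program never re-derives anything from the name afterwards: O_NOFOLLOW refuses the swapped-in symlink, and the fstat on the open descriptor inspects the object the program is actually holding. The same rule generalises to directories (openat relative to an already-open directory descriptor) and to file creation (O_CREAT | O_EXCL rather than "stat, then create").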
Many Thanks!
Let me know if you have any questions!