
Midterm Review


CS4235 MIDTERM REVIEW

25 questions, multiple choice & T or F


SECURITY MINDSET

 Differences between passive and active attacks


 Passive —— attempt to learn or make use of information from the system
that does not affect system resources.
 Eavesdropping on transmissions. The attacker's goal is to obtain information that is
being transmitted.
 Active —— attempt to alter system resources or affect their operation.
 Modification of the data stream or the creation of a false stream.

 Key security concepts


 Confidentiality, integrity and availability, also known as the CIA triad,
is a model designed to guide policies for information security within an
organization.
 Confidentiality: Preserving authorized restrictions on information access
and disclosure.
 Integrity: Guarding against improper information modification or
destruction, maintaining consistency, accuracy and trustworthiness of
data.
 Availability: Guarantee timely and reliable access to the information by
authorized people (not denied and not slow).

 Other terminologies
 System integrity: assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
 Data integrity: assures that data received are exactly as sent by an
authorized entity.
 Message integrity: Ensuring that the message received by the recipient is
identical to the message transmitted by the sender.
 Privacy: assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom
that information may be disclosed.

 Threats
 A potential violation of security (the attack may not have been carried
out)
 1. Unauthorized disclosure —— gains access to data for which the entity
is not authorized (passive attack)
 Exposure: directly release sensitive data
 Interception: an unauthorized entity directly accesses sensitive data traveling
between authorized sources and destinations (intercepted during legitimate transmission).
 Inference: indirectly accesses sensitive data by reasoning from characteristics or
byproducts of communications.
 Intrusion: gain access to sensitive data by circumventing a system's security
protections.
 2. Deception —— results in an authorized entity receiving false data and
believing it to be true (active attack).
 Masquerade: An unauthorized entity posing as an authorized entity.
 Falsification: False data deceive an authorized entity.
 Repudiation: Falsely denying responsibility for an act.
 3. Disruption —— interrupts or prevents the correct operation of system services
and functions (active attack).
 Incapacitation: disable a system component.
 Corruption: undesirably alters system operation
 Obstruction: interrupts delivery
 4. Usurpation —— control of system services or functions by an
unauthorized entity (active attack).
 Misappropriation: get unauthorized control of a system resource.
 Misuse: Causes a system component to perform a detrimental function or service.
 Security implementation involves four complementary courses of action:
prevention, detection, response and recovery.
 Attack surface categories (an attack surface consists of the reachable and
exploitable vulnerabilities in a system)
 Network attack surface
 Software attack surface
 Vulnerabilities in application, utility, or operating system code
 Particular focus is Web server software
 Human attack surface
 Vulnerabilities created by personnel or outsiders, such as social engineering, human
error and trusted insiders
SOFTWARE SECURITY

 Defensive programming concept (objective, what we try to achieve, how?)


 Objective: designing and implementing software so that it continues to
function even under attack
 We try to achieve: software that is able to detect erroneous conditions
resulting from some attack
 How?
 Key rule —— never assume anything! Check all assumptions and handle any
possible error states.
 Assumptions about the type of inputs a program will receive and the environment it
executes in should be validated by the program and all potential failures handled
gracefully and safely.
 A changed mindset: understand how failures can occur and the steps needed to
reduce the chance of them occurring in their programs.

 Software testing techniques (provide variable inputs to a software)


 Handling program input
 Validating input syntax: ensure that data conform with the assumptions made about them before subsequent use, by
comparing the input data against what is wanted or, alternatively, comparing the input data with
known dangerous values.
 Fuzzing: a software testing technique that uses randomly generated data as inputs to a program
 Range of inputs is very large
 Intent to determine if the program correctly handles abnormal inputs
 Simple, free of assumptions, cheap
 Handling program output
 Output conforms to the expected form and interpretation
 Identify what is permissible output and filter any possibly untrusted data to ensure that only valid
output is displayed

 Race conditions and how to prevent them


 Race conditions
 Without synchronization of access, it’s possible that values may be corrupted or
changes lost due to overlapping access, use and replacement of shared values.
 Deadlock
 Processes or threads wait on a resource held by the other
 One or more programs have to be terminated
 How to prevent?
 Need suitable synchronization mechanism —— acquire a lock on the shared file
 Buffer overflow attacks (how they occur, how to prevent them & related topics)
 How they occur:
 Programmers often make assumptions (which remain unvalidated!) about the maximum expected size of input.
 Testing may not identify vulnerability because test inputs are unlikely to include large enough inputs to
trigger the overflow.
 Could be located on the stack, in the heap, or in the data section of the process.
 Consequences: corruption of program data; unexpected transfer of control; execution of code chosen
by attacker; possible memory access violation.
 How to prevent:
 Treat all inputs as dangerous!
 How to exploit:
 Understand how buffer is stored in memory and determine potential for corruption
 Trigger buffer overflow using externally sourced data under the attacker’s control

 Shellcode
 A small piece of code used as the payload in the exploitation of a software vulnerability
that can be executed once the code is injected into a running application. Stack and heap-
based buffer overflows are the most popular way of doing so.
 The term shellcode literally refers to written code that starts a command shell.
 However, because the function of a payload is not limited to merely spawning a shell, some
have suggested that the name shellcode is insufficient.
 Most shellcode is written in machine code. Shellcode is therefore often created to target one
specific combination of processor, operating system and service pack, called a platform.
For some exploits, due to the constraints put on the shellcode by the target process, a very
specific shellcode must be created. However, it is not impossible for one shellcode to work
for multiple exploits, service packs, operating systems and even processors.

 OpenSSL heartbleed vulnerability


 Heartbleed was caused by a flaw in OpenSSL, an open source code library that
implemented the Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
protocols. In short, a malicious user could easily trick a vulnerable web server into
sending sensitive information, including usernames and passwords.
 To understand how it works, you need to know a little bit about how the TLS/SSL
protocols operate, and how computers store information in memory.
 One important part of the TLS/SSL protocols is what's called a heartbeat. Essentially,
this is how two computers communicating with one another let each other
know that they're still connected even if the user isn't downloading or uploading
anything at the moment. Occasionally, one of the computers will send an encrypted
piece of data, called a heartbeat request, to the other. The second computer will
reply back with the exact same encrypted piece of data. Crucially, the heartbeat
request includes information about its own length.

 So, for example, if you're reading your Yahoo mail but haven't done anything in a
while to load more information, your web browser might send a signal to Yahoo's
servers saying: "This is a 40 KB message you're about to get. Repeat it all back to me."
 The Heartbleed vulnerability arose because OpenSSL's implementation of the
heartbeat functionality was missing a crucial safeguard: the computer never checks
to make sure the heartbeat was actually as long as it claimed to be. So if a request
said it was 40 KB long but was actually only 20 KB, the receiving computer would set
aside 40 KB of memory buffer, then store the 20 KB it actually received, then send
back that 20 KB plus whatever happened to be in the next 20 KB of memory. That
extra 20 KB of data is information that the attacker has now extracted from the web
server.
 Even when a computer is done with information, it persists in memory buffers until
something else comes along to overwrite it. If you're the attacker, you have no way to
know in advance what might be lurking in that 20 KB, but there are a number of
possibilities: SSL private keys, usernames and passwords (more commonly).
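The missing length check described above, modeled in Python as an added example (not OpenSSL's code and not part of the original slides). Server memory is a constructed byte array, and the simplified record layout, function names and sample data are assumptions made for illustration.

```python
import struct
from typing import Optional

HEADER_LEN = 3  # 1-byte message type + 2-byte claimed payload length (simplified)

# Constructed sample data: stale bytes that happen to sit next to the request.
STALE_DATA = b"user=alice&password=hunter2"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may not match the payload."""
    return struct.pack("!BH", 1, claimed_len) + payload


def load_memory(record: bytes) -> bytearray:
    """Model server memory: the received record followed by leftover data."""
    return bytearray(record + STALE_DATA + b"\x00" * 64)


def respond_unchecked(memory: bytearray, record_len: int) -> bytes:
    """Flawed handler: trusts the claimed length and never looks at record_len."""
    _msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed])


def respond_checked(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Hardened handler: drop any request that claims more than was received."""
    if record_len < HEADER_LEN:
        return None  # too short to even hold the header
    _msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    if HEADER_LEN + claimed > record_len:
        return None  # claimed length exceeds the actual record: discard
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed])


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)   # says 4 bytes, sends 4 bytes
    lying = build_heartbeat(b"ping", 24)   # says 24 bytes, sends only 4
    for name, record in (("honest", honest), ("lying", lying)):
        mem = load_memory(record)
        print(name,
              "| unchecked:", respond_unchecked(mem, len(record)),
              "| checked:", respond_checked(mem, len(record)))
```

The unchecked handler echoes the 4 payload bytes plus 20 bytes of neighboring memory for the lying request; the checked handler returns nothing for it and still answers the honest one.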

 Stack buffer overflow


 Used by Morris Worm
 Stack frame
 When one function calls another, it needs somewhere to save the return address.
 Also needs locations to save the parameters to be passed in to the called function and
to possibly save register values.
 Stack grows from high memory to low memory, stack overflow overwrites from low
memory to high memory.
 Compile-time vs run-time defenses (Two broad defense approaches of
buffer overflow)
 Compile-time defense
 1. use a modern high-level language not vulnerable to buffer overflow attacks
 2. compiler enforces range checks and permissible operations on variables
 3. Handling dynamically allocated memory is more problematic because the size
information is not available at compile time

 Run-time defense
 Executable address space protection: use virtual memory support to make some
regions of memory non-executable, requires support from memory management unit
(MMU)
 Address space layout randomization (ASLR): a memory-protection process for
operating systems that guards against buffer-overflow attacks by randomizing the
location where system executables are loaded into memory.
Manipulate location of key data structures (stack, heap, global data), using random
shift for each process.
Randomize location of heap buffers
Randomize location of standard library functions
 Guard pages: If a program attempts to access an address within a guard page, the
system raises a STATUS_GUARD_PAGE_VIOLATION (0x80000001) exception.
OPERATING SYSTEM

 Approaches for hardening OS


 Remove unnecessary services, applications, protocols
 If fewer software packages are available to run, the risk is reduced.
 System planning process should identify what is actually required.
 When performing the initial installation, the supplied defaults should not be used.
 Configure users, groups and authentication
 Not all users with access to the system have access to the same data and resources.
 Privileges should be restricted to only those who require them, and only when they are
needed to perform a task.
 Configure resource controls
 Appropriate permissions can be set on data and resources
 Many security hardening guides provide lists of recommended changes to the default
access configuration
 Install additional security controls
 Anti-virus software
 Host-based firewalls
 IDS (intrusion detection system) or IPS (intrusion prevention system) software
Both increase the security level of networks, monitoring traffic and inspecting and
scanning packets for suspicious data.
Detection in both systems is mainly based on signatures already detected and
recognized.
IDS achieves this through early warnings aimed at administrators, but it’s not
designed to block attacks
IPS is designed to inspect attack data and take the corresponding action, blocking
it before the attack succeeds.
 Application white-listing
 Specifying an index of approved software applications that are permitted to be
present and active on a computer system. The goal of whitelisting is to protect
computers and networks from potentially harmful applications

 Test the system security


 Goal: ensure the previous security configuration steps are correctly implemented;
Identify any possible vulnerabilities
 Should be done following the initial hardening of the system
 There are programs specifically designed to review a system and scan for known
vulnerabilities and poor configuration practices
 Should be repeated periodically as part of the security maintenance process

 Trusted computing base (what are they, what criteria should be met)
 TCB requirements
 1. tamper-proof
 2. complete mediation
 3. correct
 TPM
 A Trusted Platform Module is a microchip that is often built into a computer to
provide hardware-based security. It provides safe storage of encryption keys,
certificates and passwords.
 It is the hardware module at the heart of the hardware/software approach to trusted
computing

 Isolating OS from Untrusted User Code


 Hardware support for memory protection
 Processor execution modes (system mode vs. user mode, execution rings)
 Privileged instructions which can only be executed in system mode
 System calls used to transfer control between user and system code —— such calls
come through “call gates” and return back to user code. The processor execution
mode changes when call and return happen.
 Isolating user process from each other (user isolation and separation)
 OS uses hardware support for memory protection to ensure this

 Process protection through Memory Management


 Address space: unit of isolation (each process has its own mapping from address
space to physical memory)
 Processes view memory as contiguous and often larger than available physical memory.
Operating system maps logical virtual addresses or pages onto physical memory
frames. OS will not map a virtual page of process A to a physical page of process B
unless explicit sharing is desired.
 MMU uses page tables to resolve virtual addresses to physical addresses
 Isolating OS from application code
 OS resides in a portion of each process’s address space
 For each process, it can cross the fence only in controlled/limited ways
 DOS (disk operating system) has no such fence, any process could alter DOS and any
virus could spread by hooking DOS interrupt handlers via kernel changes

 Complete mediation
 TCB
 No protected resource (memory page or file) could be accessed without going through the TCB
 TCB acts as a reference monitor that cannot be bypassed
 User code
 Cannot access OS part of address space without changing to system mode
 Cannot access physical resources because they require privileged instructions which can only
be executed in system mode
 OS
 Virtualizes physical resources and provides an API for virtualized resources
 File for storing persistent data on disk
 Translation from virtual resource to physical resource can only be done by OS
 Compromise of OS (TCB) impacts all applications, means attacker has access to everything!

 Virtualization
 Limiting the damage of a hacked OS: a compromise of the OS in VM1 only
impacts applications running on VM1
 Meets the requirement of being small and simple: the hypervisor partitions
physical resources and lets the guest OS handle management
 Virtualization security concerns
 Guest OS isolation -> ensures programs executing within a guest OS may only access
and use the resources allocated to it
 Guest OS monitoring by the hypervisor -> hypervisor has privileged access to the
programs and data in each guest OS
 Virtualized environment security -> particularly image and snapshot management,
which attackers may attempt to modify
AUTHENTICATION

 What is authentication
 Authentication answers the question: on whose behalf the requesting
process runs?
 Includes claims about an identity (who are you?) and verification of the
claimed identity (Are you who you say you are?) of the user who wants
to gain access to system and resource.
 Methods (how is authentication implemented?)
 Something a user knows —— knowledge factors (passwords, answers)
 Something a user has —— possession factors (tokens, smart cards)
 Something a user is —— inherence factors (static biometric: fingerprint,
retina, face)
 Something a user does —— dynamic biometric (voice pattern, typing rhythm)
 Authentication process
 identification step
 presenting an identifier to the security system
 verification step
 presenting or generating authentication information that corroborates the binding
between the entity and the identifier
 Password selection strategy
 Goal: choose non-guessable passwords, but still memorable
 User education: Users can be told the importance of using hard-to-guess
passwords and can be provided with guidelines for selecting strong passwords.
 >_<: Many users will simply ignore the guidelines.
 >_<: Users may not be good judges of what is a strong password.
 Computer-generated password
 Quite random in nature.
 >_<: Hard to remember. Even if the password is pronounceable, the user may have difficulty
remembering it and so be tempted to write it down
 Reactive Password Checking: the system periodically runs its own
password cracker to find guessable passwords. The system cancels any
passwords that are guessed and notifies the user.
 >_<: resource intensive, because a determined opponent who is able to steal a
password file can devote full CPU time to the task for hours or even days.
 >_<: any existing passwords remain vulnerable until the reactive password checker
finds them.
 Proactive Password Checking: a user is allowed to select his or her own
password. However, at the time of selection, the system checks to see if
the password is allowable and if not, rejects it.
 >_<: difficult to strike a balance between user acceptability and strength.
 If the system rejects too many passwords, users will complain that it is too hard to
select a password. If the system uses some simple algorithm to define what is
acceptable, this provides guidance to password crackers to refine their guessing
technique.

 Authentication security issues


 Eavesdropping —— adversary attempts to learn the password by some approaches that
involve the physical proximity of user and adversary.
 Host attacks —— change the host where password/biometric templates are stored.
 Replay —— repeat a previously captured user response (copy your login information and
paste it back).
 Client attacks —— find a way to make the victims open the door for you to get into the
network. Requires user-interaction such as enticing them to click a link or open a
document
 Trojan horse —— masquerades as an authentic application for the purpose of capturing
user password or biometric (eg: re-enter username and password in a pop-up window).
 Denial-of-service (DoS) —— make resources unavailable to intended users by sending
excessive messages asking the server to authenticate requests that have invalid return
addresses (flooding the target with traffic that triggers a crash).

 Password security (vulnerabilities, ways to make it secure)


 1. Vulnerabilities
 Guessing the password for a given user allows impersonation
 Keylogging to steal a password (record the keys struck on a keyboard to steal
password)
 Users do not authenticate who is asking for a password
 The naïve method to check password supplied with a user id is to store a list of
passwords in a system file that is readable only by the admin account. But what if
permissions are set incorrectly?
 2. Hash function
 Do not store passwords, but store something that is derived from them (the result of
one-way hash function)

 3. Attack unsalted passwords


 Dictionary attack —— uses a file constructed by extracting words from large texts,
precomputes all their hash values and compares them to the password hash. Choosing an
exact word as a password carries a high risk of being breached through a dictionary attack
(“friendship” vs. “dontpwnme4”). A further step is to replace words in dictionary
files with their “leet speak” (a special dictionary) equivalents (“hello” -> “h3110”).
 Brute force attack —— tries every possible combination of characters up to a given length
(usually try popular passwords first). Computationally expensive, but you will always
eventually find the password given plenty of time.
 Rainbow table —— a pre-computed database of hashes. Dictionaries and random
strings are run through a selected hash function and the hash mapping is stored in a table.
The main difference between a rainbow table and a dictionary/brute-force attack is
precomputation. A rainbow table attack does not spend a huge amount of time computing
hash functions. The trade-off for speed is the immense amount of memory required
to host a rainbow table.

 4. Adding salt
 A one-way hash function is deterministic. Two users with the same password will have the
same hashes.
 Salt: a fixed-length, cryptographically strong random value that is added to the input of hash
functions to create unique hashes for every input.
 Store the salt along with the username. When the user logs in, we can look up the username, append
the salt to the provided password, hash it and verify the stored hash against the computed hash.
 Prevents duplicate passwords from being visible in the password file.
 It becomes nearly impossible to find out whether a person uses the same password on two or
more different systems.
 Increases the difficulty of attacks: the attacker has to compute a rainbow table for each password
appended with a salt. Ideally, we want the salt to be truly random and unpredictable to bring
the attacker to a halt.
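The effect of salting on precomputed tables, shown as an added example (not part of the original slides). It uses the standard library's PBKDF2-HMAC-SHA256 as the salted hash rather than a single hash of password plus salt; the word list, user names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """The deterministic scheme: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute unsalted hashes once; the table works against every user."""
    return {unsalted_hash(w): w for w in words}


def enroll(store: dict, username: str, password: str) -> None:
    """Store a fresh random salt and the salted hash next to the username."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[username] = (salt, digest)


def verify(store: dict, username: str, password: str) -> bool:
    """Look up the user's salt, recompute the hash, compare in constant time."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed dictionary and users.
    table = build_table(["hello", "h3110", "friendship"])
    store = {}
    enroll(store, "alice", "friendship")
    enroll(store, "bob", "friendship")

    # Unsalted: one table lookup recovers the password for both users.
    print("unsalted lookup:", table.get(unsalted_hash("friendship")))
    # Salted: same password, different stored values, and the table misses.
    print("same stored hash:", store["alice"][1] == store["bob"][1])
    print("table hit on salted hash:", table.get(store["alice"][1].hex()))
    print("login ok:", verify(store, "alice", "friendship"))
```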
 Other authentication methods
 Something you have (Tokens, smart cards)
 May require additional hardware (eg: readers)
 Something you are (biometrics)
 Do you get the same biometric measurement every time? —— probability distribution or a range for
feature values.
 Threats:
Inherent imprecision (e.g., two people may have their fingerprints digitally interpreted as the same)
Impersonation (e.g., use a voice recording, take photo of a face)
Coercion (e.g., force the user to put his finger on the fingerprint reader)
 Multi-factor authentication
 Use more than one method (e.g., type a password but also send a code via SMS; other things like your
location)
 Attacker must defeat both to compromise authentication
 Network authentication
 Send username and password to a server in a network
 Introduces new problems: need crypto to secure network communication
ACCESS CONTROL

 Controlling access to resources


 Authentication establishes the source of a request
 Authorization or access control answers the question if a certain source
of a request is allowed to read the file.
 Elements of access control
 Subject —— entity capable of accessing objects
 Equates with “process”
 Typically accountable for the actions they initiate
 Have three classes: owner, group, world
 Object —— resource to which access is controlled
 Entity used to contain/receive information
 Access right —— the way in which a subject may access an object
 Eg: read, write, execute, delete, create, search

 ACL vs C-List
 ACL (access control list): for each object Oi -> [ (subject S1, rwx), (subject
S2, r), ... ]
 C-list: for each subject Si -> [ (object O1, w), (object O2, r), ... ]
 Discretionary access control (DAC) —— control access based on the
identity of the requestor.
 Often provided using an access control matrix
 >_<: so many entries in the matrix because you define access right for each
individual
 >_<: cannot control if someone you share a file with will not further share the
data -> cannot control information flow
 RBAC vs ABAC
 RBAC —— based on the roles that users have within the system
 Role: abstraction of a group of individuals.
 In enterprise setting, access may be based on job function or role of a user
 Users authenticate themselves to the system, can activate one or more roles for themselves
 ^_^: policy need not be updated when an individual leaves the organization
 >_<: lack of context -> unable to model policies that depend on contextual details, such as
time, location, relationship between users.
 >_<: role explosion -> each user often needs unique access rights. An ever-increasing
number of users requires an exponentially increasing number of roles to accommodate
various permission combinations
 >_<: toxic combination -> various roles assigned to the same user could contain conflicting
data (eg: one role allows you to create new policy and another role allows you to approve it)
 >_<: management nightmares -> with exponentially more roles, role engineering becomes
an increasingly difficult task. Any attempts to audit or certify such an environment would be
fraught with management nightmares
 ABAC —— based on attributes of the user, the resource to be accessed and current
environmental conditions
 Adding context by specifying individual attributes using natural language.
 The context surrounding the user, their data and the interaction between the two are important to
provide access to the right user, at the right time and location, when certain regulation is met
 Adopts a policy driven approach.
 Attributes of subjects, objects and the environment are used to express rich policies.
 SetUID
 stands for set user ID on execution, a special type of file permission in Unix and
Unix-like operating systems. It is a security tool that permits users to run certain
programs with escalated privileges.
 When an executable file's setuid permission is set, users may execute that program
with a level of access that matches the user who owns the file. For instance, when a
user wants to change their password, they run the passwd command. The passwd
program is owned by the root account and marked as setuid, so the user is
temporarily granted root access for that very limited purpose.
MANDATORY ACCESS CONTROL

 Mandatory access control (MAC) —— control access based on comparing
security labels with security clearances.
 Works in a company and the company decides how data should be shared
 Multilevel security: data has associated classification level and users are cleared at various
levels —— top secret, secret, confidential, restricted, unclassified, etc.
 Implementing MAC
 TCB associates labels with each user and object and checks them when access requests
are made
 Label = (sensitivity level, compartment)

 MAC confidentiality (Bell-LaPadula or BLP Model)


 Simple security property (ss property): “no read-up”
 prohibits a subject of lower clearance from reading an object of higher classification
 The * (star) property: “no write-down”
 prohibits a high-level subject from sending messages to a lower-level object

 Biba Integrity model (mnemonic: in the military, you can only write orders to subordinates and read orders from superiors)


 Simple integrity (read) property —— “read up”
 Subjects have read access to an object only if the security level of the subject is equal
to or lower than the level of the object
 The * integrity (write) property —— “write down”
 Subjects have write access to an object only if the security level of the subject is equal
to or higher than the level of the object
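The BLP and Biba rules above as a label check, given as an added example (not part of the original slides). It uses the slide's Label = (sensitivity level, compartment) form with set-valued compartments, which goes slightly beyond the level-only wording of the rules; the sample labels and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Sensitivity levels named on the slide, ordered lowest to highest.
LEVELS = ("unclassified", "restricted", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high and covers every compartment."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality: no read-up, no write-down."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Integrity: the mirror image, read up and write down only."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")


# Constructed sample labels.
ANALYST = Label("secret", frozenset({"crypto"}))
WAR_PLAN = Label("top secret", frozenset({"crypto"}))
MEMO = Label("confidential")
REACTOR = Label("confidential", frozenset({"nuclear"}))

if __name__ == "__main__":
    for name, obj in (("WAR_PLAN", WAR_PLAN), ("MEMO", MEMO), ("REACTOR", REACTOR)):
        for op in ("read", "write"):
            print(f"{op:5} {name:8} BLP={blp_allows(ANALYST, obj, op)!s:5} "
                  f"Biba={biba_allows(ANALYST, obj, op)}")
```

REACTOR is at a lower level than ANALYST but in a compartment the analyst lacks, so the two labels are incomparable and BLP denies both read and write.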

 Policies for commercial environment —— Chinese Wall


 A virtual information barrier erected between those who have material,
non-public information and those who don’t, in order to prevent conflicts
of interest.
 Separation-of-duty and conflict-of-interest requirements
 Eg: you don’t want someone who is trading with stocks to have access to
internal information of the stock market.
 Clark-Wilson Model
 Three main rules of integrity models:
 1. Prevent unauthorized users from making modifications
 2. Prevent authorized users from making improper modifications (separation of duties)
 3. Maintain internal/external consistency
 Assurance
 A process that ensures a system is developed and operated as intended by the
system’s security policy
 Testing —— assurance validation
 Demonstrate existence of problem
 Cannot demonstrate absence of problem
 Regression testing: ensure that alterations do not break existing functionality/performance (make
sure the new application does not mess up the existing ones)
 Sanitization
 Data sanitization —— Data sanitization is the process of deliberately, permanently,
and irreversibly removing or destroying the data stored on a memory device.
 Sanitized data —— any computer data that has been checked by the computer to
see if it contains any information that might be harmful to the system. Special
sequences are usually removed that might be misinterpreted as computer
instructions or database queries. If its inputs are not sanitized, the application may
be vulnerable to attacks such as an SQL injection.
DATABASE SECURITY

 SQL injection attacks and defenses


 Defenses
 Input checking —— golden rule: all input is evil

 Inference attacks and defenses (what are they, why are they bad, how to
defend against them)
 Inference is the process of performing authorized queries and deducing
unauthorized information (based on premises known or assumed to be
true) from the legitimate responses received

 Eg: Consider a student grade database with ID, student standing, exam
score. Any student should be able to compute average score. The
attacker wants to find exact score of some student.
 Inference attack when target takes the exam late -> compare average before target
takes the exam with average after target takes the exam.
 Inference attack when only one student has junior standing in a senior class -> get the
average score of students who have junior standing.
 Defenses
 Do not allow aggregate query results when the set of tuples selected is either too
small or too large.
 Transform data by removing identifying information: Deidentification,
Anonymization, Perturbation (perturb the values of the database by a small error.
Statistical measures such as sum and mean will not be affected).
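The student-grade example and the query-set-size defense above, worked through as an added example (not part of the original slides). The rows, class names and the threshold k = 2 are constructed assumptions.

```python
class QueryRefused(Exception):
    """Raised when an aggregate query would select too few or too many rows."""


# Constructed sample data: one junior in a class of seniors.
ROWS = [
    {"id": 1, "standing": "senior", "score": 88},
    {"id": 2, "standing": "senior", "score": 92},
    {"id": 3, "standing": "senior", "score": 79},
    {"id": 4, "standing": "junior", "score": 71},
    {"id": 5, "standing": "senior", "score": 85},
]


class GradeDB:
    """Statistical database that only answers average-score queries."""

    def __init__(self, rows, min_set_size=None):
        self.rows = list(rows)
        self.k = min_set_size  # None means no query-set-size control

    def average(self, predicate):
        scores = [r["score"] for r in self.rows if predicate(r)]
        if not scores:
            raise QueryRefused("empty query set")
        n = len(self.rows)
        # Defense: refuse sets smaller than k or larger than n - k. The upper
        # bound stops the attacker from querying the complement of a small set.
        if self.k is not None and not (self.k <= len(scores) <= n - self.k):
            raise QueryRefused(f"query set size {len(scores)} not allowed")
        return sum(scores) / len(scores)


def is_junior(row):
    return row["standing"] == "junior"


def is_senior(row):
    return row["standing"] == "senior"


def everyone(row):
    return True


def top_scorers(row):
    return row["score"] >= 88


def infer_added_score(avg_before, n_before, avg_after):
    """Recover one new score from the averages before and after it was added."""
    return (n_before + 1) * avg_after - n_before * avg_before


def is_refused(db, predicate):
    try:
        db.average(predicate)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    open_db = GradeDB(ROWS)
    print("lone junior, direct:", open_db.average(is_junior))
    print("late exam, by differencing:",
          infer_added_score(open_db.average(is_senior), 4, open_db.average(everyone)))
    guarded = GradeDB(ROWS, min_set_size=2)
    for name, pred in (("junior", is_junior), ("senior", is_senior),
                       ("everyone", everyone), ("top_scorers", top_scorers)):
        print(name, "refused" if is_refused(guarded, pred) else guarded.average(pred))
```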
MALICIOUS CODE

 Types and differences


 Needs host program
 Trap doors, Logic bombs, Trojan horses, Viruses, Browser plug-ins, Extensions, Scripts
 Independent
 Worms, Botnet, APTs

 Characteristics of modern malware (trojan horse, logic bomb, ...)


 Trap doors
 A secret entry point to a program or system
 Works by recognizing some special sequence of inputs or special user ID
 Logic bombs
 Embedded in some legitimate program
 “Explode” or perform malicious activities when certain conditions are met

 Trojan horses
 Hidden in an apparently useful host program
 Performs unwanted/harmful function when the host program is executed
 Viruses
 Infect a program by modifying it
 Self-copy into the program to spread
 Four stages of viruses: dormant, propagation, triggering, execution
 Rootkit
 Resides in operating systems, modifies OS code and data structure
 Helps user-level malware hide from users (e.g., it is not listed by the “ls” command)
 Worms
 A worm is a malicious, self-replicating program that can spread throughout a
network without user intervention.
 Worms cause damage similar to viruses, exploiting holes in security software and
potentially stealing sensitive information, corrupting files and installing a back door
for remote access to the system, among other issues.
MALICIOUS CODE

 Ransomware
 a type of malicious software that threatens to publish the victim’s data or
perpetually block access to it unless a ransom is paid.
 Crimeware
 any computer program designed for the express purpose of conducting malicious
and illegal activities online. The main purpose is financial crime or theft of confidential data.
 Keylogger
 a type of malware that records every keystroke made by the user and saves that
information locally.
 Spear phishing
 an email or electronic communications scam targeted towards a specific
individual, organization or business. Although often intended to steal data for
malicious purposes, cybercriminals may also intend to install malware on a targeted
user’s computer. (The target is not the general public but a specific company or organization.)
MALICIOUS CODE

 Polymorphic
 a type of malware that constantly changes its identifiable features in order
to evade detection. Many of the common forms of malware can be
polymorphic, including viruses, worms, bots, trojans, or keyloggers.
 Macro virus
 A virus that is written in a macro language: a programming language which is
embedded inside a software application, such as Microsoft Office, Excel,
PowerPoint. A macro virus infects documents but not the executable
portions of the code and executes each time a document is opened.
 A machine-executable virus attaches its code to the beginning or end of an
executable program. When initiated, the infected program first executes
the virus code and then the original code of the program. Since the virus
finally hands control back to the original program, if the harmful
action is performed quickly, a user is unlikely to notice any difference.
MALICIOUS CODE

 Botnets
 Bot: a compromised computer under the control of an attacker
 Bot code (malware) on the computer communicates with the attacker’s
server (“botmaster”) and carries out malicious activities
 Botnet: a network of bots controlled by an attacker to perform coordinated
malicious activities
 DDoS attack
 In a DoS (denial-of-service) attack, the perpetrator seeks to make a machine or network
resource unavailable to its intended users by temporarily or indefinitely disrupting
services of a host. This is typically accomplished by flooding the targeted machine with
superfluous requests in an attempt to prevent legitimate requests from being fulfilled.
 In a DDoS (distributed denial-of-service) attack, the incoming traffic flooding the victim
originates from many different sources, making it impossible to stop the attack
simply by blocking a single source.
MALICIOUS CODE

 Popular forms of DDoS attack


 DNS amplification attack: a popular form of DDoS in which attackers use publicly
accessible open domain name servers (DNS servers) to flood a target system with DNS
response traffic.
The primary technique consists of an attacker sending a DNS name lookup request
to an open DNS server with the source address spoofed to be the target’s
address.
Attackers will typically submit a request for as much zone information as possible
to maximize the amplification effect. In most attacks of this type observed by
US-CERT, the spoofed queries sent by the attacker are of the type “ANY,” which
returns all known information about a DNS zone in a single request. Because the
size of the response is considerably larger than the request, the attacker is able to
increase the amount of traffic directed at the victim.
MALICIOUS CODE

 UDP flood: a DDoS attack that floods a target with User Datagram Protocol (UDP)
packets. The goal of the attack is to flood random ports on a remote host. This causes
the host to repeatedly check for the application listening at that port, and (when
no application is found) reply with an ICMP ‘Destination Unreachable’ packet. This
process saps host resources, which can ultimately lead to inaccessibility.
 SYN flood: a DDoS attack that exploits a known weakness in the TCP
(transmission control protocol) connection sequence (the “three-way handshake”),
wherein a SYN request to initiate a TCP connection with a host must be answered by a
SYN-ACK response from that host, and then confirmed by an ACK response from the
requester. In a SYN flood scenario, the requester sends multiple SYN requests, but
either does not respond to the host’s SYN-ACK response, or sends the SYN requests
from a spoofed IP address. Either way, the host system continues to wait for
acknowledgement for each of the requests, binding resources until no new
connections can be made, and ultimately resulting in denial of service.
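A detection-side view of the SYN flood described above, as an added Python example that is not part of the original slides. It replays constructed server-side handshake events and counts half-open connections in aggregate, since per-source counting does not help when source addresses are spoofed. The event format, the 30-second timeout and the alert thresholds are assumptions.

```python
# Constructed server-side events: (time in seconds, client "ip:port", flag received).
NORMAL = []
for i in range(3):
    client = f"192.0.2.{10 + i}:40000"
    NORMAL += [(i, client, "SYN"), (i + 0.1, client, "ACK")]

# 20 SYNs from distinct source addresses that are never followed by an ACK,
# then one real client that completes its handshake.
FLOOD = [(i * 0.1, f"198.51.100.{i}:1024", "SYN") for i in range(20)]
FLOOD += [(2.0, "192.0.2.10:40001", "SYN"), (2.1, "192.0.2.10:40001", "ACK")]

def syn_backlog_stats(events, timeout=30):
    """Replay events in time order; return (peak half-open count, completion ratio)."""
    pending = {}                 # client -> time its SYN arrived (SYN-ACK sent back)
    peak = syns = completed = 0
    for t, client, flag in events:
        # Drop entries the server has stopped waiting for (assumed timeout).
        pending = {c: t0 for c, t0 in pending.items() if t - t0 <= timeout}
        if flag == "SYN":
            syns += 1
            pending[client] = t
            peak = max(peak, len(pending))
        elif flag == "ACK" and client in pending:
            completed += 1       # three-way handshake finished
            del pending[client]
    return peak, (completed / syns if syns else 1.0)

def looks_like_syn_flood(events, backlog_alert=16, min_completion=0.5):
    """Alert on many simultaneous half-open connections with few completed handshakes."""
    peak, ratio = syn_backlog_stats(events)
    return peak >= backlog_alert and ratio < min_completion

if __name__ == "__main__":
    for name, events in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, syn_backlog_stats(events), looks_like_syn_flood(events))
```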
MALICIOUS CODE

 APT & its characteristics (Advanced Persistent Threat)


 Advanced —— special operation and operators
 Persistent —— long-term presence, multi-step over time, “low-and-slow”
 Threat —— targeted at high-value organization and information
 Characteristics
 Zero-day exploit: a cyber attack that occurs on the same day a weakness is discovered in
the software
 No readily available signature for its detection
 Social engineering to trick even the most sophisticated users
 Carry out its intended mission in a low-and-slow fashion to completely blend in with
normal activities
MALICIOUS CODE

 Payload
 In the world of malware, payload is used to describe what a virus, worm or
trojan horse is designed to do on a victim’s computer. Eg: damage to data, theft
of confidential information, damage to computer-based systems or processes.
 “Payload”: the part of the virus code that implements the malicious action
 Malware analysis
 Static analysis: attempts to understand what a malware instance would
do if executed (does not run the program)
 Dynamic analysis: attempts to understand what a program does when
executed (runs the program and examines the behavior)
FIREWALLS
 Design goals
 Enforcement of security policies
 All traffic from internal network to the Internet, and vice versa, must pass through the firewall
 Only traffic authorized by policy is allowed to pass
 Dependable
 The firewall itself is immune to subversion

 Firewall types (not host vs home vs person) —— types of firewalls in general


 Packet filtering (static)
 Decisions made on a per-packet basis
 Applies rules to each incoming and outgoing packet based on matches in the IP or TCP header
 Two default policies:
Discard —— prohibit unless expressly permitted (conservative, controlled)
Forward —— permit unless expressly prohibited (easier to manage and use, less secure)
FIREWALLS

 Packet filtering countermeasures

 Attack: IP address spoofing: the creation of IP packet with a false source IP address
for the purpose of impersonating another computer. (the sender’s address in the header
can be altered, so that to the recipient it appears that the packet came from another source)
 Countermeasure: Discard packet with an inside source address if the packet arrives
on an external interface.
 Attack: Source routing attack (aka path addressing attack): the attacker specifies the
route to be taken by the packet with a hope to fool the firewall.
 Countermeasure: Discard all packets that use the option of source routing.
 Attack: Tiny fragment
 Countermeasure: Enforcing the rule that the first fragment of a packet must contain
a predefined minimum amount of the transport header.
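The default-discard policy and the three countermeasures from the table, written as an added Python example of a per-packet filter (not part of the original slides). The internal address range, the permit rules, the 20-byte minimum and the packet fields are assumptions made for the example; 131 and 137 are the IPv4 loose and strict source route option types.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.0/8")  # assumed internal address range
SOURCE_ROUTE_OPTIONS = {131, 137}      # IPv4 option types: loose / strict source route
MIN_TRANSPORT_BYTES = 20               # assumed minimum (a TCP header without options)
# Permit rules: (arrival interface, protocol, destination port). Constructed policy.
ALLOW = {("external", "tcp", 443), ("internal", "tcp", 80), ("internal", "tcp", 443)}

@dataclass
class Packet:
    iface: str                   # interface the packet arrived on
    src: str                     # source IP address from the header
    proto: str
    dst_port: int
    ip_options: tuple = ()       # IPv4 option type numbers present
    frag_offset: int = 0
    more_fragments: bool = False
    transport_bytes: int = 20    # transport-header bytes carried by this fragment

def decide(p: Packet) -> str:
    # 1. IP address spoofing: inside source address arriving from outside.
    if p.iface == "external" and ip_address(p.src) in INSIDE_NET:
        return "discard: inside source on external interface"
    # 2. Source routing: drop anything that carries the option.
    if SOURCE_ROUTE_OPTIONS & set(p.ip_options):
        return "discard: source routing option"
    # 3. Tiny fragment: the first fragment must hold enough transport header.
    first_fragment = p.frag_offset == 0 and p.more_fragments
    if first_fragment and p.transport_bytes < MIN_TRANSPORT_BYTES:
        return "discard: tiny first fragment"
    # 4. Explicit permit rules, then the default "discard" policy.
    if (p.iface, p.proto, p.dst_port) in ALLOW:
        return "forward"
    return "discard: default policy"

# Constructed sample packets (documentation and private address ranges).
SAMPLES = {
    "normal https": Packet("external", "203.0.113.5", "tcp", 443),
    "spoofed inside source": Packet("external", "10.1.2.3", "tcp", 443),
    "source routed": Packet("external", "203.0.113.5", "tcp", 443, ip_options=(131,)),
    "tiny fragment": Packet("external", "203.0.113.5", "tcp", 443,
                            more_fragments=True, transport_bytes=8),
    "unlisted service": Packet("external", "203.0.113.5", "tcp", 23),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {decide(pkt)}")
```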
FIREWALLS

 Stateful inspection firewall (dynamic packet filtering)


 Monitors the state of active connections that traverse all interfaces of the firewall
over a period of time (examining both incoming and outgoing packets) and uses this
information to determine which network packets to allow through the firewall.
 In static packet filtering, only the headers of packets are checked. Stateful inspection
analyzes packets down to the application layer.
 Because of this, filtering decisions are based not only on administrator-defined rules
(as in static packet filtering), but also on context that has been established by prior
packets that have passed through the firewall.
 By recording session information such as IP addresses and port numbers, a dynamic packet
filter can implement a much tighter security posture.
FIREWALLS

 Stateless vs Stateful firewall


 Stateless
 Watches network traffic and restricts packets based on source and destination
addresses or other static values.
 Does not account for the possibility that a packet is “pretending” to be something you
asked for.
 The basic purpose of a stateless firewall is to enhance security through the use of
packet filtering.
 Typically faster and performs better under heavier traffic loads.
 Stateful
 Watches traffic streams from end to end, aware of communication paths.
 Better at identifying forged communications.
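The difference described in the stateful inspection and stateless vs stateful slides, as an added Python example that is not part of the original slides. A static rule accepts any inbound packet that looks like a web server reply, while the stateful filter also requires a matching connection opened from inside. The packet fields, addresses and trace are constructed, and the connection table is simplified (no timeouts or sequence-number checks).

```python
from collections import namedtuple

# direction: "out" = inside -> Internet, "in" = Internet -> inside. flags: set of TCP flags.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_allow(p):
    """Static rules: any outbound packet; inbound only if it looks like a reply
    from an HTTPS server (source port 443 with the ACK flag set)."""
    return p.direction == "out" or (p.sport == 443 and "ACK" in p.flags)

class StatefulFilter:
    """Same policy, but inbound packets must match a connection opened from inside."""
    def __init__(self):
        self.table = {}  # (inside ip, inside port, outside ip, outside port) -> state

    def allow(self, p):
        if p.direction == "out":
            if p.flags == {"SYN"}:                      # new outbound connection
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"             # handshake reply we asked for
            return True
        if state == "ESTABLISHED":
            if "RST" in p.flags:
                del self.table[key]                     # connection torn down
            return True
        return False                                    # no context from prior packets

HOST, SERVER, OTHER = "10.0.0.5", "198.51.100.7", "203.0.113.9"
TRACE = [  # constructed packets
    Packet("out", HOST, 50000, SERVER, 443, {"SYN"}),
    Packet("in", SERVER, 443, HOST, 50000, {"SYN", "ACK"}),
    Packet("out", HOST, 50000, SERVER, 443, {"ACK"}),
    Packet("in", SERVER, 443, HOST, 50000, {"ACK", "PSH"}),
    Packet("in", OTHER, 443, HOST, 50001, {"ACK"}),        # no such connection
    Packet("in", SERVER, 443, "10.0.0.8", 50000, {"ACK"}), # host never connected
]

def compare(trace):
    """Return (stateless decision, stateful decision) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, compare(TRACE)):
        print(pkt.direction, pkt.src, sorted(pkt.flags), verdicts)
```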
FIREWALLS

 Application-level gateway
 An application program that runs on a firewall system between two networks
 Implemented through a proxy server, which acts as an intermediary between a client
and a server.
 Consists of security components that augment a firewall
 Drawback: additional processing overhead on each connection
 Bastion hosts
 Serves as a platform for an application-level gateway
 System identified as a critical strong point in the network’s security
 A bastion host is a special purpose computer on a network specifically designed and
configured to withstand attacks.
 Runs secure OS and only essential services -> the computer generally hosts a single
application, for example a proxy server, and all other services are removed or limited
to reduce the threat to the computer.
FIREWALLS

 Host based firewall


 Used to secure an individual host, common location is a server
 Filtering rules can be tailored to the host environment
 Provides an additional layer of protection
 Personal firewall
 Control traffic between a personal computer or workstation and the Internet or
enterprise network
 For both home and corporate use
 Primary role is to deny unauthorized remote access -> monitor outgoing traffic to
detect and block worms and malware activity
FIREWALLS

 Distributed firewall deployment


 DMZ (demilitarized zone, aka a perimeter network) is a physical or logical
subnetwork that contains and exposes an organization's external-facing services to
an untrusted network, usually a larger network such as the Internet.
 The purpose of a DMZ is to add an additional layer of security to an organization’s
trusted internal network, such as local area network (LAN).
 Distributed firewall is a system or group of systems (router, proxy, or gateway),
involving stand-alone firewalls and host based firewalls, that implements a set of
security rules under a central administrative control to enforce access control
between two networks to protect the "inside" network from the "outside" network.
 Internal firewall
 Adds more stringent filtering capability.
 Provides two-way protection with respect to the DMZ.
